Dynamic DNS (RFC 2136)
homeDNS supports RFC 2136 update messages for dynamic record registration.
Update policy modes
| Mode | Trust anchor | Typical clients |
|---|---|---|
| ip_acl | Source IP in allowed CIDRs | Microsoft DHCP non-secure mode |
| tsig_required | Valid TSIG key | ISC dhcpd, nsupdate, MS simple-TSIG |
| tsig_optional | Either ACL or TSIG | Mixed environments |
| none | Updates disabled | Default |
Quick start
Enable policy on a zone:

```shell
dnsctl policy set --zone example.com --mode ip_acl \
  --cidrs 10.0.0.0/24,127.0.0.0/8
```

Or require TSIG:

```shell
dnsctl tsig add --name dhcp-update. --alg sha256 \
  --secret "$(openssl rand -base64 32)"
dnsctl policy set --zone example.com --mode tsig_required \
  --keys dhcp-update.
```

Validate with nsupdate:

```shell
nsupdate -y hmac-sha256:dhcp-update.:<base64-secret> <<EOF
server 127.0.0.1 53
zone example.com.
update add client01.example.com. 300 A 10.0.0.99
send
EOF
```

- GSS-TSIG (AD secure-only flow) is not supported in v1
- Treat TSIG secrets as credentials and rotate regularly
- Pair TSIG with CIDR restrictions when possible
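
The nsupdate check above passes the secret with `-y`, which puts it on the command line where it is visible in the process list; nsupdate also reads a named.conf-style key file with `-k`. The following is an added example, not part of homeDNS or its documentation, that writes such a file with owner-only permissions; the function names and file path are assumptions made for illustration.

```shell
# Added example (not homeDNS code): keep the TSIG secret in an owner-only
# key file for `nsupdate -k` instead of passing it with -y on the command line.
# Function names and file paths are assumptions made for this example.

# Same generator the page uses: 32 random bytes, base64-encoded.
gen_tsig_secret() { openssl rand -base64 32; }

# Accept only base64 of exactly 32 bytes: 43 alphabet characters plus one '='.
# This also rejects quotes, semicolons and newlines that would break the file.
valid_tsig_secret() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in *=) ;; *) return 1 ;; esac
    case "${1%=}" in *[!A-Za-z0-9+/]*) return 1 ;; esac
}

# write_tsig_keyfile NAME SECRET PATH
# Writes a named.conf-style key statement, the format nsupdate -k reads.
write_tsig_keyfile() {
    case "$1" in ''|*[!A-Za-z0-9._-]*)
        echo "invalid key name" >&2; return 1 ;;
    esac
    valid_tsig_secret "$2" || { echo "invalid secret" >&2; return 1; }
    (
        umask 077            # a newly created file is 0600 from the start
        : > "$3" || exit 1
        chmod 600 "$3"       # tighten a pre-existing file before the secret lands
        printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$1" "$2" >> "$3"
    )
}

# Read the secret back, e.g. to register the same key on the server side.
tsig_secret_from_keyfile() {
    sed -n 's/^[[:space:]]*secret "\(.*\)";$/\1/p' "$1"
}

# Usage with the page's key name (not executed here):
#   write_tsig_keyfile dhcp-update. "$(gen_tsig_secret)" ./dhcp-update.key
#   nsupdate -k ./dhcp-update.key    # then the same server/zone/update/send lines
```

Rotation then means replacing one file and the matching server-side key, and the file's mode and owner can be checked during audits.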