Information about an IP address or domain

How do I update DSM on a Synology product?

  • Check the DSM version of your Synology product on the «Main Menu > Control Panel > DSM Update» page of the web management interface.
  • Go to http://www.synology.com/support/download.php?lang=enu and check whether a new DSM version is available for your Synology product. If an update is available, download the .zip file of the latest DSM version to a local disk and unpack it to extract the .pat file. If you cannot find the .pat file, refer to this information. Note: read the release notes for the new version before updating your Synology product.
  • To update the Synology product, go to the «Main Menu > Control Panel > DSM Update» page of the web management interface. Click Browse, select the unpacked .pat update file and click OK.
  • The system will update DSM and automatically restart the computer when it has finished.

Note. Updating DSM on a Synology product normally does not affect the data stored on it. However, to be safe, it is recommended to back up the data before updating.

Update policy

New in version 4.1.0.

You can define a Lua script to handle DNS UPDATE message
authorization. The Lua script must contain at least a function called
which accepts one parameter. This parameter is an
object, containing all the information for the request. To permit a
change, return true; otherwise return false. The script is called once
for each record, and you can approve or reject any or all of them.

The object has the following methods available:

  • — name to update
  • — zone name
  • — record type, it can be 255(ANY) for delete.
  • — local socket address
  • — remote socket address
  • — real remote address (or netmask if EDNS Subnet is used)
  • — TSIG key name (you can assume it is validated here)
  • — Return peer principal name (,
    , )

Many of the same things are available as in recursor Lua scripts, but
there is also which returns an array of records.
Example:

resolve("www.google.com", pdns.A)

You can use this to perform DNS lookups. If your resolver cannot find
your local records, then this will not find them either. In other words,
resolve does not perform local lookup.

Simple example script:

--- This script is not suitable for production use

-- Return the index of the first match of needle in haystack, or false
function strpos (haystack, needle, offset)
  local pattern = string.format("(%s)", needle)
  local i       = string.find (haystack, pattern, (offset or 0))
  return (i ~= nil and i or false)
end

function updatepolicy(input)
  princ = input:getPeerPrincipal()

  -- reject updates that carry no peer principal
  if princ == ""
  then
    return false
  end

  -- the admin principal and one fixed address may change anything
  if princ == "admin@DOMAIN" or input:getRemote():toString() == "192.168.1.1"
  then
    return true
  end

  -- principals of the form xxxx/hostname@DOMAIN may update only their own A/AAAA records
  if (input:getQType() == pdns.A or input:getQType() == pdns.AAAA) and princ:sub(5,5) == '/' and strpos(princ, "@", 0) ~= false
  then
    i = strpos(princ, "@", 0)
    if princ:sub(i) ~= "@DOMAIN"
    then
      return false
    end
    hostname = princ:sub(6, i-1)
    if input:getQName():toString() == hostname .. "." or input:getQName():toString() == hostname .. "." .. input:getZoneName():toString()
    then
      return true
    end
  end

  return false
end

Some useful commands

All these commands assume that the DNS server is running on 127.0.0.2 with default ports (53 for DNS, 80 for HTTP, 443 for HTTPS).

Update a name with a new IPv4 or IPv6 address:

Same with and over HTTPS:

Note: Don’t use the self-signed certificate of your CA with . For some reason this causes OpenSSL to freak out and block the entire HTTP/HTTPS interface. Please let me know if you know why.

Send a USR1 signal to the server to make it pick up changes from the
YAML database file:

Shutdown the server by sending it the INT signal (like pressing ):

Query IPv4 (A), IPv6 (AAAA) or both (ANY) records from DNS server running on 127.0.0.2:

Query the server's start of authority (SOA) record:

Advanced topics

Update URL

The update URL you want to tell your clients (humans or scripts ^^) consists of the following

where:

  • the protocol depends on your (webserver/proxy) settings
  • USER and PASSWORD are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
  • DOMAIN should match what you defined in your config.yaml as domain but may be anything else when using a webserver as proxy
  • PORT depends on your (webserver/proxy) settings
  • HOSTNAMES is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
  • MYIP is optional and the HTTP client’s IP address will be used if missing
  • MYIP6 is optional but if present also requires presence of MYIP

IP address determination

The following rules apply:

  • use any IP address provided via the myip parameter when present, or
  • use any IP address provided via the X-Real-IP header e.g. when used behind HTTP reverse proxy such as nginx, or
  • use any IP address used by the connecting HTTP client

If you want to provide an additional IPv6 address as myip6 parameter, the myip parameter containing an IPv4 address has to be present, too! No automatism is applied then.
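
The rules from «Update URL» and «IP address determination» above, written out as an added Ruby example; this is not dyndnsd.rb's own code. The query parameter name `hostname`, the status symbols and the `TRUSTED_PROXIES` check are assumptions of this example: the check is included because the X-Real-IP header is client-supplied unless a reverse proxy in front of the daemon overwrites it.

```ruby
require 'ipaddr'

# Constructed sample data shaped like the domain/users keys of config.yaml.
CONFIG = {
  'domain' => 'example.org',
  'users' => {
    'foo'  => { 'hosts' => ['foo.example.org', 'bar.example.org'] },
    'test' => {}
  }
}.freeze

# Assumption, not a dyndnsd.rb option: peers allowed to supply X-Real-IP.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1')].freeze

# Parse a single address; reject empty input, CIDR ranges and wrong families.
def parse_ip(text, family = nil)
  return nil unless text.is_a?(String) && !text.empty? && !text.include?('/')
  ip = IPAddr.new(text)
  return nil if family == :v4 && !ip.ipv4?
  return nil if family == :v6 && !ip.ipv6?
  ip
rescue IPAddr::Error
  nil
end

def trusted_proxy?(remote_addr)
  peer = parse_ip(remote_addr)
  !peer.nil? && TRUSTED_PROXIES.any? { |proxy| proxy.include?(peer) }
end

# HOSTNAMES: required, comma-separated, inside the domain, owned by the user.
def check_hostnames(user, raw)
  names = raw.to_s.split(',').map { |h| h.strip.downcase }.reject(&:empty?)
  return [:hostnames_missing, []] if names.empty?
  suffix = ".#{CONFIG['domain']}"
  return [:outside_domain, []] unless names.all? { |h| h.end_with?(suffix) }
  allowed = CONFIG['users'].fetch(user, {}).fetch('hosts', [])
  return [:not_owned, []] unless names.all? { |h| allowed.include?(h) }
  [:ok, names]
end

# Precedence from the rules above: myip, then X-Real-IP, then the TCP peer.
def determine_ips(params, headers, remote_addr)
  myip  = params['myip'].to_s
  myip6 = params['myip6'].to_s
  unless myip6.empty?
    # myip6 is only valid together with an IPv4 myip; nothing is auto-filled.
    v4 = parse_ip(myip, :v4)
    v6 = parse_ip(myip6, :v6)
    return [] unless v4 && v6
    return [v4.to_s, v6.to_s]
  end
  real_ip = headers['X-Real-IP'].to_s
  candidate =
    if !myip.empty? then myip
    elsif !real_ip.empty? && trusted_proxy?(remote_addr) then real_ip
    else remote_addr
    end
  ip = parse_ip(candidate)
  ip ? [ip.to_s] : []
end

# `user` is the already authenticated HTTP Basic Auth user name.
def plan_update(user, params, headers, remote_addr)
  status, names = check_hostnames(user, params['hostname'])
  return { status: status } unless status == :ok
  ips = determine_ips(params, headers, remote_addr)
  return { status: :bad_ip } if ips.empty?
  { status: :ok, hostnames: names, ips: ips }
end
```

A malformed `myip` is rejected rather than silently replaced by the peer address, so a client bug cannot end up publishing the wrong host.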

SSL, multiple listen ports

Use a webserver as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.

Init scripts

The Debian 6 init.d script assumes that dyndnsd.rb is installed into the system ruby (no RVM support) and the config.yaml is at /opt/dyndnsd/config.yaml. Modify to your needs.

Monitoring

host: "0.0.0.0"
port: "8245" # the DynDNS.com alternative HTTP port
db: "/opt/dyndnsd/db.json"
domain: "dyn.example.org"
# configure the Graphite backend to be used instead of proctitle
graphite:
  host: localhost # defaults for host and port of a carbon server
  port: 2003
  prefix: "my.graphite.metrics.naming.structure.dyndnsd"
# OR configure the textfile reporter instead of Graphite/proctitle
textfile:
  file: /path/to/file.prom
  prefix: "my.graphite.metrics.naming.structure.dyndnsd"
# configure the updater, here we use command_with_bind_zone, params are updater-specific
updater:
  name: "command_with_bind_zone"
  params:
    zone_file: "dyn.zone"
    command: "echo 'Hello'"
    ttl: "5m"
    dns: "dns.example.org."
    email_addr: "admin.example.org."
# user database with hostnames a user is allowed to update
users:
  # 'foo' is username, 'secret' the password
  foo:
    password: "secret"
    hosts:
      - foo.example.org
      - bar.example.org
  test:
    password: "ihavenohosts"

Tracing (experimental)

Currently only one OpenTracing-compatible tracer implementation named CNCF Jaeger can be configured to use with dyndnsd.rb.

host: "0.0.0.0"
port: "8245" # the DynDNS.com alternative HTTP port
db: "/opt/dyndnsd/db.json"
domain: "dyn.example.org"
# enable and configure tracing using the (currently only) tracer jaeger
tracing:
  trust_incoming_span: false # default value, change to accept incoming OpenTracing spans as parents
  jaeger:
    host: 127.0.0.1 # defaults for host and port of local jaeger-agent
    port: 6831
    service_name: "my.dyndnsd.identifier"
# configure the updater, here we use command_with_bind_zone, params are updater-specific
updater:
  name: "command_with_bind_zone"
  params:
    zone_file: "dyn.zone"
    command: "echo 'Hello'"
    ttl: "5m"
    dns: "dns.example.org."
    email_addr: "admin.example.org."
# user database with hostnames a user is allowed to update
users:
  # 'foo' is username, 'secret' the password
  foo:
    password: "secret"
    hosts:
      - foo.example.org
      - bar.example.org
  test:
    password: "ihavenohosts"

Using dyndnsd.rb with NSD

NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple config file.

host: "0.0.0.0"
port: "8245" # the DynDNS.com alternative HTTP port
db: "/opt/dyndnsd/db.json"
domain: "dyn.example.org"
updater:
  name: "command_with_bind_zone"
  params:
    # make sure to register zone file in your nsd.conf
    zone_file: "/etc/nsd3/dyn.example.org.zone"
    # fake DNS update (discards NSD stats)
    command: "nsdc rebuild; nsdc reload"
    ttl: "5m"
    dns: "dns.example.org."
    email_addr: "admin.example.org."
    # specify additional raw BIND-style zone content
    # here: an A record for dyn.example.org itself
    additional_zone_content: "@ IN A 1.2.3.4"
users:
  foo:
    password: "secret"
    hosts:
      - foo.example.org  

Start dyndnsd.rb before NSD to make sure the zone file exists; otherwise NSD complains.

Main capabilities of a server cluster

  • a server cluster can run on one or several computers (working servers);
  • each working server can run one or several working processes that serve client connections within this cluster;
  • new clients are connected to the cluster's working processes based on an analysis of long-term statistics on the load of the working processes;
  • the cluster's processes communicate with client applications, with each other and with the database server over TCP/IP;
  • the cluster's server processes can be started either as an application or as a service.

Installation

  • Make sure you have Ruby 1.9 or 2 installed (e.g. the package on Debian Linux).

  • Download dns.rb, config.yml and db.yml. These three files are all you need.

  • Modify to match your setup, especially the , and settings.

  • Modify to contain your subdomains and passwords. For example:

    The IP addresses themselves are best added later on via the HTTP interface, either by your router or via a command-line script (see «Some useful commands» later on).

  • Run the server: . To stop it press .

Right now I just leave it running within a terminal. But feel free to automatically start it on server boot up. If you want you can also redirect into an access log file and into an error log file.

Quick Guide

Nameserver

has to be configured to serve the updatable zone.

Somewhere in , add

and must be writable for bind.

Create the empty zone file

If you want to use as the hostname for the server that gets IP update requests later, add a record to the zone file (this requires the -server to have this static IP, means the zone name itself).

sftdyn

To install sftdyn, use or .

Launch it with .

Configuration is by command-line parameters and conf file.
A sample conf file is provided in .
If no conf file name is provided, is used.
Hostnames/update keys are specified in the conf file.

should run under the same user as your DNS server, or it might not be able to update it properly.

systemd service

To run automatically, you can use a systemd service.

The distribution package should automatically install .

If you have to manually install it, use the example unit
and copy it to on the host machine.

Enable the launch on boot and also start now:

Unencrypted operation

You can use in plain HTTP mode.
Your average commercial dynamic DNS provider provides a HTTP interface, so most routers only support that.

Somebody could grab your «secret url» with this and perform unintended updates of your record.

Encrypted operation

Let’s Encrypt

Make sure the certificate is valid for the domain your is getting requests for.

A request to to update an IP will then be secure (e.g. with ).

Self-signed certificate

To generate and a self-signed valid for 1337 days:

Make sure you enter your server’s domain name for Common Name (the hostname you’ll use for querying with clients).

A request to to update an IP will then be more secure than a globally valid certificate like from Let’s Encrypt, but you’ll need to transfer the to the device performing the request (e.g. with ).

Client

The client triggers the IP update at the server, so your DNS then delivers the correct IP.

Request with

If you want to update the external IP of some NAT gateway (like home router, …), and you have a machine in that network which can use , choose this client method.

If you use HTTPS with a self-signed certificate, will refuse to talk to the server.

  • Use to ignore the error (Warning: see the security considerations below).
  • Copy to the client, and use .

HTTP code   Text       Response interpretation
200         OK         Update successful
200         UPTODATE   Update unnecessary
403         BADKEY     Unknown update key
500         FAIL       Internal error (see the server log)
200         your ip    Returned if no key is provided

systemd timer

timers are like cronjobs. Use them to periodically run the update query.

Create :

Create :

Activate the timer firing with:

Verify the timer is scheduled:

To manually trigger the update (e.g. for testing purposes):

General Usage

Install the gem:

Create a configuration file in YAML format somewhere:

# listen address and port
host: "0.0.0.0"
port: "80"
# optional: drop privileges in case you want to but you may need sudo for external commands
user: "nobody"
group: "nogroup"
# logfile is optional, logs to STDOUT otherwise
logfile: "dyndnsd.log"
# internal database file
db: "db.json"
# all hostnames are required to be cool-name.example.org
domain: "example.org"
# configure the updater, here we use command_with_bind_zone, params are updater-specific
updater:
  name: "command_with_bind_zone"
  params:
    zone_file: "dyn.zone"
    command: "echo 'Hello'"
    ttl: "5m"
    dns: "dns.example.org."
    email_addr: "admin.example.org."
# user database with hostnames a user is allowed to update
users:
  # 'foo' is username, 'secret' the password
  foo:
    password: "secret"
    hosts:
      - foo.example.org
      - bar.example.org
  test:
    password: "ihavenohosts"

Run dyndnsd.rb by:

Configuration options

There are two configuration parameters that can be used within the
powerdns configuration file.

A setting to enable/disable DNS update support completely. The default
is no, which means that DNS updates are ignored by PowerDNS (no message
is logged about this!). Change the setting to to
enable DNS update support. Default is .

A list of IP ranges that are allowed to perform updates on any domain.
The default is , which means that all loopback addresses are accepted.
Multiple entries can be used on this line
(). The option can
be left empty to disallow everything, this then should be used in
combination with the domain metadata setting per
zone. Setting a range here and in enables updates
from either address range.

Tell PowerDNS to forward to the master server if the zone is configured
as slave. Masters are determined by the masters field in the domains
table. The default behaviour is enabled (yes), which means that it will
try to forward. In the processing of the update packet, the
and are processed
first, so those permissions apply before the is
used. It will try all masters that you have configured until one is
successful.

HTTP/HTTPS interface to update IPs

The HTTP interface is very minimalistic: The server only understands one HTTP request to update or invalidate IP addresses. This isn’t a web interface you can use in your browser! Rather it’s the interface your router can use to automatically report a changed IP to the DNS server (look for something like DynDNS in your router configuration). The HTTP interface is inspired by DynDNS and others so routers can easily be configured to report to this DNS server.

HTTP basic auth is used for all HTTP requests. The username and password have to match one configured in the file. For example with the HTTP user and password you can update the IP address of the subdomain.

The HTTP request where is either an IPv4 or IPv6 address then assigns a new address to the subdomain matching the authentication.

If is an empty string () both the IPv4 and IPv6 address are invalidated. The server won’t return an IP for that subdomain until a new IP is assigned.

You can omit the parameter (just ). In that case the server will set the subdomain matching the authentication to whatever IP the client is using to connect to the HTTP interface. On the internet this is your public IP. If you use MiniDynDNS in a local network this will probably be a local IP address.

You can use on the command line or in scripts to assign a new IP to a subdomain (see «Some useful commands»). Languages like PHP and Ruby can also do HTTP requests directly.

SOA Serial Updates

After every update, the SOA serial is updated, as this is required by
section 3.7 of RFC 2136. The behaviour is configurable via domainmetadata
with the option. It has a number of options listed
below. If no behaviour is specified, DEFAULT is used.

defines some specific behaviour for updates of SOA
records. Whenever the SOA record is updated via the update message, the
logic to change the SOA is not executed.

Note

PowerDNS will always use when serving SOA
records, thus a query for the SOA record of the recently updated domain
might have an unexpected result due to a SOA-EDIT setting.

An example:

sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'SOA-EDIT-DNSUPDATE','INCREASE');

This will make the SOA Serial increase by one, for every successful
update.

Security considerations

  • When using HTTP, or if your has been stolen or broken, an eavesdropper can steal your update key, and use that to steal your domain name.
  • When using HTTPS with , a man-in-the-middle can steal your update key.
  • When using HTTPS with a paid certificate, a man-in-the-middle with access to a CA can steal your update key (no problem for government agencies, but this is pretty unlikely to happen).
  • When using HTTPS with a self-signed certificate and , no man-in-the-middle can steal your update key.

is pretty minimalistic, and written in python, so it’s unlikely to contain any security vulnerabilities. The python ssl and http modules are used widely, and open-source, so there should be no security vulnerabilities there.

Somebody who knows a valid update key could semi-effectively DOS your server by spamming update requests from two different IPs. For each request, nsupdate would be launched and your zone file updated.

Example of using DDNS and known issues

Suppose everything has been done correctly and, in addition, an FTP server is enabled on the router. Then this server becomes reachable from anywhere in the world at the following address: ftp://1234router.no-ip.biz:80. The example is, of course, correct only if the domain name «1234router.no-ip.biz» was obtained.

Sometimes the router nevertheless becomes unreachable by its domain name. In that case it is enough to go to the service's website and open the account (or enter the domain name), and the router's IP will appear in a box on the page. The problem is that this IP may change after a while.

In principle, though, this method also works: instead of «1234router…», specify the IP address (the one actually assigned to the WAN port). Any of the services lets you see the IP value without any difficulty.

IPv6 support

Supported provider(s):

  • Cloudflare
  • HE.net
  • DNSPod
  • DuckDNS
  • Google Domains

To enable the mode of GoDNS, you only need two steps:

  • Set the as , and make sure the is configured.
  • Add one record to your provider.

For example:

{
  "domains": [
    {
      "domain_name": "example.com",
      "sub_domains": ["ipv6"]
    }
  ],
  "ipv6_url": "https://api-ipv6.ip.sb/ip",
  "ip_type": "IPv6"
}

Config example for Cloudflare

{
  "provider": "Cloudflare",
  "email": "you@example.com",
  "password": "Global API Key",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

Using the API Token

{
  "provider": "Cloudflare",
  "login_token": "API Token",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

Config example for DNSPod

{
  "provider": "DNSPod",
  "login_token": "your_id,your_token",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "ip_type": "IPV4",
  "interval": 300,
  "socks5_proxy": ""
}

Config example for Google Domains

{
  "provider": "Google",
  "email": "Your_Username",
  "password": "Your_Password",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

Config example for AliDNS

{
  "provider": "AliDNS",
  "email": "AccessKeyID",
  "password": "AccessKeySecret",
  "login_token": "",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

Config example for DuckDNS

For DuckDNS, only need to provide the , config 1 default domain & subdomains.

{
  "provider": "DuckDNS",
  "password": "",
  "login_token": "3aaaaaaaa-f411-4198-a5dc-8381cac61b87",
  "domains": [
    {
      "domain_name": "www.duckdns.org",
      "sub_domains": ["myname"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

Config example for HE.net

{
  "provider": "HE",
  "password": "YourPassword",
  "login_token": "",
  "domains": [{
      "domain_name": "example.com",
      "sub_domains": ["www","test"]
    },{
      "domain_name": "example2.com",
      "sub_domains": ["www","test"]
    }
  ],
  "ip_url": "https://myip.biturl.top",
  "interval": 300,
  "socks5_proxy": ""
}

HE.net DDNS configuration

Add a new «A record», make sure that «Enable entry for dynamic dns» is checked:

Fill your own DDNS key or generate a random DDNS key for this new created «A record»:

Remember the DDNS key and fill it as password to the config.json.

NOTICE: If you have multiple domains or subdomains, make sure their DDNS key are the same.

Get an IP address from the interface

For some reasons if you want to get an IP directly from the interface, say for Linux or for Windows, update config file like this:

  "ip_url": "",
  "ip_interface": "eth0",

If you set both and , it first tries to get an IP address online and, if that does not succeed, gets
an IP address from the interface as a fallback.

Note that IPv6 addresses are currently ignored.

Email notification support

Update the config file and provide your SMTP options; a notification mail will be sent to your mailbox once the IP is changed and updated.

  "notify": {
    "mail": {
      "enabled": true,
      "smtp_server": "smtp.example.com",
      "smtp_username": "user",
      "smtp_password": "password",
      "smtp_port": 25,
      "send_to": "my_mail@example.com"
    }
  }

Notification mail example:

Telegram notification support

Update the config file and provide your Telegram options; a notification message will be sent to your Telegram channel once the IP is changed and updated.

  "notify": {
    "telegram": {
      "enabled": true,
      "bot_api_key": "11111:aaaa-bbbb",
      "chat_id": "-123456",
      "message_template": "Domain *{{ .Domain }}* is updated to %0A{{ .CurrentIP }}"
    }
  }

Markdown is supported in message template, and use for newline.

SOCKS5 proxy support

You can also use SOCKS5 proxy, just fill SOCKS5 address to the item:

"socks5_proxy": "127.0.0.1:7070"

Now all the queries will go through the specified SOCKS5 proxy.

Per zone settings

For permissions, a number of per zone settings are available via the
domain metadata.

ALLOW-DNSUPDATE-FROM

This setting has the same function as described in the configuration
options (See ). Only one item is
allowed per row, but multiple rows can be added. An example:

sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM','198.51.100.0/8');
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM','203.0.113.2/32');

This will allow 198.51.100.0/8 and 203.0.113.2/32 to send DNS update
messages for the example.org domain.

TSIG-ALLOW-DNSUPDATE

This setting allows you to set the TSIG key required to do a DNS
update. If you have GSS-TSIG enabled, you can use Kerberos principals
here. An example, using pdnsutil to create the key:

$ pdnsutil generate-tsig-key test hmac-md5
Create new TSIG key test hmac-md5 kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');

An example of how to use a TSIG key with the nsupdate command:

nsupdate <<!
zone example.org
update add test1.example.org 3600 A 203.0.113.1
key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
send
!

If a TSIG key is set for the domain, it is required to be used for the
update. The TSIG is an alternative means of securing updates, instead of using the
setting. If a TSIG key is set, and if is set,
the IP(-range) of the updater still needs to be allowed via .

FORWARD-DNSUPDATE

See for what it does,
but per domain.

sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'FORWARD-DNSUPDATE','');

There is no content, the existence of the entry enables the forwarding.
This domain-specific setting is only useful when the configuration
option is set to ‘no’, as that will disable it
globally. Using the domainmetadata setting then allows you to enable it
per domain.

NOTIFY-DNSUPDATE

Send a notification to all slave servers after every update. This will
speed up the propagation of changes and is very useful for acme
verification.

sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, 'NOTIFY-DNSUPDATE','1');