wide area bonjour server setup

Set-up goal:
I have a laptop, whose IP address changes often. So I want it to be
reachable on “mbp-freek.macfreek.nl”. To do so, it must be able to sent
a messages to my DNS server to update the A record for
“mbp-freek.macfreek.nl”. Since I don’t want any computer in the world to
change it, I use a shared secret. My DNS server is mickey.macfreek.nl,
or (IPv4) and 2002:9163:9423::1 (IPv6).

I implemented mbp-freek.macfreek.nl as a subdomain of macfreek.nl;
that’s easier to maintain.

1. First, I need my DNS machine, mickey.macfreek.nl to be the
authoritive domain for the mbp-freek.macfreek.nl subdomain. The
authorative nameservers for macfreek.nl are:
% host -t NS macfreek.nl
macfreek.nl name server ns3.xel.nl.
macfreek.nl name server ns1.xel.nl.
macfreek.nl name server ns2.xel.nl.

To delegate the mbp-freek.macfreek.nl subdomain to mickey.macfreek.nl, I
make sure that the above name server have the following configuration:
mbp-freek IN NS mickey.macfreek.nl.
mickey IN A
mickey IN AAAA 2002:9163:9423::1
(Feel free to ignore the AAAA record — that’s only important if you
care about IPv6).

2. The second step is to configure the mbp-freek.macfreek.nl subdomain
at mickey.macfreek.nl. here is the relevant part of my BIND
configuration, found in named.conf:
// service discovery domain
zone “mbp-freek.macfreek.nl” {
type master;
file “mbp-freek.macfreek.nl.zone”;
// allow-update { any; };
allow-update { key mbp-freek.macfreek.nl.; };

Note that the “allow-update { any; };” can be useful for testing: it
would allow anyone in the world to change the DNS configuration, without
a password. That is fine for testing. Obviously, I now commented it out.

I recommend to first set “allow-update { any; };” and later add the key
if the basics work fine.

3. As a start, you need to create the zone file
(“mbp-freek.macfreek.nl.zone” in my configuration.) Be sure to create it
in the correct directory. If you use BIND, it is typically set with
“directory “/etc/bind”;” or “directory “/var/cache/bind”;”

Here is the contents of my zone file:
% cat mbp-freek.macfreek.nl.zone
$TTL 3600 ; 1 hour
mbp-freek.macfreek.nl IN SOA mickey.macfreek.nl.
hostmaster.macfreek.nl. (
3203 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
60 ; minimum (1 minute)
NS mickey.macfreek.nl.
$TTL 1 ; 1 second
AAAA 2002:3516:3292:1::1
$ORIGIN _dns-sd._udp.mbp-freek.macfreek.nl.
$TTL 3600 ; 1 hour
b PTR mbp-freek.macfreek.nl.
lb PTR mbp-freek.macfreek.nl.
r PTR mbp-freek.macfreek.nl.

Again, create this file with a sensible content. It will be changed on
the fly, but a good start helps a lot. Make sure the file and directory
are writable by your bind daemon.

4. Now, (re)start your bind server:
# /etc/init.d/bind9 restart
(or whatever you use to restart it)

5. Now I have to configure my laptop to tell mickey.macfreek.nl it’s IP
address every time that changes. I use the Bonjour preference pane for
that. You can download it from http://www.dns-sd.org/ClientSetup.html.

See the attached screenshot bonjour-config.tiff for my set-up. Note that
I only filled in the “Hostname” tab with “mbp-freek.macfreek.nl”.
The other tab are unchecked and empty! Also, note that I did not fill in
the name of my DNS server (mickey.macfreek.nl): that is not necessary,
since the Bonjour preference pane finds it by simply querying for the NS
record of “mbp-freek.macfreek.nl”. So for my set-up it really is
important that the public reachable DNS server point to my own server,
as explained in set 1.

6. Test if it works. Look in the log of your DNS server. Does the IP
address gets updated. For example, my BIND log reports:
updating zone: deleting rrset at ‘mbp-freek.macfreek.nl’ AAAA
updating zone: adding an RR at ‘mbp-freek.macfreek.nl’ AAAA
updating zone: deleting rrset at ‘mbp-freek.macfreek.nl’ A
updating zone: adding an RR at ‘mbp-freek.macfreek.nl’ A
updating zone: deleting an RR
(Note: I trimmed the log lines a bit for readability, and had to
increase the log verbosity for them to show up).

7. If it works fine, create a shared secret.
dnssec-keygen -a HMAC-MD5 -b 128 -n host mbp-freek.macfreek.nl.

Copy the key (which looks like “”)
And add it to your named.conf file:
key mbp-freek.macfreek.nl. {
algorithm hmac-md5;
secret “i94NgCObg/1t0NtauLB+QQ==”;
Also make sure the key is required to update the zone file:
zone “mbp-freek.macfreek.nl” {
type master;
file “mbp-freek.macfreek.nl.zone”;
allow-update { key mbp-freek.macfreek.nl.; };
(remove the “allow-update {any;};” if it’s still there.
finally, add the key to the Bonjour preference pane. You can do so by
clicking the “Password…” button in the “Hostname” tab.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s