Bernhard Bock

Dynamic DNS with BIND

In the last couple of years, I made my home server reachable in the internet via a dynamic DNS provider ( While this worked pretty painless for a number of years, it has one big drawback: My host is in a foreign domain. DNS CNAMEs can reduce this problem, but I want my hosts to be in my own DNS domain.

So, I decided to use dynamic DNS updates with my BIND DNS server and TSIG (Transaction Signatures). Here’s a short howto:

  1. I created a DNS cryptographic key with dnssec-keygen.
  2. I allowed the key to remotely update my DNS server. For this, you need this line in your zone definition of bind.
    “mykey” refers to the file where the key definition is stored.
    allow-update { key "mykey"; };
  3. On my home server, I created a short script to update the DNS whenever my
    home IP address changes. With Ubuntu, this is easy by placing the script in
    The script calls the tool nsupdate, which is included with bind. I issue the commands
    server A.B.C.D
    update delete
    update add 5 A $4
  4. One caveat: On the DNS server, which is also Ubuntu-based, I needed to make /etc/bind group-writable with SGID bit, in order to allow BIND to create journal files and update zone files. Otherwise, it would return SERVFAIL and log “journal creation failed”.
  5. Done! Now my home host is always reachable at the same name in, even if the IP addess changes on each DSL dialup session.

The howto by Dag Wieers helped me a lot. Go there for more details.

— Jul 15, 2009