mirror of
https://gitlab.isc.org/isc-projects/kea
synced 2025-08-31 14:05:33 +00:00
128 lines
4.9 KiB
JSON
128 lines
4.9 KiB
JSON
// This is an example configuration file for D2, Kea's DHCP-DDNS processor.
|
|
// It uses the GSS-TSIG hook library.
|
|
{
|
|
"DhcpDdns": {
|
|
// The following parameters are used to receive NCRs (NameChangeRequests)
|
|
// from the local Kea DHCP server. Make sure your kea-dhcp4 and kea-dhcp6
|
|
// matches this.
|
|
"ip-address": "127.0.0.1",
|
|
"port": 53001,
|
|
"dns-server-timeout" : 1000,
|
|
|
|
// Forward zone: secure.example.org. It uses GSS-TSIG. It is served
|
|
// by two DNS servers, which listen for DDNS requests at 192.0.2.1
|
|
// and 192.0.2.2.
|
|
"forward-ddns":
|
|
{
|
|
"ddns-domains":
|
|
[
|
|
// DdnsDomain for zone "secure.example.org."
|
|
{
|
|
"name": "secure.example.org.",
|
|
"comment": "DdnsDomain example",
|
|
"dns-servers":
|
|
[
|
|
{
|
|
// This server has an entry in gss/servers and
|
|
// thus will use GSS-TSIG.
|
|
"ip-address": "192.0.2.1"
|
|
},
|
|
{
|
|
// This server also has an entry there, so will
|
|
// use GSS-TSIG, too.
|
|
"ip-address": "192.0.2.2",
|
|
"port": 5300
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
|
|
// Reverse zone: we want to update the reverse zone "2.0.192.in-addr.arpa".
|
|
"reverse-ddns":
|
|
{
|
|
"ddns-domains":
|
|
[
|
|
{
|
|
"name": "2.0.192.in-addr.arpa.",
|
|
"dns-servers":
|
|
[
|
|
{
|
|
// There is GSS-TSIG definition for this server (see
|
|
// DhcpDdns/gss-tsig/servers), so it will use
|
|
// Krb/GSS-TSIG.
|
|
"ip-address": "192.0.2.1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
|
|
// The GSS-TSIG hook is loaded and its configuration is specified here.
|
|
"hooks-libraries": [
|
|
{
|
|
"library": "/opt/lib/libddns_gss_tsig.so",
|
|
"parameters": {
|
|
// This section governs the GSS-TSIG integration. Each server
|
|
// mentioned in forward-ddns and/or reverse-ddns needs to have
|
|
// an entry here to be able to use GSS-TSIG defaults (optional,
|
|
// if specified they apply to all the GSS-TSIG servers, unless
|
|
// overwritten on specific server level).
|
|
|
|
"server-principal": "DNS/server.example.org@EXAMPLE.ORG",
|
|
"client-principal": "DHCP/admin.example.org@EXAMPLE.ORG",
|
|
|
|
// client-keytab and credentials-cache can both be used to
|
|
// store client keys. As credentials cache is more flexible,
|
|
// it is recommended to use it. Typically, using both at the
|
|
// same time may cause problems.
|
|
// "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only
|
|
"credentials-cache": "FILE:/etc/ccache", // toplevel only
|
|
|
|
"gss-replay-flag": true, // GSS anti replay service
|
|
"gss-sequence-flag": false, // no GSS sequence service
|
|
"tkey-lifetime": 3600, // 1 hour
|
|
"rekey-interval": 2700, // 45 minutes
|
|
"retry-interval": 120, // 2 minutes
|
|
"tkey-protocol": "TCP",
|
|
"fallback": false,
|
|
|
|
// The list of GSS-TSIG capable servers
|
|
"servers": [
|
|
{
|
|
// First server (identification is required)
|
|
"id": "server1",
|
|
"domain-names": [ ], // if not specified or empty, will
|
|
// match all domains that want to
|
|
// use this IP+port pair
|
|
"ip-address": "192.0.2.1",
|
|
"port": 53,
|
|
"server-principal": "DNS/server1.example.org@EXAMPLE.ORG",
|
|
"client-principal": "DHCP/admin1.example.org@EXAMPLE.ORG",
|
|
"gss-replay-flag": false, // no GSS anti replay service
|
|
"gss-sequence-flag": false, // no GSS sequence service
|
|
"tkey-lifetime": 7200, // 2 hours
|
|
"rekey-interval": 5400, // 90 minutes
|
|
"retry-interval": 240, // 4 minutes
|
|
"tkey-protocol": "TCP",
|
|
"fallback": true // if no key is available fallback to the
|
|
// standard behavior (vs skip this server)
|
|
},
|
|
{
|
|
// The second server (it has most of the parameters missing
|
|
// as those are using the defaults specified above)
|
|
"id": "server2",
|
|
"ip-address": "192.0.2.2",
|
|
"port": 5300
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
|
|
// Additional parameters, such as logging, control socket and
|
|
// others omitted for clarity.
|
|
}
|
|
|
|
}
|