Dynamic DNS updates allow dhcpd to keep DNS synchronized with DHCP leases. This ensures that clients can be resolved by name immediately after receiving an IP.
Security is enforced via TSIG keys, which prevent unauthorized updates. Only the DHCP server and DNS server should know the key.
You must also configure BIND zones to allow updates from the key. DDNS is powerful but adds complexity. Be careful with stale records if clients move between subnets. Enable update-static-leases if you want reservations to update DNS as well.
In split DNS environments, ensure updates go to the correct authoritative server. Always protect TSIG keys, ideally storing them in Vault or another secret manager.
Without DDNS, DHCP and DNS drift apart, leading to troubleshooting headaches. With DDNS properly configured, your network has a living directory of mactive clients, improving usability and manageability across the board.
dhcpd can update A/PTR records when leases change.
On dhcpd:
ddns-update-style interim;
ddns-domainname "corp.example";
ddns-rev-domainname "in-addr.arpa.";
update-static-leases on;
key "dhcp-update" {
algorithm hmac-md5;
secret "BASE64TSIGKEY==";
}
zone corp.example. {
primary 10.0.0.53;
key dhcp-update;
}
zone 20.0.10.in-addr.arpa. {
primary 10.0.0.53;
key dhcp-update;
}On BIND (named):
key "dhcp-update" {
algorithm hmac-md5;
secret "BASE64TSIGKEY==";
};
zone "corp.example" IN {
type master;
file "corp.example.zone";
allow-update { key "dhcp-update"; };
};- TSIG keys secure updates.
- update-static-leases on; allows updates even for host reservations.