Configuring BIND as an RFC 2136 Dynamic DNS Server

If the DNS for a domain is directly controlled on a BIND server, RFC 2136 Dynamic DNS support can be setup for use by pfSense®. This section shows how to configure BIND to support this feature.

The exact location of the configuration directory for BIND will vary by operating system. It could be in /usr/local/etc/namedb/, /etc/namedb/, or elsewhere.

See also

See Configuring RFC 2136 Dynamic DNS updates for more information on RFC 2136 Dynamic DNS.

Configure the BIND Server

On the server in named.conf, add the following block:

include "/etc/namedb/dns.keys.conf";
zone "" {
     type master;
     file "dynamic/";
     update-policy { grant * self . A AAAA; };
};

Then create the initial zone file. BIND requires read/write access to this file and the directory in which it resides so that the zone and its journal may be updated.

Note: BIND will rewrite this zone file, which is why a subdomain is used in the example.

From there, create the zone file for the new dynamic zone, dynamic/

$ORIGIN      .
$TTL 30      ; 30 seconds
             IN SOA (
                             2016062801 ; serial
                             3600       ; refresh (1 hour)
                             600        ; retry (10 minutes)
                             2600       ; expire (43 minutes 20 seconds)
                             30         ; minimum (30 seconds)
                             )

Reload the named service using rndc reload or a similar command, and then if any slave name servers are in place, add a zone to those servers as well:

zone "" {
     type slave;
     file "dynamic/";
     masters { ; };
};

For BIND 9.16 and later, create the key entry with tsig-keygen:

# tsig-keygen -a hmac-sha256
key "" {
     algorithm hmac-sha256;
     secret "/0/4bxF9A08n/zke/vANyQ==";
};

Add that key to dns.keys.conf manually or by redirecting command output:

# tsig-keygen -a hmac-sha256 >> /etc/namedb/dns.keys.conf

For BIND version < 9.16, follow the next steps.

On the master name server, make the keys directory:

# mkdir -p /etc/namedb/keys

And now generate a host key. The second line is the output of the command, not part of the command itself.

# /usr/sbin/dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST

The output is the first part of the filename for the key; dnssec-keygen appends .private to one file and .key to another. Both contain the same key data in different formats.

Now read the key from the new key file:

# /usr/bin/grep ^Key: /etc/namedb/keys/ | /usr/bin/awk '{ print $2; }'

And then add that key to dns.keys.conf:

key "" {
     algorithm hmac-md5;
     secret "/0/4bxF9A08n/zke/vANyQ==";
};

This can be automated with a simple script:

#!/bin/sh
# Assumption (not stated on the original page): the key name is passed as the first argument; the paths match those used above.
KEY_NAME="${1:?usage: $0 <key-name>}"
KEY_DIR=/etc/namedb/keys
KEYS_CONFIG=/etc/namedb/dns.keys.conf
/bin/mkdir -p "${KEY_DIR}"
cd "${KEY_DIR}" || exit 1
# dnssec-keygen prints the base name of the key pair; its .private file holds a "Key: <base64>" line
KEY_FILE_NAME=$(/usr/sbin/dnssec-keygen -K "${KEY_DIR}" -a HMAC-MD5 -b 128 -n HOST "${KEY_NAME}.")
KEY_TEXT=$(/usr/bin/grep "^Key:" "${KEY_DIR}/${KEY_FILE_NAME}.private" | /usr/bin/awk '{ print $2; }')
echo "key ${KEY_NAME}. {" >> "${KEYS_CONFIG}"
echo "       algorithm hmac-md5;" >> "${KEYS_CONFIG}"
echo "       secret \"${KEY_TEXT}\";" >> "${KEYS_CONFIG}"
echo "};" >> "${KEYS_CONFIG}"
echo "Key for ${KEY_NAME} is: ${KEY_TEXT}"

After making the file, make it executable:

# chmod u+x

To use the script:

# ./
# rndc reload

Configuring a Client in pfSense Software

To add a DynDNS entry in the pfSense software GUI:

  • Navigate to Services > Dynamic DNS, RFC 2136 tab

  • Click Add to create a new entry with the following settings:

    The fully qualified hostname, e.g.

    Key Name

    The fully qualified hostname again, exactly:

    Key algorithm

    Secret key for this hostname

    The IP address or hostname of the BIND server

    My DynDNS Entry

  • Click Save

Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC 2136 DynDNS service is now working. If the update does not work, check the BIND log and the system log on the firewall.