ddns-rfc2317-rewrite-proxy

ddns-rfc2317-rewrite-proxy is a lightweight reverse DDNS rewrite proxy designed to be used alongside Kea DHCP.
It re-introduces a feature available in ISC DHCP: the ability to override the default reverse DNS domain for dynamically generated PTR records.

This functionality is essential for delegating reverse DNS zones below octet boundaries, as described in RFC 2317.

Background

The sunsetted ISC DHCP server supported the ddns-rev-domainname keyword, which allowed administrators to map PTR queries into alternate reverse-DNS subzones.
This made it possible to use classless (non-/24) IP delegations.

However, Kea does not implement this feature.
A merge request adding it exists here: https://gitlab.isc.org/isc-projects/kea/-/merge_requests/2631
but at the time of writing it remains unmerged.

What this project does

ddns-rfc2317-rewrite-proxy acts as a reverse DDNS proxy sitting between Kea DHCP and your authoritative DNS server. It inspects DNS UPDATE messages, applies user-defined rewrite rules, and forwards the modified request upstream.

This allows administrators to regain fine-grained control over reverse delegation layouts without modifying Kea or running custom DHCP hooks.

Example configuration

{
  "ip-address": "0.0.0.0",
  "port": 5553,
  "upstream": {
    "ip-address": "10.0.0.1",
    "port": 53
  },
  "tsig-keys": [
    {
      "name": "dhcp1-ns1",
      "secret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
      "algorithm": "hmac-sha256"
    }
  ],
  "zones": [
    {
      "name": "0.16.172.in-addr.arpa.",
      "rewrite-rules": [
        {
          "host-start": 100,
          "host-end": 126,
          "delegated-zone-name": "100-126.0.16.172.in-addr.arpa."
        }
      ]
    }
  ]
}

What this configuration means:

For updates to the zone 0.16.172.in-addr.arpa., any record whose host portion (the leading label) falls between 100 and 126 inclusive is rewritten into the delegated subzone 100-126.0.16.172.in-addr.arpa. (both the ZONE section and the record owner name are rewritten, as the next example shows).

Example: incoming DNS UPDATE

id 57217
opcode UPDATE
rcode NOERROR
flags
;ZONE
0.16.172.in-addr.arpa. IN SOA
;PREREQ
;UPDATE
117.0.16.172.in-addr.arpa. 60 IN PTR mypc.example.com.
;ADDITIONAL
dhcp1-ns1. TSIG ...

Resulting proxied UPDATE

id 18812
opcode UPDATE
rcode NOERROR
flags
;ZONE
100-126.0.16.172.in-addr.arpa. IN SOA
;PREREQ
;UPDATE
117.100-126.0.16.172.in-addr.arpa. 60 IN PTR mypc.example.com.
;ADDITIONAL
dhcp1-ns1. TSIG ...

Only requests matching the user-defined rules are rewritten. If a request does not match the zone name or host range, it is preserved and forwarded intact.
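The rewrite described above, as an added illustration that is not the project's own code: a pure-Python implementation of the rule matching on PTR owner names, applied to the README's sample UPDATE rendered in the same textual form. The configuration is a constructed copy of the README's "zones" section; the functions and the text-based message handling are assumptions for this example (the real proxy operates on wire-format DNS messages). One consequence worth knowing as an operator: changing any byte of a TSIG-signed message invalidates its MAC, so a proxy that rewrites updates has to re-sign them with the shared key, which is why the example configuration carries the tsig-keys section.

```python
import json

# Constructed configuration mirroring the README's example (not read from the project).
CONFIG = json.loads("""
{
  "zones": [
    {
      "name": "0.16.172.in-addr.arpa.",
      "rewrite-rules": [
        {"host-start": 100, "host-end": 126,
         "delegated-zone-name": "100-126.0.16.172.in-addr.arpa."}
      ]
    }
  ]
}
""")

# Constructed sample input, copied from the README's "incoming DNS UPDATE" rendering.
SAMPLE_UPDATE = """\
id 57217
opcode UPDATE
rcode NOERROR
flags
;ZONE
0.16.172.in-addr.arpa. IN SOA
;PREREQ
;UPDATE
117.0.16.172.in-addr.arpa. 60 IN PTR mypc.example.com.
;ADDITIONAL
dhcp1-ns1. TSIG ...
"""


def _norm(name):
    """Lower-case and make absolute, so comparisons ignore case and a missing trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def rewrite_owner(owner, zone, config=CONFIG):
    """Return (zone, owner) after applying the rules; unchanged if nothing matches.

    A record only qualifies when it sits exactly one label below the configured zone
    apex and that label is a host octet inside a rule's [host-start, host-end] range.
    """
    owner, zone = _norm(owner), _norm(zone)
    for z in config["zones"]:
        if _norm(z["name"]) != zone or not owner.endswith("." + zone):
            continue
        host_label = owner[: -len("." + zone)]
        if "." in host_label or not host_label.isdigit():
            continue  # deeper names or non-numeric labels are never rewritten
        host = int(host_label)
        if not 0 <= host <= 255:
            continue
        for rule in z["rewrite-rules"]:
            if rule["host-start"] <= host <= rule["host-end"]:
                new_zone = _norm(rule["delegated-zone-name"])
                return new_zone, f"{host}.{new_zone}"
    return zone, owner


def rewrite_update_text(text, config=CONFIG):
    """Apply the rules to a textual UPDATE rendering (assumed format, one record per update).

    Kea sends one PTR per UPDATE, so every rewritten record is assumed to land in the
    same delegated zone; the ZONE section is moved there when a record is rewritten.
    The TSIG line is left alone here; a real proxy must re-sign the modified message.
    """
    out = text.splitlines()
    section, zone, zone_idx = None, None, None
    for i, line in enumerate(out):
        if line.startswith(";"):
            section = line[1:].strip()
        elif section == "ZONE" and line.strip():
            zone, zone_idx = line.split()[0], i
    if zone is None:
        return text  # no ZONE section: nothing to match against, forward intact
    target_zone, section = None, None
    for i, line in enumerate(out):
        if line.startswith(";"):
            section = line[1:].strip()
        elif section == "UPDATE" and line.strip():
            owner, _, rest = line.partition(" ")
            new_zone, new_owner = rewrite_owner(owner, zone, config)
            if new_zone != _norm(zone):
                target_zone = new_zone
                out[i] = (new_owner + " " + rest).rstrip()
    if target_zone is not None:
        out[zone_idx] = target_zone + " IN SOA"
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite_update_text(SAMPLE_UPDATE))
```

Running the block prints the README's "Resulting proxied UPDATE" (apart from the message id, which a real proxy allocates fresh). A PTR for host 50 in the same zone, or for host 117 in a zone with no rules, passes through unchanged.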

Kea config example snippets

kea-dhcp-ddns.config

"forward-ddns": {
    "ddns-domains": [
        {
            "name": "example.com.",
            "key-name": "dhcp1-ns1",
            "dns-servers": [
                {
                    "ip-address": "127.0.0.1",
                    "port": 53
                }
            ]
        }
    ]
},
"reverse-ddns": {
    "ddns-domains": [
        {
            "name": "0.16.172.in-addr.arpa.",
            "key-name": "dhcp1-ns1",
            "dns-servers": [
                {
                    "ip-address": "127.0.0.1",
                    "port": 5553
                }
            ]
        }
    ]
},

kea-dhcp4.config

"subnet4": [
    {
        "id": 1,
        "subnet": "172.16.0.0/25",
        "option-data": [
            {
                "name": "routers",
                "data": "172.16.0.1"
            },
            {
                "name": "domain-name",
                "data": "example.com"
            }
        ],
        "ddns-qualifying-suffix": "example.com",
        "ddns-override-client-update": true,
        "pools": [
            {
                "pool": "172.16.0.100 - 172.16.0.126",
                "ddns-send-updates": true
            }
        ],
        "reservations": []
    }
]
