DDNS Failed

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Nov 11 14:44:21 UTC 2004


Norman Zhang <norman.zhang at rd.arkonnetworks.com> wrote:

>I'm trying to allow DDNS for a W2K3 machine to register with AD.
>
>zone "hq.arkonnetworks.com" {
>   type master;
>   file "db.hq.arkonnetworks.com";
>   allow-update { key rndc-key; };
>};
>
>But I keep getting
>
>0x0000232A RCODE_SERVER_FAILURE
>
>I tried changing
>
>allow-update { 192.168.22.0/24; };
>
>but still fails. But all my Windows clients can do DDNS. DHCP is also on 
>the bind 9.2.3 box. May I ask for some tips please?
>
>I've attached both my dhcpd.conf and named.conf below. My W2K3 box has
>an IP 192.168.22.21. Any advice is greatly appreciated.
>
>Regards,
>Norman Zhang
>
># Server settings
>authoritative;
>ddns-update-style ad-hoc;
>
># Global settings
>option domain-name "hq.arkonnetworks.com";
>default-lease-time 21600;
>max-lease-time 43200;
>ddns-updates on;
>ddns-domainname "hq.arkonnetworks.com";
>ddns-rev-domainname "in-addr.arpa";
>
>key rndc-key {
>   algorithm hmac-md5;
>   secret "xxxx";
>}
>
>zone hq.arkonnetworks.com. {
>   primary 192.168.11.3;
>   key rndc-key;
>}
>
># LAN1 IP Range
>subnet 192.168.11.0 netmask 255.255.255.0 {
>   option domain-name-servers 192.168.11.3, 192.168.11.15,
>207.34.136.1, 
>204.174.64.1;
>   option ntp-servers 192.168.11.3;
>   option routers 192.168.11.1;
>   range 192.168.11.41 192.168.11.254;
>   zone 11.168.192.in-addr.arpa. {
>     primary 192.168.11.3;
>     key rndc-key;
>   }
>}
>
># LAN2 IP Range
>subnet 192.168.22.0 netmask 255.255.255.0 {
>   option domain-name-servers 192.168.22.3, 192.168.22.15,
>207.34.136.1, 
>204.174.64.1;
>   option ntp-servers 192.168.22.3;
>   option routers 192.168.22.1;
>   range 192.168.22.41 192.168.22.254;
>   zone 22.168.192.in-addr.arpa. {
>     primary 192.168.22.3;
>     key rndc-key;
>   }
>}
>
>// generated by named-bootconf.pl
>
>options {
>   directory "/var/named";
>   forwarders { 207.34.136.1; 204.174.64.1; 204.174.65.1; };
>   pid-file "/var/run/named/named.pid";
>   /*
>    * If there is a firewall between you and nameservers you want
>    * to talk to, you might need to uncomment the query-source
>    * directive below.  Previous versions of BIND always asked
>    * questions using port 53, but BIND 8.1 uses an unprivileged
>    * port by default.
>    */
>   // query-source address * port 53;
>};
>
>
>// secret must be the same as in /etc/rndc.conf
>key "rndc-key" {
>   algorithm hmac-md5;
>   secret "xxxx";
>};
>
>controls {
>   inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
>};
>
>//
>// a caching only nameserver config
>//
>zone "." {
>   type hint;
>   file "db.cache";
>};
>
>zone "0.0.127.in-addr.arpa" {
>   type master;
>   file "db.127.0.0";
>};
>
>zone "hq.arkonnetworks.com" {
>   type master;
>   file "db.hq.arkonnetworks.com";
>   allow-update { key rndc-key; };
>};
>
>zone "arkonnetworks.com" {
>   type slave;
>   file "db.arkonnetworks.com";
>   masters { 207.34.136.1; };
>};
>
>zone "0-31.136.34.207.in-addr.arpa" {
>   type slave;
>   file "db.207.34.136.0";
>   masters { 207.34.136.1; };
>};
>
>zone "22.168.192.in-addr.arpa" {
>   type master;
>   file "db.192.168.22.0";
>   allow-update { key rndc-key; };
>};
>
>zone "11.168.192.in-addr.arpa" {
>   type master;
>   file "db.192.168.11.0";
>   allow-update { key rndc-key; };
>};
>
>zone "_msdcs.hq.arkonnetworks.com" {
>   type master;
>   file "db._msdcs.hq.arkonnetworks.com";
>   allow-update { 192.168.22.0/24; };
>};
>
>zone "_sites.hq.arkonnetworks.com" {
>   type master;
>   file "db._sites.hq.arkonnetworks.com";
>   allow-update { 192.168.22.0/24; };
>};
>
>zone "_tcp.hq.arkonnetworks.com" {
>   type master;
>   file "db._tcp.hq.arkonnetworks.com";
>   allow-update { 192.168.22.0/24; };
>};
>
>zone "_udp.hq.arkonnetworks.com" {
>   type master;
>   file "db._udp.hq.arkonnetworks.com";
>   allow-update { 192.168.22.0/24; };
>};

The "allow-update" statement requires an address-match-list, not an
rndc key.

What are you trying to get AD to register?  The SRV and CNAME records
in the four/six "_" zones?  How have you set up these MS zones?  If
you have used AD-integrated with secure updates, then the MS security
model is not implemented in BIND, so the DDNS updates will fail.
If you are using non-secure updates, then this should work.

If you are trying to get individual W2k/W2k+3 machines to register
themselves via DHCP, then I am not sure what the problem might be.
Are you having the DHCP server register both forwards and reverses?
If so, are both registrations failing? I am not a DHCP expert, and I
suggest finding a newsgroup for your DHCP software.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
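The thread turns on whether allow-update names a TSIG key or an address list, and both configs reuse the rndc control key for DDNS. Below is an added example (not from either poster and not BIND's own tooling) that audits a constructed named.conf in the same shape: it flags zones whose allow-update is an address list or "any" (the source address of a UDP update is not authenticated) and zones whose update key is also the key in the controls statement. All zone and key names in the sample are constructed.

```python
"""Audit allow-update ACLs in a BIND named.conf-style file (added example;
the config below is constructed, not the poster's actual file)."""
import re
from collections import defaultdict

SAMPLE_NAMED_CONF = '''
key "rndc-key" { algorithm hmac-md5; secret "xxxx"; };
key "ddns-key" { algorithm hmac-sha256; secret "yyyy"; };
controls { inet 127.0.0.1 allow { any; } keys { "rndc-key"; }; };
zone "hq.example.test" {
   allow-update { key rndc-key; };
};
zone "_msdcs.hq.example.test" {
   allow-update { 192.168.22.0/24; };
};
zone "_tcp.hq.example.test" {
   allow-update { any; };
};
zone "22.168.192.in-addr.arpa" {
   allow-update { key ddns-key; };
};
'''
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
ACL_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
CONTROL_KEYS_RE = re.compile(r'controls\s*\{.*?keys\s*\{([^}]*)\}', re.S)

def _entries(acl_body):
    return [e.strip().strip('"') for e in acl_body.split(';') if e.strip()]

def audit_allow_update(conf):
    """Return {zone: [finding, ...]} for every zone that has allow-update."""
    m = CONTROL_KEYS_RE.search(conf)
    control_keys = set(_entries(m.group(1))) if m else set()
    findings = defaultdict(list)
    for zone, body in ZONE_RE.findall(conf):
        acl = ACL_RE.search(body)
        if not acl:
            continue
        findings[zone]  # register the zone even if no finding follows
        for entry in _entries(acl.group(1)):
            if entry.startswith('key '):
                # TSIG-signed updates: flag only reuse of the rndc control key
                keyname = entry[4:].strip().strip('"')
                if keyname in control_keys:
                    findings[zone].append(f'control key "{keyname}" reused for DDNS')
            elif entry == 'any':
                findings[zone].append('any: unauthenticated updates from anywhere')
            else:
                findings[zone].append(f'address ACL {entry}: source IP is unauthenticated')
    return dict(findings)
```

A zone that comes back with an empty list (here the reverse zone signed with its own dedicated key) is the configuration to aim for; the others describe why an update can succeed or fail without any authentication of who sent it.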