DDNS Failed
Norman Zhang
norman.zhang at rd.arkonnetworks.com
Thu Nov 11 17:20:42 UTC 2004
Barry Finkel wrote:
>>I'm trying to allow DDNS for a W2K3 machine to register AD.
>>
>>But I keep getting
>>
>>0x0000232A RCODE_SERVER_FAILURE
>>
>>I tried changing
>>
>>allow-update { 192.168.22.0/24; };
>>
>>but it still fails. But all my Windows clients can do DDNS. DHCP is also on
>>the bind 9.2.3 box. May I ask for some tips please?
>
>>I've attached both my dhcpd.conf and named.conf below. My W2K3 box has
>>an IP 192.168.22.21. Any advice is greatly appreciated.
>>
>>
>># Server settings
>>authoritative;
>>ddns-update-style ad-hoc;
>>
>># Global settings
>>option domain-name "hq.arkonnetworks.com";
>>default-lease-time 21600;
>>max-lease-time 43200;
>>ddns-updates on;
>>ddns-domainname "hq.arkonnetworks.com";
>>ddns-rev-domainname "in-addr.arpa";
>>
>>key rndc-key {
>> algorithm hmac-md5;
>> secret "xxxx";
>>}
>>
>>zone hq.arkonnetworks.com. {
>> primary 192.168.11.3;
>> key rndc-key;
>>}
>>
>># LAN1 IP Range
>>subnet 192.168.11.0 netmask 255.255.255.0 {
>> option domain-name-servers 192.168.11.3, 192.168.11.15,
>>207.34.136.1,
>>204.174.64.1;
>> option ntp-servers 192.168.11.3;
>> option routers 192.168.11.1;
>> range 192.168.11.41 192.168.11.254;
>> zone 11.168.192.in-addr.arpa. {
>> primary 192.168.11.3;
>> key rndc-key;
>> }
>>}
>>
>># LAN2 IP Range
>>subnet 192.168.22.0 netmask 255.255.255.0 {
>> option domain-name-servers 192.168.22.3, 192.168.22.15,
>>207.34.136.1,
>>204.174.64.1;
>> option ntp-servers 192.168.22.3;
>> option routers 192.168.22.1;
>> range 192.168.22.41 192.168.22.254;
>> zone 22.168.192.in-addr.arpa. {
>> primary 192.168.22.3;
>> key rndc-key;
>> }
>>}
>>
>>// generated by named-bootconf.pl
>>
>>options {
>> directory "/var/named";
>> forwarders { 207.34.136.1; 204.174.64.1; 204.174.65.1; };
>> pid-file "/var/run/named/named.pid";
>> /*
>> * If there is a firewall between you and nameservers you want
>> * to talk to, you might need to uncomment the query-source
>> * directive below. Previous versions of BIND always asked
>> * questions using port 53, but BIND 8.1 uses an unprivileged
>> * port by default.
>> */
>> // query-source address * port 53;
>>};
>>
>>
>>// secret must be the same as in /etc/rndc.conf
>>key "rndc-key" {
>> algorithm hmac-md5;
>> secret "xxxx";
>>};
>>
>>controls {
>> inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
>>};
>>
>>//
>>// a caching only nameserver config
>>//
>>zone "." {
>> type hint;
>> file "db.cache";
>>};
>>
>>zone "0.0.127.in-addr.arpa" {
>> type master;
>> file "db.127.0.0";
>>};
>>
>>zone "hq.arkonnetworks.com" {
>> type master;
>> file "db.hq.arkonnetworks.com";
>> allow-update { key rndc-key; };
>>};
>>
>>zone "arkonnetworks.com" {
>> type slave;
>> file "db.arkonnetworks.com";
>> masters { 207.34.136.1; };
>>};
>>
>>zone "0-31.136.34.207.in-addr.arpa" {
>> type slave;
>> file "db.207.34.136.0";
>> masters { 207.34.136.1; };
>>};
>>
>>zone "22.168.192.in-addr.arpa" {
>> type master;
>> file "db.192.168.22.0";
>> allow-update { key rndc-key; };
>>};
>>
>>zone "11.168.192.in-addr.arpa" {
>> type master;
>> file "db.192.168.11.0";
>> allow-update { key rndc-key; };
>>};
>>
>>zone "_msdcs.hq.arkonnetworks.com" {
>> type master;
>> file "db._msdcs.hq.arkonnetworks.com";
>> allow-update { 192.168.22.0/24; };
>>};
>>
>>zone "_sites.hq.arkonnetworks.com" {
>> type master;
>> file "db._sites.hq.arkonnetworks.com";
>> allow-update { 192.168.22.0/24; };
>>};
>>
>>zone "_tcp.hq.arkonnetworks.com" {
>> type master;
>> file "db._tcp.hq.arkonnetworks.com";
>> allow-update { 192.168.22.0/24; };
>>};
>>
>>zone "_udp.hq.arkonnetworks.com" {
>> type master;
>> file "db._udp.hq.arkonnetworks.com";
>> allow-update { 192.168.22.0/24; };
>>};
>
> The "allow update" statement requires an address-match-list, not an
> rndc key.
Thanks for your reply. The rndc key works fine. I think it has been
discussed here before, but I can't recall why. I've just added _msdcs,
_sites, _tcp, _udp zones to the already running named.conf. I tried
converting them to 192.168.22.0/24, but still couldn't update.
> What are you trying to get AD to register? The SRV and CNAME records
> in the four/six "_" zones? How have you set up these MS zones? If
> you have used AD-integrated with secure updates, then the MS security
> model is not implemented in BIND, so the DDNS updates will fail.
> If you are using non-secure updates, then this should work.
The zone files are created and placed under /var/named/ with
uid.gid=named.named. This W2K3 box, which just got upgraded from NT, is
trying to become a DC by registering AD entries in BIND. I don't think
it uses any secure updates. How do I check? I grepped the logs under
/var/log/, but couldn't find the denied activity. Is there a specific
entry that I should grep for?
> If you are trying to get individual W2k/W2k+3 machines to register
> themselves via DHCP, then I am not sure what the problem might be.
> Are you having the DHCP server register both forwards and reverses?
> If so, are both registrations failing? I am not a DHCP expert, and I
> suggest finding a newsgroup for your DHCP software.
My W2K3 has a static IP and it has already been entered in zone files. I
would like to enable it to update the SRV and CNAME entries in the "_"
zone files. DHCP so far has no problem registering PTR and A records for
IPs that it gives out. Do you see any conflicts with my config above?
Regards,
Norman Zhang
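As an added illustration for the "what should I grep for" question (example code, not from the thread or from BIND), the script below scans BIND update log lines and separates client denials (what allow-update or update-policy produces, returned to the client as REFUSED) from updates that were accepted but could not be applied (returned as SERVFAIL, which is what the Windows 0x232A code names) and from successfully applied changes. It assumes the `update` and `security` logging categories are directed to a file; the sample lines are constructed, patterned after BIND 9's messages.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines, patterned after BIND 9's update logging
# (the "update" and "security" categories); not taken from the thread.
SAMPLE_LOG = """\
Nov 11 09:01:02 ns named[1234]: client 192.168.22.21#3012: update 'hq.arkonnetworks.com/IN' denied
Nov 11 09:01:05 ns named[1234]: client 192.168.22.21#3013: update '_msdcs.hq.arkonnetworks.com/IN' denied
Nov 11 09:02:10 ns named[1234]: client 192.168.22.3#2054: updating zone '22.168.192.in-addr.arpa/IN': adding an RR at '40.22.168.192.in-addr.arpa' PTR
Nov 11 09:03:00 ns named[1234]: client 192.168.22.21#3020: updating zone '_tcp.hq.arkonnetworks.com/IN': update failed: permission denied
"""

LINE_RE = re.compile(
    r"client (?P<ip>\d+(?:\.\d+){3})#\d+: "
    r"(?:update '(?P<zone_denied>[^']+)' denied"
    r"|updating zone '(?P<zone>[^']+)': (?P<detail>.*))"
)

def classify(match):
    """Map one matched line to the outcome the updating client saw."""
    if match.group("zone_denied"):
        return "denied"      # REFUSED: allow-update / update-policy rejected the client
    if match.group("detail").startswith("update failed"):
        return "failed"      # SERVFAIL: accepted, but the zone could not be changed
    return "applied"         # the RR change was committed to the zone

def scan_update_log(text):
    """Return one event dict per update-related line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "zone": m.group("zone_denied") or m.group("zone"),
            "outcome": classify(m),
            "detail": m.group("detail") or "",
        })
    return events

def summarize(events):
    """Count outcomes per client address, e.g. to spot one host being refused repeatedly."""
    per_ip = defaultdict(Counter)
    for ev in events:
        per_ip[ev["ip"]][ev["outcome"]] += 1
    return per_ip

if __name__ == "__main__":
    print({ip: dict(c) for ip, c in summarize(scan_update_log(SAMPLE_LOG)).items()})
```

Run it against a real named log (with the update and security categories enabled) instead of SAMPLE_LOG to see which zones refuse the DC and which accept but fail.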