BIND, DHCP & Dynamic DNS Updates
Aniruddha Shankar
karim at sarai.net
Wed Jun 22 11:30:09 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm posting to both bind-users and dhcp-server since this appears to be a
problem that concerns both DHCP and BIND.
I'm trying to get Dynamic DNS Updates working with BIND 9.2.5 and DHCP
3.0.1.
My non-publicly-routable internal domain name is rnd.cbm.
gateway (gateway.rnd.cbm) is a DNS/DHCP/iptables box and has the IP
address 192.168.0.51.
bhim (bhim.rnd.cbm) is an LTSP server and has the IP address
192.168.0.254.
korma (korma.rnd.cbm) is a machine that gets a DHCP lease from gateway.
Forward and reverse name resolution works fine and DHCP leases are duly
granted to clients requesting them, so I know that the basic DHCP / DNS
functionality is working. Dynamic DNS updates do not work, however, and I
get logs like this:
Jun 21 17:00:48 gateway dhcpd: Unable to add forward map from korma.rnd.cbm to 192.168.0.217: timed out
Jun 21 17:00:48 gateway dhcpd: Wrote 24 leases to leases file.
Jun 21 17:00:48 gateway dhcpd: DHCPREQUEST for 192.168.0.217 from 00:0c:6e:6d:fa:6d (korma) via eth1
Jun 21 17:00:48 gateway dhcpd: DHCPACK on 192.168.0.217 to 00:0c:6e:6d:fa:6d (korma) via eth1
Jun 21 17:00:51 gateway dhcpd: Unable to add forward map from korma.rnd.cbm to 192.168.0.217: timed out
Jun 21 17:00:51 gateway dhcpd: DHCPREQUEST for 192.168.0.217 from 00:0c:6e:6d:fa:6d (korma) via eth1
Jun 21 17:00:51 gateway dhcpd: DHCPACK on 192.168.0.217 to 00:0c:6e:6d:fa:6d (korma) via eth1
dhcpd runs normally, outside a chroot.
named runs in a chroot, namely /chroot/dns/.
All config files referred to are on gateway, unless otherwise noted.
Mark Andrews, in his mail of 21 Jun 2005 22:54:47 +0000 (UTC),
said that "The requests go to the address associated with the MNAME in the
SOA record." AFAICS the only thing associated with the SOA record in my
zone file is the gateway.
Anyone have any suggestions as to what I should do now?
Thanks,
Aniruddha "Karim" Shankar
Here's /etc/dhcpd.conf
-------------START dhcpd.conf---------------------------
authoritative;
default-lease-time 21600;
max-lease-time 21600;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "rnd.cbm";
ddns-rev-domainname "in-addr.arpa";
ignore client-updates;
key rnd.cbm {
algorithm hmac-md5;
secret "U97GaENxBFQin9tdS/SI5Q==";
};
allow booting;
allow bootp;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.51;
option domain-name-servers 192.168.0.51;
option log-servers 192.168.0.254;
option domain-name "rnd.cbm";
## LTSP Path Options
option root-path "192.168.0.254:/opt/ltsp-4.1/i386";
filename "192.168.0.254:/lts/vmlinuz-2.4.26-ltsp-2";
shared-network WORKSTATIONS {
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.250;
next-server 192.168.0.254;
filename "/pxe/pxelinux.0";
}
}
---------------END dhcpd.conf-------------------------
Here's /chroot/dns/etc/bind/named.conf
----------------START named.conf------------------------
acl internal { 192.168.0.0/24; };
key rnd.cbm {
algorithm hmac-md5;
secret "U97GaENxBFQin9tdS/SI5Q==";
};
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; 192.168.0.51; } keys { "rnd.cbm"; };
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
recursion yes;
version "defigo per occultus";
allow-query {"internal";};
};
logging {
channel update_debug {
file "/var/log/update-debug.log";
severity debug 3;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named-auth.info";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
};
zone "rnd.cbm" in {
allow-update {key rnd.cbm; };
type master;
file "pri/db.rnd";
};
zone "0.168.192.in-addr.arpa" in {
type master;
file "pri/db.192.168.0";
allow-update {key rnd.cbm; };
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "pri/db.127.0.0";
};
zone "." in {
type hint;
file "pri/db.cache";
};
----------------END named.conf------------------------
Here's /chroot/dns/var/bind/pri/db.rnd:
----------------START db.rnd------------------------
$TTL 3h
@ IN SOA gateway.rnd.cbm. karim.sarai.net. (
1 ; Serial
3h ; Refresh after 3 hours
1h ; Retry after 1 hour
1w ; Expire after 1 week
1h ) ; Negative caching TTL of 1 hour
IN NS gateway.rnd.cbm.
IN NS bhim.rnd.cbm.
;
; Host addresses
;
localhost IN A 127.0.0.1
bhim IN A 192.168.0.254
dwaar IN A 192.168.0.177
gateway IN A 192.168.0.51
bheem IN CNAME bhim
----------------END db.rnd------------------------
Here's /chroot/dns/var/bind/pri/db.192.168.0:
----------------START db.192.168.0------------------------
$TTL 3h
@ IN SOA gateway.rnd.cbm. karim.sarai.net. (
1 ; Serial
3h ; Refresh after 3 hours
1h ; Retry after 1 hour
1w ; Expire after 1 week
1h ) ; Negative caching TTL of 1 hour
IN NS gateway.rnd.cbm.
IN NS bhim.rnd.cbm.
254 IN PTR bhim.rnd.cbm.
177 IN PTR dwaar.rnd.cbm.
51 IN PTR gateway.rnd.cbm.
----------------END db.192.168.0------------------------
As you've noticed, I'm using TSIG keys (not for any particular reasons
of security, it's just the way that most documents were written).
Here's /chroot/dns/etc/bind/rndc.conf:
----------------START rndc.conf------------------------
key rnd.cbm {
algorithm hmac-md5;
secret "U97GaENxBFQin9tdS/SI5Q==";
};
options {
default-key rnd.cbm;
default-server 127.0.0.1;
default-port 953;
};
----------------END rndc.conf---------------------------
Here's /chroot/dns/etc/bind/rndc.key:
----------------START rndc.key------------------------
key "rnd.cbm" {
algorithm hmac-md5;
secret "U97GaENxBFQin9tdS/SI5Q==";
};
----------------END rndc.key------------------------
For good measure, I've placed identical files in /etc:
gateway bind # md5sum /etc/bind/rndc.*
805018daa4e27911e58cae93360ba58c /etc/bind/rndc.conf
dc960a0810a017d9ef082d5b7e2e7cd7 /etc/bind/rndc.key
gateway bind # md5sum /chroot/dns/etc/bind/rndc.*
805018daa4e27911e58cae93360ba58c /chroot/dns/etc/bind/rndc.conf
dc960a0810a017d9ef082d5b7e2e7cd7 /chroot/dns/etc/bind/rndc.key
Here's /etc/resolv.conf:
----------------START resolv.conf------------------------
domain rnd.cbm
nameserver 203.145.184.13
nameserver 202.56.215.6
----------------END resolv.conf--------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCuUvBhJkrd6A3rSsRAkoHAJ4y1EyRrEvPeZa3Y2mTShbfOGen4wCfcoq5
6gQsvUPs6WQTbZYNKGTlpJc=
=I5IS
-----END PGP SIGNATURE-----
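What the posted configuration is missing, as an added example that is not part of Aniruddha's message and not ISC's own sample configuration: dhcpd.conf declares a `key` but no `zone` statements, and ISC dhcpd only signs an update, and only knows which server to send it to, when a `zone` statement names a `key` and a `primary`. Without one it falls back to looking up the SOA of rnd.cbm and 0.168.192.in-addr.arpa through /etc/resolv.conf and sending an unsigned update to the MNAME (gateway.rnd.cbm). On this gateway resolv.conf lists only two external resolvers, which cannot answer for a private domain, so the lookup hangs and dhcpd logs "timed out". A second detail worth fixing at the same time: `allow-query { internal; }` with `internal` = 192.168.0.0/24 refuses queries from 127.0.0.1, so pointing resolv.conf at localhost alone would also fail. The fragments below bind the key to both zones, address the updates to 192.168.0.51 directly, let gateway resolve through its own named, and route the `update` and `security` log categories to the channels the post already defines (a channel with no category attached logs nothing). The secret is a placeholder: the value in the post has been published on a public list and should be regenerated, and using a different key for `controls` (rndc) than for dynamic updates is the usual practice. File names and the IP 192.168.0.51 are taken from the post; everything else is the example's own assumption.

```conf
## /etc/dhcpd.conf -- added example, not from the post.
## Placeholder secret: generate a fresh one with, e.g.,
##   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rnd.cbm
## and paste the same base64 value into the key statement in named.conf.
key rnd.cbm {
    algorithm hmac-md5;
    secret "REPLACE-WITH-FRESH-BASE64-SECRET==";
};

# Without zone statements dhcpd sends unsigned updates to whatever the SOA
# MNAME resolves to via /etc/resolv.conf; with them it signs with the named
# key and sends directly to the listed primary.
zone rnd.cbm. {
    primary 192.168.0.51;
    key rnd.cbm;
}

zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.51;
    key rnd.cbm;
}

## /chroot/dns/etc/bind/named.conf -- lines to change or add.
# Let the gateway itself query named; the post's ACL covers only the LAN,
# so lookups from 127.0.0.1 are otherwise REFUSED.
acl internal { 127.0.0.1; 192.168.0.0/24; };

# Inside the existing logging { ... } block, after the two channel
# definitions: a channel is inert until a category is routed to it.
category update   { update_debug; };
category security { security_info; };

## /etc/resolv.conf on gateway -- ask the local named first; the external
## resolvers know nothing about rnd.cbm or 0.168.192.in-addr.arpa.
domain rnd.cbm
nameserver 192.168.0.51
nameserver 203.145.184.13
nameserver 202.56.215.6
```

After restarting both daemons, the update path can be exercised by hand before waiting for a lease: `dig @192.168.0.51 rnd.cbm SOA` should answer with MNAME gateway.rnd.cbm from the gateway itself, and an `nsupdate -k` run with the same key file against 192.168.0.51 adding a test A record for a throwaway name should return NOERROR and appear in /var/log/update-debug.log; a REFUSED there, or a `BADKEY`/`BADSIG` entry in named-auth.info, isolates the problem to the key or ACL rather than to dhcpd.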