DDNS. Allow clients to update bind dns ??

Daniel Vaillant vaillant at ganil.fr
Tue Jan 10 00:18:18 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Seems to me that your problem is that Microsoft does not stick to TSIG (or
SIG(0)) authentication,
as I "rapidly" saw a key in your conf. and read that the machines do
not update......

In my own conf, it is the DHCP server that does the DDNS update, not each
machine.

A clue for you?

Regards.


Kevin Darcy wrote:

| aries.ram at freenet.de wrote:
|
|> Hi,
|>
|> I have a strange problem with dhcp and bind in a ddns environment.
|> I am running a SuSE 9.1 server with dns and dhcp services. The
|> Windows XP and 2000 clients should get their IP addresses from the
|> dhcp server and register their hostnames via the dynamic update
|> function in the named server database. The clients get their IP
|> addresses, but the dynamic update is not running flawlessly. I get
|> the following syslog errors:
|>
|>
|> Jan  8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
|> Jan  8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
|>
|> Here are my config files:
|>
|> /etc/dhcpd.conf
|>
|> # dhcpd.conf
|> #
|> # Sample configuration file for ISC dhcpd
|> #
|> # option definitions common to all supported networks...
|>
|> # if you do not use dynamical DNS updates:
|> #
|> # this statement is needed by dhcpd-3 needs at least this statement.
|> # you have to delete it for dhcpd-2, because it does not know it.
|> #
|> # if you want to use dynamical DNS updates, you should first read
|> # read /usr/share/doc/packages/dhcp-server/DDNS-howto.txt
|>
|> ddns-update-style interim;
|> ignore client-updates;
|> ddns-updates on;
|> ddns-domainname "apollo.lokal";
|> allow unknown-clients;
|> ddns-rev-domainname "1.168.192.in-addr.arpa";
|>
|> # If this DHCP server is the official DHCP server for the local
|> # network, the authoritative directive should be uncommented.
|>
|> authoritative;
|>
|> # Use this to send dhcp log messages to a different log file (you also
|> # have to hack syslog.conf to complete the redirection).
|>
|> log-facility local7;
|>
|> # No service will be given on this subnet, but declaring it helps the
|> # DHCP server to understand the network topology.
|>
|> #subnet 10.152.187.0 netmask 255.255.255.0 {
|> #}
|>
|> # This is a very basic subnet declaration.
|>
|> subnet 192.168.1.0 netmask 255.255.255.0 {
|>         option routers 192.168.1.1;
|>         option nis-domain "apollo.lokal";
|>         option domain-name "apollo.lokal";
|>         option domain-name-servers 192.168.1.1;
|>         default-lease-time 43200;
|>         max-lease-time 86400;
|>         range 192.168.1.110 192.168.1.150;
|> }
|>
|> key apollo.lokal {
|>         algorithm hmac-md5;
|>         secret 1234567890x==;
|> };
|>
|> zone apollo.lokal. {
|>         primary 192.168.1.1;
|>         key apollo.lokal;
|> }
|>
|> zone 1.168.192.in-addr.arpa. {
|>         primary 192.168.1.1;
|>         key apollo.lokal;
|> }
|>
|> # This declaration allows BOOTP clients to get dynamic addresses,
|> # which we don't really recommend.
|>
|> #subnet 10.254.239.32 netmask 255.255.255.224 {
|> #  range dynamic-bootp 10.254.239.40 10.254.239.60;
|> #  option broadcast-address 10.254.239.31;
|> #  option routers rtr-239-32-1.example.org;
|> #}
|>
|> # Hosts which require special configuration options can be listed in
|> # host statements.  If no address is specified, the address will be
|> # allocated dynamically (if possible), but the host-specific information
|> # will still come from the host declaration.
|>
|> group {
|>         host duke {
|>                 hardware ethernet 00:08:8E:28:88:AB;
|>                 fixed-address 192.168.1.30;
|>         }
|>         host blade {
|>                 hardware ethernet 00:12:5b:37:4b:2a;
|>                 fixed-address 192.168.1.20;
|>         }
|> }
|>
|>
******************************************************************************************
|>
|>
|> /etc/named.conf
|>
|>
|> # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
|> # All rights reserved.
|> #
|> # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
|> #
|> # /etc/named.conf
|> #
|> # This is a sample configuration file for the name server BIND 9.  It works as
|> # a caching only name server without modification.
|> #
|> # A sample configuration for setting up your own domain can be found in
|> # /usr/share/doc/packages/bind/sample-config.
|> #
|> # A description of all available options can be found in
|> # /usr/share/doc/packages/bind/misc/options.
|>
|> acl internals { 192.168.1.0/24; };
|>
|> controls {
|>         inet 127.0.0.1 port 953 allow { localhost; internals; } keys { apollo.lokal; };
|> };
|>
|> options {
|>
|>         # The directory statement defines the name server's working directory
|>
|>         directory "/var/lib/named";
|>
|>         # Write dump and statistics file to the log subdirectory.  The
|>         # pathenames are relative to the chroot jail.
|>
|>         dump-file "/var/log/named_dump.db";
|>         statistics-file "/var/log/named.stats";
|>
|>         # The forwarders record contains a list of servers to which queries
|>         # should be forwarded.  Enable this line and modify the IP address to
|>         # your provider's name server.  Up to three servers may be listed.
|>         # Condor Nameserver : 194.120.164.22
|>
|>         forwarders { 194.25.2.129; };
|>
|>         # Enable the next entry to prefer usage of the name server declared in
|>         # the forwarders section.
|>
|>         #forward first;
|>         forward only;
|>
|>         # The listen-on record contains a list of local network interfaces to
|>         # listen on.  Optionally the port can be specified.  Default is to
|>         # listen on all interfaces found on your system.  The default port is
|>         # 53.
|>
|>         listen-on port 53 { 192.168.1.1; 127.0.0.1; };
|>
|>         # The listen-on-v6 record enables or disables listening on IPv6
|>         # interfaces.  Allowed values are 'any' and 'none' or a list of
|>         # addresses.
|>
|>         listen-on-v6 { none; };
|>
|>         # The next three statements may be needed if a firewall stands between
|>         # the local server and the internet.
|>
|>         query-source address * port 53;
|>         # transfer-source * port 53;
|>         # notify-source * port 53;
|>
|>         # The allow-query record contains a list of networks or IP addresses
|>         # to accept and deny queries from. The default is to allow queries
|>         # from all hosts.
|>
|>         allow-query { internals; };
|>
|>         # If notify is set to yes (default), notify messages are sent to other
|>         # name servers when the zone data is changed.  Instead of setting
|>         # a global 'notify' statement in the 'options' section, a separate
|>         # 'notify' can be added to each zone definition.
|>
|>         notify no;
|> };
|>
|> # To configure named's logging remove the leading '#' characters of the
|> # following examples.
|> #logging {
|> #       # Log queries to a file limited to a size of 100 MB.
|> #       channel query_logging {
|> #               file "/var/log/named_querylog"
|> #                       versions 3 size 100M;
|> #               print-time yes;         // timestamp log entries
|> #       };
|> #       category queries {
|> #               query_logging;
|> #       };
|> #
|> #       # Or log this kind alternatively to syslog.
|> #       channel syslog_queries {
|> #               syslog user;
|> #               severity info;
|> #       };
|> #       category queries { syslog_queries; };
|> #
|> #       # Log general name server errors to syslog.
|> #       channel syslog_errors {
|> #               syslog user;
|> #               severity error;
|> #       };
|> #       category default { syslog_errors;  };
|> #
|> #       # Don't log lame server messages.
|> #       category lame-servers { null; };
|> #};
|>
|> # The following zone definitions don't need any modification.  The first one
|> # is the definition of the root name servers.  The second one defines
|> # localhost while the third defines the reverse lookup for localhost.
|>
|> key apollo.lokal {
|>         algorithm hmac-md5;
|>         secret 1234567890x==;
|> };
|>
|> zone "." in {
|>         type hint;
|>         file "root.hint";
|> };
|>
|> zone "localhost" in {
|>         type master;
|>         file "localhost.zone";
|> };
|>
|> zone "0.0.127.in-addr.arpa" in {
|>         type master;
|>         file "127.0.0.zone";
|> };
|>
|> # Include the meta include file generated by SuSEconfig.named.  This includes
|> # all files as configured in NAMED_CONF_INCLUDE_FILES from
|> # /etc/sysconfig/named
|>
|> # include "/etc/named.conf.include";
|>
|> # You can insert further zone records for your own domains below or create
|> # single files in /etc/named.d/ and add the file names to
|> # NAMED_CONF_INCLUDE_FILES.
|> # See /usr/share/doc/packages/bind/README.SuSE for more details.
|>
|>
|> zone "apollo.lokal" IN {
|>         type master;
|>         file "dyn/apollo.lokal.zone";
|>         allow-update { key apollo.lokal; };
|> };
|>
|> zone "1.168.192.in-addr.arpa" IN {
|>         type master;
|>         file "dyn/1.168.192.in-addr.arpa.zone";
|>         allow-update { key apollo.lokal; };
|> };
|>
|>
|> Are the permissions ok ?
|>
|> drwxr-xr-x   9 named named 4096 Dec  7 00:12 .
|> drwxr-xr-x  37 root  root  4096 Dec 10 19:40 ..
|> -rw-r--r--   1 named named  192 Apr  6  2004 127.0.0.zone
|> drwxr-xr-x   2 named named 4096 Jan  5 18:41 dev
|> drwxr-x---   2 named named 4096 Jan  8 18:20 dyn
|> drwxr-xr-x   3 named named 4096 Nov 28  1996 etc
|> -rw-r--r--   1 named named  158 Apr  6  2004 localhost.zone
|> drwxr-xr-x   2 named named 4096 Apr  6  2004 log
|> drwxr-xr-x   2 named named 4096 Nov  2 16:23 master
|> -rw-r--r--   1 named named 2517 Apr  6  2004 root.hint
|> drwxr-xr-x   2 named named 4096 Apr  6  2004 slave
|> drwxr-xr-x   4 named named 4096 Dec  7 00:12 var
|> gateway:/var/lib/named #
|>
|> 4 drwxr-xr-x  9 named named 4096 Dec  7 00:12 ..
|> 8 -rw-------  1 named named  771 Jan  8 18:20 1.168.192.in-addr.arpa.zone
|> 8 -rw-r--r--  1 named named 1097 Jan  8 18:03 1.168.192.in-addr.arpa.zone.jnl
|> 8 -rw-------  1 named named  633 Jan  8 18:19 apollo.lokal.zone
|> gateway:/var/lib/named/dyn #
|>
|> I don't know where the problem is. How can I allow the Windows
|> XP / 2000 clients to update their hostnames in the named database?
|> I don't want to disable the automatic update function in the
|> Windows XP/2000 network settings to prevent the "update denied"
|> log messages!! This is only a workaround that doesn't fix the
|> problem. The allow-update with a security key should work, but it
|> doesn't?? Did I misunderstand something?
|>
| Is 192.168.1.20 the address of the DHCP server? It's not clear to
| me from a quick perusal what you posted above. The usual
| configuration in a mixed Wintel/BIND/dhcpd environment is for
| dhcpd, not the clients themselves, to register the client's names
| and addresses. This is because Windows clients can't secure their
| Dynamic Updates in a way that's compatible with BIND.
|
|
| - Kevin
|
|
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows 2000)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFDwv1JWjx+k/U6y0kRAn+QAJ9lepxInJKn5Aw/Q2PCoa3P0itciACfVT+J
+5tcKzJum5Gd0EwTpagT13o=
=KGeo
-----END PGP SIGNATURE-----
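Editor's note, added to this archived thread and not written by any of its participants. The denied client in the posted log, 192.168.1.20, is "blade", a host with a fixed-address in dhcpd.conf, not the DHCP server at 192.168.1.1. With `allow-update { key apollo.lokal; }` named accepts only TSIG-signed updates, so a Windows client registering itself is refused by design, and dhcpd (which has `ignore client-updates` and the key) is the one expected to register names. The script below, an added example rather than anything from the thread, sorts named's "update denied" lines into the refusals that are expected noise and the ones that point at a real key or zone misconfiguration. The DHCP server address, LAN prefix, dynamic zones and fixed hosts are taken from the configuration posted above; the sample log lines after the first two are constructed.

```python
"""
Triage BIND 'update denied' syslog lines from a dhcpd + named DDNS setup.

Added example for this thread, not code posted by any participant.
Expected picture in the setup above: only the DHCP server (192.168.1.1)
sends TSIG-signed updates. Windows clients that try to register themselves
are refused because they do not sign with the shared TSIG key; that is
noise. A refusal of the DHCP server itself, or of a host outside the LAN,
is what the admin should actually chase.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Values taken from the configuration posted in the thread.
DHCP_SERVER = "192.168.1.1"
LAN = ip_network("192.168.1.0/24")                           # acl internals
DYNAMIC_ZONES = {"apollo.lokal", "1.168.192.in-addr.arpa"}  # zones with allow-update
FIXED_HOSTS = {"192.168.1.30": "duke", "192.168.1.20": "blade"}  # host statements

# named logs a refused dynamic update as:
#   client <ip>#<port>: update '<zone>/<class>' denied
UPDATE_DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<cls>[A-Z]+)' denied"
)


def parse_denial(line):
    """Return (ip, port, zone) for an 'update denied' line, or None otherwise."""
    m = UPDATE_DENIED.search(line)
    if not m:
        return None
    return m["ip"], int(m["port"]), m["zone"].rstrip(".").lower()


def classify(ip, zone):
    """Label one refused update.

    updater-denied : the DHCP server itself was refused. The TSIG key in
                     dhcpd.conf and named.conf disagree (name, algorithm or
                     secret) or the zone lacks allow-update. Real problem.
    client-unsigned: a LAN host tried to register itself. Expected when
                     dhcpd has 'ignore client-updates' and named accepts
                     only key-signed updates for the zone.
    not-dynamic    : the zone is not one we allow updates to at all.
    outside-lan    : source outside the internals acl; investigate.
    """
    if zone not in DYNAMIC_ZONES:
        return "not-dynamic"
    if ip == DHCP_SERVER:
        return "updater-denied"
    if ip_address(ip) in LAN:
        return "client-unsigned"
    return "outside-lan"


def triage(lines):
    """Group denials by label; each entry is (ip, hostname-or-None, zone)."""
    report = defaultdict(list)
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue            # not an update-denied line, skip it
        ip, _port, zone = parsed
        report[classify(ip, zone)].append((ip, FIXED_HOSTS.get(ip), zone))
    return dict(report)


# Constructed sample log. The first two lines mirror the ones posted in the
# thread; the rest are made up to exercise the other labels.
SAMPLE_LOG = [
    "Jan  8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied",
    "Jan  8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied",
    "Jan  8 19:05:20 gateway named[12349]: client 192.168.1.1#32771: update '1.168.192.in-addr.arpa/IN' denied",
    "Jan  8 19:06:02 gateway named[12349]: client 10.9.8.7#53000: update 'apollo.lokal/IN' denied",
    "Jan  8 19:06:40 gateway named[12349]: client 192.168.1.120#4321: update 'example.test/IN' denied",
    "Jan  8 19:07:00 gateway named[12349]: lame server resolving 'x.example' (in 'example'?): 198.51.100.1#53",
]

if __name__ == "__main__":
    for label, entries in sorted(triage(SAMPLE_LOG).items()):
        print(label)
        for ip, host, zone in entries:
            print(f"  {ip:<16} {host or '-':<8} {zone}")
```

Run against the real syslog (`grep 'update .* denied' /var/log/messages | python3 triage.py` with the loop adapted to read stdin), an empty "updater-denied" bucket together with a populated "client-unsigned" bucket is the healthy state for the configuration in this thread: dhcpd's signed updates are getting through and only the clients' own unsigned attempts are being turned away.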



