dynamic update reverse zone?

Alexandre Paradis alexandre at optiksecurite.com
Fri Feb 15 15:10:21 UTC 2008


Kevin Darcy wrote:
> Alexandre Paradis wrote:
>   
>> Konigs Carl wrote:
>>> Verify write permission of "/etc/namedb/dynamic/revlan.bureau.own"
>>> Try nsupdate on your reverse zone, does it work?
>>>
>>> -----Original Message-----
>>> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>>> Behalf Of Alexandre Paradis
>>> Sent: 13 February 2008 20:40
>>> To: bind-users at isc.org
>>> Subject: dynamic update reverse zone?
>>>
>>> Hi, I have some problems with my dynamic update between the DHCP and 
>>> DNS. I'm able to update my "normal" zone, but the reverse zone won't 
>>> update.
>>>
>>> Here's my dhcpd.conf
>>>
>>>
>>> # dhcpd.conf
>>>
>>> ddns-hostname = pick (option fqdn.hostname, option host-name, concat
>>> ("dhcp-", binary-to-ascii (10, 8, "-", leased-address)));
>>> option host-name = config-option server.ddns-hostname;
>>>
>>> option domain-name "bureau.own";
>>> option domain-name-servers 69.69.68.1;
>>> default-lease-time 600;
>>> max-lease-time 7200;
>>> authoritative;
>>> #ping-check false;
>>> #DDNS
>>> ddns-updates on;
>>> ddns-update-style interim;
>>> ddns-domainname "bureau.own";
>>> #ignore client-updates;
>>> ddns-ttl 120;
>>> ddns-rev-domainname "in-addr.arpa";
>>> allow client-updates;
>>>
>>> subnet 69.69.68.0 netmask 255.255.255.0 {
>>>      range 69.69.68.100 69.69.68.145;
>>>      option routers 69.69.68.1;
>>>      option broadcast-address 69.69.68.255;
>>>      }
>>>
>>> key marjo {
>>>      algorithm HMAC-MD5;
>>>      secret <mykey>;
>>>      }
>>>
>>> zone bureau.own. {
>>>      primary 69.69.68.1;
>>>      key marjo;
>>>      }
>>>
>>> # the zone name must match the BIND zone exactly: "in-addr.arpa", not "in-addr-arpa"
>>> zone 68.69.69.in-addr.arpa. {
>>>      primary 69.69.68.1;
>>>      key marjo;
>>>      }
>>>
>>>
>>> This is my named.conf
>>>
>>>
>>> key marjo {
>>>       algorithm HMAC-MD5;
>>>       secret "<mykey>";
>>>       };
>>>
>>> # ACL for the different interfaces
>>> acl lan { 69.69.68.0/24; 127.0.0.1; };
>>> # acl dmz { 1.2.3.4/24; };
>>>
>>> options {
>>>         // Relative to the chroot directory, if any
>>>         directory       "/etc/namedb";
>>>         pid-file        "/var/run/named/pid";
>>>         dump-file       "/var/dump/named_dump.db";
>>>         statistics-file "/var/stats/named.stats";
>>>         version         "haha oh wow!";
>>>         recursion       yes;
>>>         allow-recursion {69.69.68.0/24; 127.0.0.1; };
>>>         listen-on       { 127.0.0.1; 69.69.68.1; };
>>>         allow-query { lan; };
>>>         forwarders {69.69.69.1; };
>>>         };
>>> controls {
>>>         inet 127.0.0.1 port 953
>>>         allow  { 127.0.0.1; 69.69.68.1; } keys { "marjo";};
>>>         };
>>>
>>> view lan {
>>>
>>> zone "." {
>>>       type hint;
>>>       file "named.root";
>>>       };
>>>
>>> match-clients {lan; };
>>>
>>> zone "bureau.own"{
>>>       type master;
>>>       notify no;
>>>       file "/etc/namedb/dynamic/lan.bureau.own";
>>>       //allow-transfer {127.0.0.1; };
>>>       allow-update { key marjo; };
>>>       };
>>>
>>> zone "68.69.69.in-addr.arpa" {
>>>       type master;
>>>       notify no;
>>>       file "/etc/namedb/dynamic/revlan.bureau.own";
>>>       //allow-transfer {127.0.0.1; };
>>>       allow-update { key marjo; };
>>>       };
>>>
>>> };
>>>
>>>
>>> I tried with dhclient.conf on the client side with
>>>
>>> interface "xl0" {
>>> send host-name "alexBSD";
>>> }
>>>
>>> It changed nothing.
>>>
>>> Any idea?
>>>
>> No, it didn't work. I've checked my permissions, and they are OK now.
>> Also, there is no .jnl file for my reverse zone.
> You say the nsupdate didn't work. Were you using the "marjo" TSIG key? 
> What kind of failure did you get (NOTAUTH, REFUSED, BADKEY, something 
> else)? You need to provide more detail on each troubleshooting step if 
> you want a speedy resolution to this problem.
>
> Also, is there anything in the log about problems with the reverse zone 
> when you start or reload named?
>
> - Kevin
>
>
When I try to do a manual update with nsupdate, the error is "BADKEY", 
but I have looked again and again at all my keys, and everything seems to be OK.

Now I have these errors in my log:

Feb 15 10:06:33 marjo dhcpd: icmp_echorequest 69.69.68.140: Operation not permitted
Feb 15 10:06:36 marjo named[71266]: client 69.69.68.1#52856: update '68.69.69.in-addr.arpa/IN' denied
Feb 15 10:06:36 marjo dhcpd: unable to add reverse map from 140.68.69.69.in-addr.arpa to alexBSD.bureau.own: timed out

I took the public key instead of the private key in the DHCP and BIND conf.
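
The two things that have to agree between dhcpd.conf and named.conf before a DDNS update can succeed are the TSIG key (same name, same algorithm, same base64 secret on both sides) and the zone names (the zone dhcpd sends the update for must exist in named.conf with an allow-update that lists that key). The checker below is an added example, not code from the thread or from ISC; it parses the `key` and `zone` blocks out of both files and reports any mismatch. The two config fragments it runs on are constructed to mirror the setup in the thread, with throwaway secrets; the key name `marjo` and the zone names are taken from the posts.

```python
"""Cross-check the TSIG key and zone names that dhcpd.conf and named.conf
must agree on for DDNS.  Added example, not from the original thread; the
two config fragments below are constructed to mirror the thread's setup
and deliberately contain a zone-name typo and a secret mismatch."""
import base64
import binascii
import difflib
import re

# Constructed sample: dhcpd.conf fragment (the secret is a throwaway test value).
DHCPD_CONF = """
key marjo {
     algorithm HMAC-MD5;
     secret dGhpcyBpcyBhIHRlc3Q=;
     }
zone bureau.own. {
     primary 69.69.68.1;
     key marjo;
     }
zone 68.69.69.in-addr-arpa. {
     primary 69.69.68.1;
     key marjo;
     }
"""

# Constructed sample: named.conf fragment (different throwaway secret on purpose).
NAMED_CONF = """
key marjo {
      algorithm hmac-md5;
      secret "dGhpcyBpcyBub3QgaXQ=";
      };
view lan {
zone "." { type hint; file "named.root"; };
zone "bureau.own"{
      type master;
      file "/etc/namedb/dynamic/lan.bureau.own";
      //allow-transfer {127.0.0.1; };
      allow-update { key marjo; };
      };
zone "68.69.69.in-addr.arpa" {
      type master;
      file "/etc/namedb/dynamic/revlan.bureau.own";
      allow-update { key marjo; };
      };
};
"""


def blocks(text, keyword):
    """Yield (name, body) for every `keyword name { ... }` block, matching
    nested braces so an allow-update { ... } inside a zone stays in the body."""
    for m in re.finditer(r'\b%s\s+"?([^\s"{]+)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def parse_keys(text):
    """Return {key name: (algorithm lowercased, secret string)}."""
    keys = {}
    for name, body in blocks(text, "key"):
        alg = re.search(r"algorithm\s+([\w-]+)", body)
        sec = re.search(r'secret\s+"?([^";\s]+)"?\s*;', body)
        keys[name] = (alg.group(1).lower() if alg else None,
                      sec.group(1) if sec else None)
    return keys


def valid_base64(s):
    """TSIG secrets are base64; a pasted placeholder or a stray character
    cannot even be loaded as a key, let alone verify on the wire."""
    try:
        return s is not None and len(base64.b64decode(s, validate=True)) > 0
    except binascii.Error:
        return False


def norm_zone(name):
    """Compare zone names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".") or "."


def check(dhcpd_text, named_text):
    """Return a list of human-readable findings; an empty list means the files agree."""
    findings = []
    dkeys, nkeys = parse_keys(dhcpd_text), parse_keys(named_text)
    for name, (alg, secret) in dkeys.items():
        if name not in nkeys:
            findings.append(f"key '{name}' is defined in dhcpd.conf but not in named.conf")
            continue
        nalg, nsecret = nkeys[name]
        if alg != nalg:
            findings.append(f"key '{name}': algorithm {alg} in dhcpd.conf vs {nalg} in named.conf")
        usable = True
        for where, s in (("dhcpd.conf", secret), ("named.conf", nsecret)):
            if not valid_base64(s):
                findings.append(f"key '{name}': secret in {where} is not valid base64 ({s!r})")
                usable = False
        if usable and secret != nsecret:
            findings.append(f"key '{name}': secret differs between dhcpd.conf and named.conf")
    nzones = {norm_zone(z): body for z, body in blocks(named_text, "zone")}
    for z, body in blocks(dhcpd_text, "zone"):
        zn = norm_zone(z)
        if zn not in nzones:
            near = difflib.get_close_matches(zn, list(nzones), n=1)
            hint = f" (did you mean '{near[0]}'?)" if near else ""
            findings.append(f"zone '{zn}' in dhcpd.conf has no matching zone in named.conf{hint}")
            continue
        # dhcpd signs this zone's updates with `key NAME;`; named must allow that key.
        km = re.search(r'\bkey\s+"?([^\s";]+)"?\s*;', body)
        upd = re.search(r"allow-update\s*\{([^}]*)\}", nzones[zn])
        if not (km and upd and re.search(r'\bkey\s+"?%s"?\s*;' % re.escape(km.group(1)), upd.group(1))):
            findings.append(f"zone '{zn}': named.conf allow-update does not list the key dhcpd.conf uses")
    return findings


if __name__ == "__main__":
    for finding in check(DHCPD_CONF, NAMED_CONF):
        print(finding)
```

Run against the constructed fragments it reports the two mistakes planted in them: the secret for `marjo` differs between the files, and dhcpd's `68.69.69.in-addr-arpa` zone has no counterpart in named.conf (the closest is `68.69.69.in-addr.arpa`). Either one alone is enough for the forward zone to update while the reverse zone never does. Once the files agree, `nsupdate -y marjo:<secret>` against the reverse zone is the direct test of whether named accepts the key; a BADKEY there means the TSIG did not verify, which is a key mismatch rather than a zone or permission problem.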


