dynamic update reverse zone?

Kevin Darcy kcd at chrysler.com
Fri Feb 15 18:06:15 UTC 2008


Alexandre Paradis wrote:
> Kevin Darcy wrote:
>> Alexandre Paradis wrote:
>>> Konigs Carl wrote:
>>>> Verify write permission of "/etc/namedb/dynamic/revlan.bureau.own"
>>>> Try nsupdate on your reverse zone, does it work?
>>>>
>>>> -----Original Message-----
>>>> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>>>> Behalf Of Alexandre Paradis
>>>> Sent: 13 February 2008 20:40
>>>> To: bind-users at isc.org
>>>> Subject: dynamic update reverse zone?
>>>>
>>>> Hi, I have some problems with my dynamic update between the DHCP 
>>>> and DNS. I'm able to update my "normal" zone, but the reverse zone 
>>>> won't update.
>>>>
>>>> Here's my dhcpd.conf
>>>>
>>>>
>>>> # dhcpd.conf
>>>>
>>>> ddns-hostname = pick (option fqdn.hostname, option host-name, concat
>>>> ("dhcp-", binary-to-ascii (10, 8, "-", leased-address)));
>>>> option host-name = config-option server.ddns-hostname;
>>>>
>>>> option domain-name "bureau.own";
>>>> option domain-name-servers 69.69.68.1;
>>>> default-lease-time 600;
>>>> max-lease-time 7200;
>>>> authoritative;
>>>> #ping-check false;
>>>> #DDNS
>>>> ddns-updates on;
>>>> ddns-update-style interim;
>>>> ddns-domainname "bureau.own";
>>>> #ignore client-updates;
>>>> ddns-ttl 120;
>>>> ddns-rev-domainname "in-addr.arpa";
>>>> allow client-updates;
>>>>
>>>> subnet 69.69.68.0 netmask 255.255.255.0 {
>>>> range 69.69.68.100 69.69.68.145;
>>>> option routers 69.69.68.1;
>>>> option broadcast-address 69.69.68.255;
>>>> }
>>>>
>>>> key marjo {
>>>> algorithm HMAC-MD5;
>>>> secret <mykey>;
>>>> }
>>>>
>>>> zone bureau.own. {
>>>> primary 69.69.68.1;
>>>> key marjo;
>>>> }
>>>>
>>>> zone 68.69.69.in-addr-arpa. {
>>>> primary 69.69.68.1;
>>>> key marjo;
>>>> }
>>>>
>>>> This is my named.conf
>>>>
>>>>
>>>> key marjo {
>>>> algorithm HMAC-MD5;
>>>> secret "<mykey>";
>>>> };
>>>>
>>>> # ACL for the different interfaces
>>>> acl lan { 69.69.68.0/24; 127.0.0.1; };
>>>> # acl dmz { 1.2.3.4/24; };
>>>>
>>>> options {
>>>> // Relative to the chroot directory, if any
>>>> directory "/etc/namedb";
>>>> pid-file "/var/run/named/pid";
>>>> dump-file "/var/dump/named_dump.db";
>>>> statistics-file "/var/stats/named.stats";
>>>> version "haha oh wow!";
>>>> recursion yes;
>>>> allow-recursion {69.69.68.0/24; 127.0.0.1; };
>>>> listen-on { 127.0.0.1; 69.69.68.1; };
>>>> allow-query { lan; };
>>>> forwarders {69.69.69.1; };
>>>> };
>>>> controls {
>>>> inet 127.0.0.1 port 953
>>>> allow { 127.0.0.1; 69.69.68.1; } keys { "marjo";};
>>>> };
>>>>
>>>> view lan {
>>>>
>>>> zone "." {
>>>> type hint;
>>>> file "named.root";
>>>> };
>>>>
>>>> match-clients {lan; };
>>>>
>>>> zone "bureau.own"{
>>>> type master;
>>>> notify no;
>>>> file "/etc/namedb/dynamic/lan.bureau.own";
>>>> //allow-transfer {127.0.0.1; };
>>>> allow-update { key marjo; };
>>>> };
>>>>
>>>> zone "68.69.69.in-addr.arpa" {
>>>> type master;
>>>> notify no;
>>>> file "/etc/namedb/dynamic/revlan.bureau.own";
>>>> //allow-transfer {127.0.0.1; };
>>>> allow-update { key marjo; };
>>>> };
>>>>
>>>> };
>>>>
>>>>
>>>> I tried with dhclient.conf on the client side with
>>>>
>>>> interface "xl0" {
>>>> send host-name "alexBSD";
>>>> }
>>>>
>>>> It changed nothing.
>>>>
>>>> Any idea?
>>>>
>>> No, it didn't work. I've checked my permissions, and they are OK now.
>>> Also, there is no .jnl file for my reverse zone.
>> You say the nsupdate didn't work. Were you using the "marjo" TSIG 
>> key? What kind of failure did you get (NOTAUTH, REFUSED, BADKEY, 
>> something else)? You need to provide more detail on each 
>> troubleshooting step if you want a speedy resolution to this problem.
>>
>> Also, is there anything in the log about problems with the reverse 
>> zone when you start or reload named?
>>
>> - Kevin
>>
>>
> When I try to do a manual update with nsupdate, the error is "BADKEY", 
> but I looked again and again at all my keys, and everything seems to be OK.
>
> Now I have these errors in my log:
>
> Feb 15 10:06:33 marjo dhcpd: icmp_echorequest 69.69.68.140: Operation 
> not permitted
> Feb 15 10:06:36 marjo named[71266]: client 69.69.68.1#52856: update 
> '68.69.69.in-addr.arpa/IN' denied
> Feb 15 10:06:36 marjo dhcpd: unable to add reverse map from 
> 140.68.69.69.in-addr.arpa to alexBSD.bureau.own: timed out
>
> I took the public key instead of the private key in the DHCP and BIND 
> conf.
TSIG uses shared-key crypto; there is no "public" and "private".

What is alexBSD.bureau.own? I'm assuming that's what's in the SOA.MNAME 
for 68.69.69.in-addr.arpa. Looks like your DHCP server can't talk to it.

- Kevin
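Because TSIG is a shared secret, a BADKEY from nsupdate or an "update ... denied" line in the named log means the two sides disagree about the key (its name, algorithm or secret) or about which zone the key is attached to. The script below is an added example for readers of this thread; it is not from the thread, from ISC dhcpd or from BIND. It parses the `key` and `zone` stanzas out of a dhcpd.conf and a named.conf and reports the mismatches that produce those symptoms. The two configs embedded in it are constructed for the demonstration: the key name and zone names follow the thread, but the secrets and the two deliberate defects (a secret that differs by one character, and a reverse zone whose name does not end in `.in-addr.arpa`) are invented.

```python
import base64
import binascii
import re

# Constructed sample configs (not the thread's files). The secret values and
# the two defects are invented for the demonstration.
DHCPD_CONF = """
key marjo {
    algorithm HMAC-MD5;
    secret "c2VjcmV0LWZvci1kZW1v";
}
zone bureau.own. {
    primary 69.69.68.1;
    key marjo;
}
zone 68.69.69.in-addr-arpa. {
    primary 69.69.68.1;
    key marjo;
}
"""

NAMED_CONF = """
key marjo {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1kZW1vMg==";
};
zone "bureau.own" {
    type master;
    file "dynamic/lan.bureau.own";
    allow-update { key marjo; };
};
zone "68.69.69.in-addr.arpa" {
    type master;
    file "dynamic/revlan.bureau.own";
    allow-update { key marjo; };
};
"""

# "key NAME { ... }" in either file; "key NAME;" references are not matched
# because no "{" follows them.
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
ALG_RE = re.compile(r'\balgorithm\s+"?([\w-]+)"?\s*;')
SECRET_RE = re.compile(r'\bsecret\s+"?([^";\s]+)"?\s*;')
# dhcpd zone stanzas have no nested braces, so a flat match is enough.
DHCPD_ZONE_RE = re.compile(r'\bzone\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
ZONE_KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')
NAMED_ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"(?:\s+IN)?\s*\{')
ALLOW_UPDATE_RE = re.compile(r'\ballow-update\s*\{([^}]*)\}')


def parse_keys(text):
    """Return {key name: {"algorithm": lower-cased name, "secret": base64 text}}."""
    keys = {}
    for m in KEY_RE.finditer(text):
        alg = ALG_RE.search(m.group(2))
        sec = SECRET_RE.search(m.group(2))
        keys[m.group(1)] = {
            "algorithm": alg.group(1).lower() if alg else None,
            "secret": sec.group(1) if sec else None,
        }
    return keys


def parse_dhcpd_zones(text):
    """Return {zone name without trailing dot: key name dhcpd signs with}."""
    zones = {}
    for m in DHCPD_ZONE_RE.finditer(text):
        k = ZONE_KEY_RE.search(m.group(2))
        zones[m.group(1).rstrip(".").lower()] = k.group(1) if k else None
    return zones


def _block(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_named_zones(text):
    """Return {zone name: [key names listed in allow-update]} (nested braces handled)."""
    zones = {}
    for m in NAMED_ZONE_RE.finditer(text):
        body = _block(text, m.end() - 1)
        au = ALLOW_UPDATE_RE.search(body)
        zones[m.group(1).rstrip(".").lower()] = ZONE_KEY_RE.findall(au.group(1)) if au else []
    return zones


def check(dhcpd_conf, named_conf):
    """Return a list of human-readable mismatches between the two configs."""
    problems = []
    dkeys, nkeys = parse_keys(dhcpd_conf), parse_keys(named_conf)
    for name, dk in dkeys.items():
        nk = nkeys.get(name)
        if nk is None:
            problems.append(f"key {name}: declared in dhcpd.conf but not in named.conf")
            continue
        if dk["algorithm"] != nk["algorithm"]:
            problems.append(f"key {name}: algorithm differs ({dk['algorithm']} vs {nk['algorithm']})")
        if dk["secret"] != nk["secret"]:
            problems.append(f"key {name}: secret differs between dhcpd.conf and named.conf (expect BADKEY)")
        for side, k in (("dhcpd.conf", dk), ("named.conf", nk)):
            try:
                base64.b64decode(k["secret"] or "", validate=True)
            except binascii.Error:
                problems.append(f"key {name}: secret in {side} is not valid base64")
    nzones = parse_named_zones(named_conf)
    for zname, keyname in parse_dhcpd_zones(dhcpd_conf).items():
        if "in-addr" in zname and not zname.endswith(".in-addr.arpa"):
            problems.append(f"zone {zname}: reverse zone name is malformed (expected ...in-addr.arpa)")
        if zname not in nzones:
            problems.append(f"zone {zname}: no matching zone in named.conf, so key {keyname} "
                            "is never applied to the zone named actually serves")
        elif keyname not in nzones[zname]:
            problems.append(f"zone {zname}: key {keyname} is not in named's allow-update")
    return problems


if __name__ == "__main__":
    for line in check(DHCPD_CONF, NAMED_CONF) or ["no mismatches found"]:
        print(line)
```

Run against the embedded samples it reports the differing secret and the malformed reverse zone name; run against two consistent files it reports nothing. Secrets are compared byte for byte on purpose: TSIG has no public half, so the same base64 string must appear in both files, and a value that is not valid base64 is rejected by both daemons before any update is ever signed.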


