Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

Jim Bucks jbucks at coloradostudios.com
Thu Mar 28 17:18:20 UTC 2013


Hi Mark, Graham, & others.

I've spent the last day trying all sorts of things to get this working (to
no avail).  I'm still at the stage of DHCP offering the lease IP address,
but the DNS is not automatically updating the two "zones" files with the
newly leased addresses.

Here is a brief summary of what I tried/changed.
   - Added the group named to the dhcpd user
   - moved the two zones files into /var/named/chroot/var/named/slaves/ (was internal/)
   - added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
   - grabbed a current version named.conf file and added the bare minimum config into it.

Attached are my configs.

Any ideas on what I've hosed up?

Thanks,

Jim



-- 
Jim Bucks - IT Director
Colorado Studios <http://www.coloradostudios.com>, Mobile TV
Group<http://www.mobiletvgroup.com>,
HDNet <http://www.hd.net>, AXS.tv <http://www.axs.tv/>
8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
jbucks at coloradostudios.com            Direct 303-542-5520
DDNS_DHCP_Problem20130327.txt


CentOS 64 bit  ver 6.4
dhcpd          ver 4.1.1-P1
bind           ver BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3

All the above are on one server.





Here is what I'm still seeing when grabbing a DHCP lease from this server.  
I do get a lease, but the DDNS is not updating the "zones" files.
=======================================================================================
Mar 27 15:38:29 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 27 15:38:29 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 27 15:38:29 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 27 15:38:29 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1






Here are all my configuration & logfiles.  They are 99% the same as my "real" files.  
The only change was to replace the "secret" string.  Syntactically, there are no changes.


File Permissions & Ownerships
=================================================================
ll /var/named/chroot/var/named/
total 28
drwxrwx---  2 named named 4096 Mar 28 08:01 data
drwxrwx---. 2 named named 4096 Feb 15 09:21 external
drwxrwx---. 3 named named 4096 Mar 28 09:40 internal
-rw-r-----  1 root  named  152 Dec 15  2009 named.empty
-rw-r-----  1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----  1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---  2 named named 4096 Mar 28 10:37 slaves


ll /var/named/chroot/var/named/slaves/
-rw-rw-rw-  1 named named  386 Mar 26 10:55 db.172.10.20
-rw-rw-rw-  1 named named  525 Mar 26 11:41 db.dhcp.coloradostudios.com


ll /var/lib/dhcpd/dhcpd.leases
-rw-r--r-- 1 root root 1511 Mar 27 13:18 /var/lib/dhcpd/dhcpd.leases

ll /etc/dhcp/dhcpd.conf
-rw-r--r-- 1 root root 2010 Mar 27 12:45 /etc/dhcp/dhcpd.conf

ll /var/named/chroot/etc/named.conf
-rw-r----- 1 named named 6341 Mar 27 12:54 /var/named/chroot/etc/named.conf


Based on an internet search, I have added the "named" group to the dhcpd user:
usermod -G dhcpd,named dhcpd



cat /etc/sysconfig/named
==============================================================
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#                            you must set up the chroot environment 
#                            (install the bind-chroot package) before
#                            doing this.
#	NOTE:
#         Those directories are automatically mounted to chroot if they are
#         empty in the ROOTDIR directory. It will simplify maintenance of your
#         chroot environment.
#          - /var/named
#          - /etc/pki/dnssec-keys
#          - /etc/named
#          - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#	  Those files are mounted as well if target file doesn't exist in
#	  chroot.
#          - /etc/named.conf
#          - /etc/rndc.conf
#          - /etc/rndc.key
#          - /etc/named.rfc1912.zones
#          - /etc/named.dnssec.keys
#	   - /etc/named.iscdlv.key
#
#	Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#	line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#	broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)
#
# DISABLE_ZONE_CHECKING  -- By default, initscript calls named-checkzone
#			    utility for every zone to ensure all zones are
#			    valid before named starts. If you set this option
#			    to 'yes' then initscript doesn't perform those
#			    checks.
ROOTDIR=/var/named/chroot
# Tried adding this based on google searches.  Did not help.
ENABLE_ZONE_WRITE=yes


cat /etc/dhcp/dhcpd.conf
==============================================================
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#
# Sept 19, 2012      jbucks
#  /etc/dhcp/dhcdp.conf file - prepping for dhcp rollout
#
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".>
INTERFACES="eth1"; 

deny client-updates;              # Tells the server to deny any requests that clients may send to update their own information.

authoritative;                    # Sets the server authoritative for my network
ddns-update-style interim;        # Activates Dynamic DNS
max-lease-time 604800;            # 604800 is a week
default-lease-time 86400;         # 86400 is a day

# Use this command line to generate the key.  Only need the key string (from the .private file) inside these files.
#       dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER 
# 
#  It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
key DHCP_UPDATER {                       # This line specifies the key name
    algorithm HMAC-MD5;                  # This line specifies the encryption algorithm best to stick with HMAC-MD5
    secret x99yzTXeeeeeOPQLKsd==;     # Finally the key statement itself
};


# These zones statements are part of the dynamic dns (named) as they link back into the bind (named) zones
zone dhcp.coloradostudios.com. {
   primary 127.0.0.1;
   key DHCP_UPDATER;
}

zone 20.10.172.in-addr.arpa. {
   primary 127.0.0.1;
   key DHCP_UPDATER;
}

subnet 172.10.0.0 netmask 255.255.0.0 {
   option broadcast-address 172.10.255.255;
   option domain-name       "coloradostudios.com";
   option routers           172.10.5.1;
   ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8, "-", leased-address));
   option time-offset       -7;     # Mountain Standard Time
   range                    172.10.20.101 172.10.21.254;
}



cat /var/named/chroot/etc/named.conf
==================================================================
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
 its manual.
*/

acl stapleton_hosts {
    127.0.0.1;
    172.10.0.0/16;
};

options
{
	// Put files that named is allowed to write in the data/ directory:
	directory 		"/var/named";		// "Working" directory
	dump-file 		"data/cache_dump.db";
        statistics-file 	"data/named_stats.txt";
        memstatistics-file 	"data/named_mem_stats.txt";
        zone-statistics         yes;


	/*
	  Specify listenning interfaces. You can use list of addresses (';' is
	  delimiter) or keywords "any"/"none"
	*/
	//listen-on port 53	{ any; };
	listen-on port 53	{ 127.0.0.1; 172.10.0.0; };

	//listen-on-v6 port 53	{ any; };
	//listen-on-v6 port 53	{ ::1; };

	/*
	  Access restrictions

	  There are two important options:
	    allow-query { argument; };
	      - allow queries for authoritative data

	    allow-query-cache { argument; };
	      - allow queries for non-authoritative data (mostly cached data)

	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
	  Examples:
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
	*/

	allow-query		{ stapleton_hosts; };
	allow-query-cache	{ stapleton_hosts; };

	// Enable/disable recursion - recursion yes/no;
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
 	   and recursive servers DNSSEC aware servers */
	//dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers */
	//dnssec-validation yes;

	/* Enable DLV by default, use built-in ISC DLV key. */
	//dnssec-lookaside auto;

        version "Secret";

};

# Use this command line to generate the key.  Only need the key string (from the .private file) inside these files.
#      dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER 
#
# It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
key DHCP_UPDATER {                       # This line specifies the key name
    algorithm HMAC-MD5;                  # This line specifies the encryption algorithm best to stick with HMAC-MD5
    secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==";     # Finally, the key statement itself
};


logging 
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };	
};

/*
 Views let a name server answer a DNS query differently depending on who is asking.

 By default, if named.conf contains no "view" clauses, all zones are in the 
 "default" view, which matches all clients.

 Views are processed sequentially. The first match is used so the last view should
 match "any" - it's fallback and the most restricted view.

 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

//view "localhost_resolver"
//{
///* This view sets up named to be a localhost resolver ( caching only nameserver ).
// * If all you want is a caching-only nameserver, then you need only define this view:
// */
//	match-clients 		{ localhost; };
//	recursion yes;
//
//	# all views must contain the root hints zone:
//	zone "." IN {
//	        type hint;
//	        file "/var/named/named.ca";
//	};
//
//       /* these are zones that contain definitions for all the localhost
//         * names and addresses, as recommended in RFC1912 - these names should
//	 * not leak to the other nameservers:
//	 */
//	include "/etc/named.rfc1912.zones";
//};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
	match-clients		{ stapleton_hosts; };
	recursion yes;

        disable-empty-zone ".";

        allow-update            { stapleton_hosts; };

	zone "." IN {
	        type hint;
	        file "internal/root.hints";
	};

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "internal/named.rfc1912.zones";
 
	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	  NOTE for dynamic DNS zones and secondary zones:

	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	  If you are using views and DDNS/secondary zones it is strongly
	  recommended to read FAQ on ISC site (www.isc.org), section
	  "Configuration and Setup Questions", questions
	  "How do I share a dynamic zone between multiple views?" and
	  "How can I make a server a slave for both an internal and an external
	   view at the same time?"
	*/

       /*
         Based on research, need to put DDNS "zones" files into the /var/named/chroot/data/ directory.
         Named has a "bug" that prevents them from being updated in the usual place /var/named/chroot/var/named/internal/
       */
	zone "dhcp.coloradostudios.com" {
		type master;
		allow-update { key DHCP_UPDATER; };
		file "slaves/db.dhcp.coloradostudios.com";
                notify yes;
		// put dynamically updateable zones in the slaves/ directory so named can update them
	};

        zone "20.10.172.in-addr.arpa" {
                type master;
                allow-update { key DHCP_UPDATER; };
                file "slaves/db.172.10.20";
                notify yes;
        };
};





DNS "Zones" files.
==================================================================
cat /var/named/chroot/var/named/slaves/db.dhcp.coloradostudios.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$TTL    1d
dhcp.coloradostudios.com. IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
                2013032602 ;Serial   use this format yyyymmddvv where vv is that days version number
                10800   ;Refresh after 3 hours
                3600    ;Retry after 1 hour
                604800  ;Expire after 1 week
                86400 ) ;Min TTL of 1 day

;
; This is for the Internal Stapleton machines for Colorado Studios
;

;
; Name Servers
;
dhcp.coloradostudios.com.    IN NS   dns04.coloradostudios.com.




cat /var/named/chroot/var/named/slaves/db.172.10.20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$TTL    1d
20.10.172.in-addr.arpa. IN SOA dns04.coloradostudios.com. sysmgr.hd.net. (
                2013032600 ; Serial
                10800   ;Refresh after 3 hours
                3600    ;Retry after 1 hour
                604800  ;Expire after 1 week
                86400 ) ;Min TTL of 1 day

; Name Servers

20.10.172.in-addr.arpa.    IN NS   dns04.den.coloradostudios.com.
	



cat /var/lib/dhcpd/dhcpd.leases
==================================================================
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.1.1-P1

lease 172.10.20.101 {
  starts 3 2013/03/27 18:59:46;
  ends 4 2013/03/28 18:59:46;
  tstp 4 2013/03/28 18:59:46;
  cltt 3 2013/03/27 18:59:46;
  binding state active;
  next binding state free;
  hardware ethernet 00:0b:cd:33:b6:49;
  uid "\001\000\013\3153\266I";
  client-hostname "proccilapxp";
}
server-duid "\000\001\000\001\030\333@\376\\\363\374'\005U";

lease 172.10.20.101 {
  starts 3 2013/03/27 18:59:46;
  ends 3 2013/03/27 19:13:56;
  tstp 3 2013/03/27 19:13:56;
  cltt 3 2013/03/27 18:59:46;
  binding state free;
  hardware ethernet 00:0b:cd:33:b6:49;
  uid "\001\000\013\3153\266I";
}
lease 172.10.20.101 {
  starts 3 2013/03/27 19:13:59;
  ends 4 2013/03/28 19:13:59;
  cltt 3 2013/03/27 19:13:59;
  binding state active;
  next binding state free;
  hardware ethernet 00:0b:cd:33:b6:49;
  uid "\001\000\013\3153\266I";
  client-hostname "proccilapxp";
}
lease 172.10.20.101 {
  starts 3 2013/03/27 19:13:59;
  ends 3 2013/03/27 19:18:20;
  tstp 3 2013/03/27 19:18:20;
  cltt 3 2013/03/27 19:13:59;
  binding state free;
  hardware ethernet 00:0b:cd:33:b6:49;
  uid "\001\000\013\3153\266I";
}
lease 172.10.20.101 {
  starts 3 2013/03/27 19:18:24;
  ends 4 2013/03/28 19:18:24;
  cltt 3 2013/03/27 19:18:24;
  binding state active;
  next binding state free;
  hardware ethernet 00:0b:cd:33:b6:49;
  uid "\001\000\013\3153\266I";
  client-hostname "proccilapxp";
}



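Added example, not part of Jim's post or of ISC's code: a stdlib-only model of the exchange the configs above set up, with dhcpd signing a DNS UPDATE (RFC 2136) under TSIG HMAC-MD5 (RFC 2845) and named verifying it with its own copy of the key. It shows why the comment "use the exact same keystring and name on both dhcpd.conf and named.conf" matters: a differing secret yields BADSIG, a differing key name BADKEY, and a clock skew beyond the fudge window BADTIME. Two caveats a reader of the log lines should keep in mind: named answers a bad key with one of those error codes, so dhcpd's "timed out" means no reply arrived at all (a listen-on, firewall or chroot-socket question rather than a key question); and the name in that log line, dhcp-172-10-20-101.coloradostudios.com, falls in coloradostudios.com, not in the dhcp.coloradostudios.com zone that dhcpd.conf declares the key for. Zone names follow the posted configs; the secrets, timestamp and the in-zone host name are constructed. The update is simplified to the A/PTR record only (dhcpd's interim style also sends prerequisites and a TXT record).

```python
"""TSIG-signed DNS UPDATE, signer (dhcpd side) and verifier (named side)."""
import base64, hashlib, hmac, ipaddress, struct

TSIG_TYPE, CLASS_IN, CLASS_ANY = 250, 1, 255
TYPE_A, TYPE_SOA, TYPE_PTR, OPCODE_UPDATE = 1, 6, 12, 5
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."

KEY_NAME = "DHCP_UPDATER"                        # key name used in both configs
SECRET_DHCPD = base64.b64encode(bytes(range(64))).decode()        # constructed 512-bit secret
SECRET_MISMATCH = base64.b64encode(bytes(range(1, 65))).decode()  # constructed, differs by one byte
NOW = 1364423909                                  # constructed Unix time on the thread's date
FQDN = "dhcp-172-10-20-101.dhcp.coloradostudios.com."  # constructed name inside the declared zone

def wire_name(name):
    """Uncompressed wire-format name, lowercased as the TSIG digest requires."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".")) + b"\x00"

def read_name(msg, off):
    """Parse an uncompressed name; returns (name, offset after it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode()); off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def rr(name, rtype, rclass, ttl, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, records, msg_id=0x1234):
    """UPDATE message: zone section + one RR per (name, type, ttl, rdata) to add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(records), 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_sec + b"".join(rr(n, t, CLASS_IN, ttl, rd) for n, t, ttl, rd in records)

def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that are digested together with the message (RFC 2845 3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, secret_b64, time_signed, fudge=300):
    """What dhcpd does: HMAC over message+variables, then append the TSIG RR."""
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_variables(keyname, HMAC_MD5_ALG, time_signed, fudge), hashlib.md5).digest()
    rdata = (wire_name(HMAC_MD5_ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error 0, other-len 0
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(keyname, TSIG_TYPE, CLASS_ANY, 0, rdata)

def verify(signed, keyname, secret_b64, now):
    """What named does with its allow-update key: REFUSED, BADKEY, BADSIG, BADTIME or NOERROR."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    if counts[5] == 0:
        return "REFUSED"                           # unsigned update against a key-protected zone
    off = 12
    for _ in range(counts[2]):                     # zone entries: name + type + class
        _, off = read_name(signed, off); off += 4
    last = off
    for _ in range(counts[3] + counts[4] + counts[5]):   # PR, UP and AD sections
        last = off
        _, off = read_name(signed, off)
        rdlen = struct.unpack("!HHIH", signed[off:off + 10])[3]; off += 10 + rdlen
    name, p = read_name(signed, last)              # the TSIG RR must be the last additional RR
    if struct.unpack("!H", signed[p:p + 2])[0] != TSIG_TYPE or name != keyname.lower().rstrip(".") + ".":
        return "BADKEY"
    alg, p = read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big"); p += 6
    fudge, macsize = struct.unpack("!HH", signed[p:p + 4]); p += 4
    mac = signed[p:p + macsize]; p += macsize
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6]); p += 6
    other = signed[p:p + other_len]
    if alg != HMAC_MD5_ALG:
        return "BADKEY"
    # Rebuild the message as it was before signing: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", counts[5] - 1) + signed[12:last]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_variables(keyname, alg, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def forward_update():
    return build_update("dhcp.coloradostudios.com.",
                        [(FQDN, TYPE_A, 86400, ipaddress.IPv4Address("172.10.20.101").packed)])

def reverse_update():
    return build_update("20.10.172.in-addr.arpa.",
                        [("101.20.10.172.in-addr.arpa.", TYPE_PTR, 86400, wire_name(FQDN))])

def demo():
    """Outcomes named would return for the same signed update under different key states."""
    signed = sign(forward_update(), KEY_NAME, SECRET_DHCPD, NOW)
    return {
        "same_key": verify(signed, KEY_NAME, SECRET_DHCPD, NOW),               # NOERROR
        "secret_differs": verify(signed, KEY_NAME, SECRET_MISMATCH, NOW),      # BADSIG
        "name_differs": verify(signed, "dhcp-updater-2", SECRET_DHCPD, NOW),   # BADKEY
        "stale": verify(signed, KEY_NAME, SECRET_DHCPD, NOW + 3600),           # BADTIME
        "reverse": verify(sign(reverse_update(), KEY_NAME, SECRET_DHCPD, NOW), KEY_NAME, SECRET_DHCPD, NOW),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The verifier recomputes the MAC over the message with the TSIG RR stripped and ARCOUNT decremented, exactly the bytes the signer digested, and compares in constant time; the time check happens only after the MAC passes, so a skewed clock with the right key reports BADTIME rather than leaking whether the key matched.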