Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.
Mark Elkins
mje at posix.co.za
Fri Mar 29 12:39:46 UTC 2013
Try using a simpler, short MD5 key.
I seem to remember that DHCP doesn't like non-MD5 keys (e.g. SHA).
There was also some sort of length bug? Try a 128-bit length.
On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote:
> After working on this some more overnight.....
>
> I can add records interactively via nsupdate (as shown below). But,
> cannot get the same results from an ipconfig /release & /renew from a
> workstation. I am totally stumped at this point.
>
> Any ideas (and yes, I did go over the "semicomplete" URL provided
> by ?Alex?). The only difference I can see is that I used a 512-bit
> key vs the example's 128-bit key. And, I'm using a slaves/ directory vs
> internal/ directory for the "zones" files.
>
> Jim
>
>
> INTERACTIVE WORKS
> ------------------------------------
> [root at dns04 chroot]# nsupdate
> > server 127.0.0.1
> > key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> > update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
> >
> > update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
> >
> >
>
> [root at dns04 slaves]# ll
> total 24
> -rw-r--r-- 1 named named 400 Mar 28 15:08 db.172.10.20
> -rw-r--r-- 1 named named 792 Mar 29 05:54 db.172.10.20.jnl
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rwxrwx--- 1 named named 362 Mar 28 13:41 db.dhcp.coloradostudios.com
> -rw-r--r-- 1 named named 782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
> [root at dns04 slaves]#
>
>
>
> [root at dns04 chroot]# rndc freeze
> [root at dns04 chroot]# rndc thaw
>
>
> [root at dns04 slaves]# ll
> total 16
> -rw-r--r-- 1 named named 433 Mar 29 05:58 db.172.10.20
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rw-r--r-- 1 named named 381 Mar 29 05:58 db.dhcp.coloradostudios.com
> [root at dns04 slaves]#
>
>
> [root at dns04 slaves]# cat db.172.10.20
> $ORIGIN .
> $TTL 86400 ; 1 day
> 20.10.172.in-addr.arpa IN SOA dns04.coloradostudios.com. sysmgr.hd.net. (
> 2013032605 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 604800 ; expire (1 week)
> 86400 ; minimum (1 day)
> )
> NS dns04.den.coloradostudios.com.
> $ORIGIN 20.10.172.in-addr.arpa.
> $TTL 3600 ; 1 hour
> 101 PTR proccilap.dhcp.coloradostudios.com.
>
>
> [root at dns04 slaves]# cat db.dhcp.coloradostudios.com
> $ORIGIN .
> $TTL 86400 ; 1 day
> dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
> 2013032804 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 604800 ; expire (1 week)
> 86400 ; minimum (1 day)
> )
> NS dns04.coloradostudios.com.
> $ORIGIN dhcp.coloradostudios.com.
> proccilap A 171.10.20.101
> [root at dns04 slaves]#
>
>
> IPCONFIG /RELEASE & /RENEW DOES NOT WORK
> --------------------------------------------------------------------------------
> Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
> Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
> Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
> Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
>
>
>
>
>
> On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks
> <jbucks at coloradostudios.com> wrote:
> Hi Jim,
>
> Shouldn't there be quotes around the key string in the
> named.conf file? I have quotes around mine in named.conf. I
> do not have quotes around the key string in the dhcpd.conf.
>
> If this is correct, I've made sure they match (I was trying to
> "genericize" the key string before), but not any longer.
>
> After making sure the key strings match, I'm still getting the
> error "unable to add forward map" when I do a release & renew
> from a windows laptop.
> Here are the current (and live) config files.
>
> named.conf
> =====================
> /*
> Sample named.conf BIND DNS server 'named' configuration file
> for the Red Hat BIND distribution.
>
> See the BIND Administrator's Reference Manual (ARM) for details, in:
> file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
> Also see the BIND Configuration GUI : /usr/bin/system-config-bind and its manual.
> */
>
> acl stapleton_hosts {
> 127.0.0.1;
> 172.10.0.0/16;
> };
>
> options
> {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // "Working" directory
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
> zone-statistics yes;
>
>
> /*
> Specify listening interfaces. You can use list of
> addresses (';' is
> delimiter) or keywords "any"/"none"
> */
> //listen-on port 53 { any; };
> listen-on port 53 { 127.0.0.1; 172.10.0.0; };
>
> //listen-on-v6 port 53 { any; };
> //listen-on-v6 port 53 { ::1; };
>
> /*
> Access restrictions
>
> There are two important options:
> allow-query { argument; };
> - allow queries for authoritative data
>
> allow-query-cache { argument; };
> - allow queries for non-authoritative data (mostly
> cached data)
>
> You can use address, network address or keywords
> "any"/"localhost"/"none" as argument
> Examples:
> allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
> allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526;
> 10.0.0.1; };
> */
>
> allow-query { stapleton_hosts; };
> allow-query-cache { stapleton_hosts; };
>
> // Enable/disable recursion - recursion yes/no;
> recursion yes;
>
> /* DNSSEC related options. See information about keys
> ("Trusted keys", below) */
>
> /* Enable serving of DNSSEC related data - enable on both
> authoritative
> and recursive servers DNSSEC aware servers */
> //dnssec-enable yes;
>
> /* Enable DNSSEC validation on recursive servers */
> //dnssec-validation yes;
>
> /* Enable DLV by default, use built-in ISC DLV key. */
> //dnssec-lookaside auto;
>
> version "Secret";
>
> };
>
> # Use this command line to generate the key. Only need the key string (from the .private file) inside these files.
> # dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
> #
> # It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
> key DHCP_UPDATER {            # This line specifies the key name
>     algorithm HMAC-MD5;       # This line specifies the encryption algorithm; best to stick with HMAC-MD5
>     secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw=="; # Finally, the key statement itself
> };
>
>
> logging
> {
> /* If you want to enable debugging, eg. using the 'rndc
> trace' command,
> * named will try to write the 'named.run' file in the
> $directory (/var/named).
> * By default, SELinux policy does not allow named to
> modify the /var/named directory,
> * so put the default debug log file in data/ :
> */
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> /*
> Views let a name server answer a DNS query differently
> depending on who is asking.
>
> By default, if named.conf contains no "view" clauses, all
> zones are in the
> "default" view, which matches all clients.
>
> Views are processed sequentially. The first match is used so
> the last view should
> match "any" - it's fallback and the most restricted view.
>
> If named.conf contains any "view" clause, then all zones MUST
> be in a view.
> */
>
> //view "localhost_resolver"
> //{
> ///* This view sets up named to be a localhost resolver ( caching only nameserver ).
> // * If all you want is a caching-only nameserver, then you need only define this view:
> // */
> // match-clients { localhost; };
> // recursion yes;
> //
> // # all views must contain the root hints zone:
> // zone "." IN {
> // type hint;
> // file "/var/named/named.ca";
> // };
> //
> // /* these are zones that contain definitions for all the localhost
> // * names and addresses, as recommended in RFC1912 - these names should
> // * not leak to the other nameservers:
> // */
> // include "/etc/named.rfc1912.zones";
> //};
> view "internal"
> {
> /* This view will contain zones you want to serve only to
> "internal" clients
> that connect via your directly attached LAN interfaces -
> "localnets" .
> */
> match-clients { stapleton_hosts; };
> recursion yes;
>
> disable-empty-zone ".";
>
> allow-update { stapleton_hosts; };
>
> zone "." IN {
> type hint;
> file "internal/root.hints";
> };
>
> /* these are zones that contain definitions for all
> the localhost
> * names and addresses, as recommended in RFC1912 -
> these names should
> * not leak to the other nameservers:
> */
> include "internal/named.rfc1912.zones";
>
> // These are your "authoritative" internal zones, and would probably
> // also be included in the "localhost_resolver" view above :
>
> /*
> NOTE for dynamic DNS zones and secondary zones:
>
> DO NOT USE SAME FILES IN MULTIPLE VIEWS!
>
> If you are using views and DDNS/secondary zones it is
> strongly
> recommended to read FAQ on ISC site (www.isc.org),
> section
> "Configuration and Setup Questions", questions
> "How do I share a dynamic zone between multiple views?"
> and
> "How can I make a server a slave for both an internal
> and an external
> view at the same time?"
> */
>
> /*
> Based on research, need to put DDNS "zones" files
> into the /var/named/chroot/var/named/slaves/ directory.
> Named has a "bug" that prevents them from being
> updated in the usual
> place /var/named/chroot/var/named/internal/
> */
> // forward "zones" file.
> zone "dhcp.coloradostudios.com" {
> type master;
> allow-update { key DHCP_UPDATER; };
> file "slaves/db.dhcp.coloradostudios.com";
> notify yes;
> // put dynamically updateable zones in the slaves/ directory so named can update them
> };
>
> // Reverse "zones" file.
> zone "20.10.172.in-addr.arpa" {
> type master;
> allow-update { key DHCP_UPDATER; };
> file "slaves/db.172.10.20";
> notify yes;
> };
> };
>
> //key ddns_key
> //{
> // algorithm hmac-md5;
> // secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
> //};
>
> //view "external"
> //{
> ///* This view will contain zones you want to serve only to "external" clients
> // * that have addresses that do not match any above view:
> // */
> // match-clients { any; };
> //
> // zone "." IN {
> // type hint;
> // file "/var/named/named.ca";
> // };
> //
> // recursion no;
> // // you'd probably want to deny recursion to external clients, so you don't
> // // end up providing free DNS service to all takers
> //
> // // These are your "authoritative" external zones, and would probably
> // // contain entries for just your web and mail servers:
> //
> // zone "my.external.zone" {
> // type master;
> // file "my.external.zone.db";
> // };
> //};
>
>
> dhcpd.conf
> ====================================
> #
> # DHCP Server Configuration file.
> # see /usr/share/doc/dhcp*/dhcpd.conf.sample
> # see 'man 5 dhcpd.conf'
> #
> # Sept 19, 2012 jbucks
> # /etc/dhcp/dhcdp.conf file - prepping for dhcp rollout
> #
> #
> # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
> # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
> INTERFACES="eth1";
>
> deny client-updates;        # Tells the server to deny any requests that clients may send to update their own information.
>
> authoritative;              # Sets the server authoritative for my network
> ddns-update-style interim;  # Activates Dynamic DNS
> max-lease-time 604800;      # 604800 is a week
> default-lease-time 86400;   # 86400 is a day
>
> # Use this command line to generate the key. Only need the key string (from the .private file) inside these files.
> # dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
> #
> # It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
> key DHCP_UPDATER {            # This line specifies the key name
>     algorithm HMAC-MD5;       # This line specifies the encryption algorithm; best to stick with HMAC-MD5
>     secret TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==;  # Finally the key statement itself
> };
>
>
> # These zone statements are part of the dynamic DNS (named) setup, as they link back into the BIND (named) zones
> zone dhcp.coloradostudios.com. {
> primary 127.0.0.1;
> key DHCP_UPDATER;
> }
>
> zone 20.10.172.in-addr.arpa. {
> primary 127.0.0.1;
> key DHCP_UPDATER;
> }
>
> subnet 172.10.0.0 netmask 255.255.0.0 {
> option broadcast-address 172.10.255.255;
> option domain-name "coloradostudios.com";
> option routers 172.10.5.1;
> ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8, "-", leased-address));
> option time-offset -7; # Mountain Standard Time
> range 172.10.20.51 172.10.20.254;
> }
>
>
>
> --
> Jim Bucks - IT Director
> Colorado Studios, Mobile TV Group, HDNet, AXS.tv
> 8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
> jbucks at coloradostudios.com Direct 303-542-5520
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
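The thread above turns on three things a practitioner checks first in a dhcpd/named DDNS setup: that the TSIG key stanza is identical in named.conf (secret quoted) and dhcpd.conf (secret unquoted), how long the key actually is (the posted one is generated with -b 512, the reply suggests 128), and which zone statement in dhcpd.conf covers the name dhcpd tries to update (the log line names dhcp-172-10-20-101.coloradostudios.com). The script below is an added example, not code from this thread or from ISC: it parses both files' key stanzas, compares them with quoting normalised, reports the decoded key length in bits, and says which declared dhcpd zone, if any, contains a given FQDN. The two sample configs, the zone names under example.test and the 128-bit secret are constructed for the example; the regex parser handles the stanza shapes shown in the thread, not the full named.conf grammar.

```python
"""Consistency check for a TSIG key shared by named.conf and dhcpd.conf.

Added example (not code from the thread or from ISC).  It pulls the `key`
stanza out of each file, checks that name, algorithm and secret agree once
named.conf's quotes are removed, reports the key length from the decoded
base64 secret, and tells which `zone ... { primary ...; key ...; }` statement
in dhcpd.conf, if any, covers the name dhcpd is about to update.  The two
sample configs and the 128-bit secret below are constructed for the example.
"""
import base64
import binascii
import re

# Comment forms both parsers accept: /* */ blocks, and // or # to end of line.
# The // and # forms must follow whitespace or start a line, so a base64
# secret that happens to contain "//" is left alone.
COMMENT_RE = re.compile(r"/\*.*?\*/|(?:^|(?<=\s))(?://|#)[^\n]*", re.DOTALL | re.MULTILINE)
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.DOTALL)   # stanza, not "key NAME;"
ALGO_RE = re.compile(r"\balgorithm\s+([\w-]+)\s*;")
SECRET_RE = re.compile(r'\bsecret\s+"?([A-Za-z0-9+/=]+)"?\s*;')       # quotes optional
ZONE_RE = re.compile(r'\bzone\s+"?([\w.-]+)"?\s*\{')

SECRET_128 = base64.b64encode(b"0123456789abcdef").decode()  # 16 bytes, constructed

NAMED_CONF = f'''
key DHCP_UPDATER {{            # key name
    algorithm hmac-md5;
    secret "{SECRET_128}";     # named.conf quotes the secret
}};
zone "dhcp.example.test" {{
    type master;
    allow-update {{ key DHCP_UPDATER; }};
    file "slaves/db.dhcp.example.test";
}};
'''

DHCPD_CONF = f'''
ddns-update-style interim;
key DHCP_UPDATER {{
    algorithm hmac-md5;
    secret {SECRET_128};       # dhcpd.conf takes the secret unquoted
}};
zone dhcp.example.test. {{
    primary 127.0.0.1;
    key DHCP_UPDATER;
}}
zone 20.10.172.in-addr.arpa. {{
    primary 127.0.0.1;
    key DHCP_UPDATER;
}}
'''


def strip_comments(text):
    return COMMENT_RE.sub("", text)


def parse_key(text):
    """Return {'name', 'algorithm', 'secret'} for the first key stanza in text."""
    m = KEY_RE.search(strip_comments(text))
    if not m:
        raise ValueError("no key stanza found")
    name, body = m.group(1), m.group(2)
    algo, secret = ALGO_RE.search(body), SECRET_RE.search(body)
    if not (algo and secret):
        raise ValueError(f"key {name} lacks an algorithm or secret")
    return {"name": name, "algorithm": algo.group(1).lower(), "secret": secret.group(1)}


def secret_bits(secret):
    """Bit length of a base64 TSIG secret, or 0 if it does not decode cleanly."""
    try:
        return len(base64.b64decode(secret, validate=True)) * 8
    except (binascii.Error, ValueError):
        return 0


def declared_zones(dhcpd_text):
    """Zone names dhcpd.conf declares, lower-cased and without the trailing dot."""
    return [z.rstrip(".").lower() for z in ZONE_RE.findall(strip_comments(dhcpd_text))]


def covering_zone(fqdn, zones):
    """Longest declared zone that contains fqdn, or None."""
    name = fqdn.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def check(named_conf, dhcpd_conf, update_fqdn):
    """Compare the two key stanzas and locate the dhcpd zone for update_fqdn."""
    n, d = parse_key(named_conf), parse_key(dhcpd_conf)
    findings = []
    for field in ("name", "algorithm", "secret"):
        if n[field] != d[field]:
            findings.append(f"key {field} differs between named.conf and dhcpd.conf")
    bits = secret_bits(n["secret"])
    if bits == 0:
        findings.append("named.conf secret is not valid base64")
    zone = covering_zone(update_fqdn, declared_zones(dhcpd_conf))
    if zone is None:
        findings.append(f"{update_fqdn} is not inside any zone declared in dhcpd.conf")
    return {"findings": findings, "key_bits": bits, "zone": zone}


if __name__ == "__main__":
    for fqdn in ("proccilap.dhcp.example.test", "dhcp-172-10-20-101.example.test"):
        print(fqdn, check(NAMED_CONF, DHCPD_CONF, fqdn))
```

Run against real files, read them in and pass their contents to check() together with the FQDN from the dhcpd log line; an empty findings list with the expected key_bits and zone means the three things the thread argues about are at least consistent with each other.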