Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

Mark Elkins mje at posix.co.za
Fri Mar 29 12:39:46 UTC 2013


Try using a simpler, shorter MD5 key.

I seem to remember that DHCP doesn't like non-MD5 keys (e.g. SHA).
There was also some sort of length bug? Try a 128-bit key length.

On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote:
> After working on this some more overnight.....  
> 
> I can add records interactively via nsupdate (as shown below).  But,
> cannot get the same results from an ipconfig /release & /renew from a
> workstation.  I am totally stumped at this point.
> 
> Any ideas (and yes, I did go over the "semicomplete" URL provided
> by ?Alex?). The only difference I can see is that I used a 512-bit
> key vs the example's 128-bit key. And I'm using a slaves/ directory vs
> the internal/ directory for the "zones" files.
> 
> Jim
> 
> 
> INTERACTIVE WORKS
> ------------------------------------
> [root at dns04 chroot]# nsupdate
> > server 127.0.0.1
> > key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> > update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
> >
> > update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
> >
> >
> 
> [root at dns04 slaves]# ll
> total 24
> -rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
> -rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
> -rw-r--r-- 1 named named  782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
> [root at dns04 slaves]# 
> 
> 
> 
> [root at dns04 chroot]# rndc freeze
> [root at dns04 chroot]# rndc thaw
> 
> 
> [root at dns04 slaves]# ll
> total 16
> -rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
> [root at dns04 slaves]# 
> 
> 
> [root at dns04 slaves]# cat db.172.10.20 
> $ORIGIN .
> $TTL 86400    ; 1 day
> 20.10.172.in-addr.arpa    IN SOA    dns04.coloradostudios.com. sysmgr.hd.net. (
>                 2013032605 ; serial
>                 10800      ; refresh (3 hours)
>                 3600       ; retry (1 hour)
>                 604800     ; expire (1 week)
>                 86400      ; minimum (1 day)
>                 )
>             NS    dns04.den.coloradostudios.com.
> $ORIGIN 20.10.172.in-addr.arpa.
> $TTL 3600    ; 1 hour
> 101            PTR    proccilap.dhcp.coloradostudios.com.
> 
> 
> [root at dns04 slaves]# cat db.dhcp.coloradostudios.com 
> $ORIGIN .
> $TTL 86400    ; 1 day
> dhcp.coloradostudios.com IN SOA    dns04.coloradostudios.com. sysmgr.axs.tv. (
>                 2013032804 ; serial
>                 10800      ; refresh (3 hours)
>                 3600       ; retry (1 hour)
>                 604800     ; expire (1 week)
>                 86400      ; minimum (1 day)
>                 )
>             NS    dns04.coloradostudios.com.
> $ORIGIN dhcp.coloradostudios.com.
> proccilap        A    171.10.20.101
> [root at dns04 slaves]# 
> 
> 
> IPCONFIG /RELEASE & /RENEW DOES NOT WORK
> --------------------------------------------------------------------------------
> Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
> Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
> Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
> Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> 
> 
> 
> 
> 
> On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks
> <jbucks at coloradostudios.com> wrote:
>         Hi Jim,
>         
>         Shouldn't there be quotes around the key string in the
>         named .conf file?  I have quotes around mine in named.conf.  I
>         do not have quotes around the key string in the dhcpd.conf.
>         
>         If this is correct, I've made sure they match (I was trying to
>         "genericize" the key string before), but not any longer.
>         
>         After making sure the key strings match, I'm still getting the
>         error "unable to add forward map" when I do a release & renew
>         from a windows laptop.
>         Here are the current (and live) config files.
>         
>         named.conf
>         =====================
>         /*
>          Sample named.conf BIND DNS server 'named' configuration file
>          for the Red Hat BIND distribution.
>         
>          See the BIND Administrator's Reference Manual (ARM) for
>         details, in:
>            file:///usr/share/doc/bind-{
>         version}/arm/Bv9ARM.html
>          Also see the BIND Configuration
>         GUI : /usr/bin/system-config-bind and 
>          its manual.
>         */
>         
>         acl stapleton_hosts {
>             127.0.0.1;
>             172.10.0.0/16;
>         };
>         
>         options
>         {
>             // Put files that named is allowed to write in the data/
>         directory:
>             directory         "/var/named";        // "Working"
>         directory
>             dump-file         "data/cache_dump.db";
>                 statistics-file     "data/named_stats.txt";
>                 memstatistics-file     "data/named_mem_stats.txt";
>                 zone-statistics         yes;
>         
>         
>             /*
>               Specify listenning interfaces. You can use list of
>         addresses (';' is
>               delimiter) or keywords "any"/"none"
>             */
>             //listen-on port 53    { any; };
>             listen-on port 53    { 127.0.0.1; 172.10.0.0; };
>         
>             //listen-on-v6 port 53    { any; };
>             //listen-on-v6 port 53    { ::1; };
>         
>             /*
>               Access restrictions
>         
>               There are two important options:
>                 allow-query { argument; };
>                   - allow queries for authoritative data
>         
>                 allow-query-cache { argument; };
>                   - allow queries for non-authoritative data (mostly
>         cached data)
>         
>               You can use address, network address or keywords
>         "any"/"localhost"/"none" as argument
>               Examples:
>                 allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
>                 allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526;
>         10.0.0.1; };
>             */
>         
>             allow-query        { stapleton_hosts; };
>             allow-query-cache    { stapleton_hosts; };
>         
>             // Enable/disable recursion - recursion yes/no;
>             recursion yes;
>         
>             /* DNSSEC related options. See information about keys
>         ("Trusted keys", bellow) */
>         
>             /* Enable serving of DNSSEC related data - enable on both
>         authoritative
>                 and recursive servers DNSSEC aware servers */
>             //dnssec-enable yes;
>         
>             /* Enable DNSSEC validation on recursive servers */
>             //dnssec-validation yes;
>         
>             /* Enable DLV by default, use built-in ISC DLV key. */
>             //dnssec-lookaside auto;
>         
>                 version "Secret";
>         
>         };
>         
>         # Use this command line to generate the key.  Only need the
>         key string (from the .private file) inside these files.
>         #      dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER 
>         #
>         # It is very important to use the exact same keystring and
>         name on both dhcpd.conf and named.conf for this to work.
>         key DHCP_UPDATER {                       # This line specifies
>         the key name
>             algorithm HMAC-MD5;                  # This line specifies
>         the encryption algorithm best to stick with HMAC-MD5
>             secret "TrlaHSJXel+L5hqtfev5Gdlwj7B
>         +HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==";     # Finally, the key statement itself
>         };
>         
>         
>         logging
>         {
>         /*      If you want to enable debugging, e.g. using the 'rndc trace' command,
>          *      named will try to write the 'named.run' file in the $directory (/var/named).
>          *      By default, SELinux policy does not allow named to modify the /var/named directory,
>          *      so put the default debug log file in data/ :
>          */
>                 channel default_debug {
>                         file "data/named.run";
>                         severity dynamic;
>                 };
>         };
>         
>         /*
>          Views let a name server answer a DNS query differently depending on who is asking.
>         
>          By default, if named.conf contains no "view" clauses, all zones are in the
>          "default" view, which matches all clients.
>         
>          Views are processed sequentially. The first match is used, so the last view should
>          match "any" - it is the fallback and the most restricted view.
>         
>          If named.conf contains any "view" clause, then all zones MUST be in a view.
>         */
>         
>         //view "localhost_resolver"
>         //{
>         ///* This view sets up named to be a localhost resolver ( caching only nameserver ).
>         // * If all you want is a caching-only nameserver, then you need only define this view:
>         // */
>         //    match-clients         { localhost; };
>         //    recursion yes;
>         //
>         //    # all views must contain the root hints zone:
>         //    zone "." IN {
>         //            type hint;
>         //            file "/var/named/named.ca";
>         //    };
>         //
>         //    /* these are zones that contain definitions for all the localhost
>         //     * names and addresses, as recommended in RFC1912 - these names should
>         //     * not leak to the other nameservers:
>         //     */
>         //    include "/etc/named.rfc1912.zones";
>         //};
>         view "internal"
>         {
>         /* This view will contain zones you want to serve only to "internal" clients
>            that connect via your directly attached LAN interfaces - "localnets" .
>          */
>             match-clients        { stapleton_hosts; };
>             recursion yes;
>         
>             disable-empty-zone ".";
>         
>             allow-update            { stapleton_hosts; };
>         
>             zone "." IN {
>                     type hint;
>                     file "internal/root.hints";
>             };
>         
>             /* these are zones that contain definitions for all the localhost
>              * names and addresses, as recommended in RFC1912 - these names should
>              * not leak to the other nameservers:
>              */
>             include "internal/named.rfc1912.zones";
>         
>             // These are your "authoritative" internal zones, and would probably
>             // also be included in the "localhost_resolver" view above :
>         
>             /*
>               NOTE for dynamic DNS zones and secondary zones:
>         
>               DO NOT USE SAME FILES IN MULTIPLE VIEWS!
>         
>               If you are using views and DDNS/secondary zones it is strongly
>               recommended to read the FAQ on the ISC site (www.isc.org), section
>               "Configuration and Setup Questions", questions
>               "How do I share a dynamic zone between multiple views?" and
>               "How can I make a server a slave for both an internal and an external
>                view at the same time?"
>             */
>         
>             /*
>               Based on research, need to put DDNS "zones" files
>               into the /var/named/chroot/var/named/slaves/ directory.
>               Named has a "bug" that prevents them from being updated in the usual
>               place /var/named/chroot/var/named/internal/
>             */
>             // forward "zones" file.
>             zone "dhcp.coloradostudios.com" {
>                 type master;
>                 allow-update { key DHCP_UPDATER; };
>                 file "slaves/db.dhcp.coloradostudios.com";
>                 notify yes;
>                 // put dynamically updateable zones in the slaves/ directory so named can update them
>             };
>         
>             // Reverse "zones" file.
>             zone "20.10.172.in-addr.arpa" {
>                 type master;
>                 allow-update { key DHCP_UPDATER; };
>                 file "slaves/db.172.10.20";
>                 notify yes;
>             };
>         };
>         
>         //key ddns_key
>         //{
>         //    algorithm hmac-md5;
>         //    secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
>         //};
>         
>         //view "external"
>         //{
>         ///* This view will contain zones you want to serve only to "external" clients
>         // * that have addresses that do not match any above view:
>         // */
>         //    match-clients        { any; };
>         //
>         //    zone "." IN {
>         //            type hint;
>         //            file "/var/named/named.ca";
>         //    };
>         //
>         //    recursion no;
>         //    // you'd probably want to deny recursion to external clients, so you don't
>         //    // end up providing free DNS service to all takers
>         //
>         //    // These are your "authoritative" external zones, and would probably
>         //    // contain entries for just your web and mail servers:
>         //
>         //    zone "my.external.zone" {
>         //        type master;
>         //        file "my.external.zone.db";
>         //    };
>         //};
>         
>         
>         dhcpd.conf
>         ====================================
>         #
>         # DHCP Server Configuration file.
>         #   see /usr/share/doc/dhcp*/dhcpd.conf.sample
>         #   see 'man 5 dhcpd.conf'
>         #
>         # Sept 19, 2012      jbucks
>         #  /etc/dhcp/dhcdp.conf file - prepping for dhcp rollout
>         #
>         #
>         # On what interfaces should the DHCP server (dhcpd) serve DHCP
>         requests?
>         # Separate multiple interfaces with spaces, e.g. "eth0 eth1".>
>         INTERFACES="eth1"; 
>         
>         deny client-updates;              # Tells the server to deny
>         any requests that clients may send to update their own
>         information.
>         
>         authoritative;                    # Sets the server
>         authoritative for my network
>         ddns-update-style interim;        # Activates Dynamic DNS
>         max-lease-time 604800;            # 604800 is a week
>         default-lease-time 86400;         # 86400 is a day
>         
>         # Use this command line to generate the key.  Only need the
>         key string (from the .private file) inside these files.
>         #       dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER 
>         # 
>         #  It is very important to use the exact same keystring and
>         name on both dhcpd.conf and named.conf for this to work.
>         key DHCP_UPDATER {                       # This line specifies
>         the key name
>             algorithm HMAC-MD5;                  # This line specifies
>         the encryption algorithm best to stick with HMAC-MD5
>             secret TrlaHSJXel+L5hqtfev5Gdlwj7B
>         +HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==;
>         # Finally the key statement itself
>         };
>         
>         
>         # These zones statements are part of the dynamic dns (named)
>         as they link back into the bind (named) zones
>         zone dhcp.coloradostudios.com. {
>            primary 127.0.0.1;
>            key DHCP_UPDATER;
>         }
>         
>         zone 20.10.172.in-addr.arpa. {
>            primary 127.0.0.1;
>            key DHCP_UPDATER;
>         }
>         
>         subnet 172.10.0.0 netmask 255.255.0.0 {
>            option broadcast-address 172.10.255.255;
>            option domain-name       "coloradostudios.com";
>            option routers           172.10.5.1;
>            ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8,
>         "-", leased-address));
>            option time-offset       -7;     # Mountain Standard Time
>            range                    172.10.20.51 172.10.20.254;
>         }
>         
>         
> 
> -- 
> Jim Bucks - IT Director      
> Colorado Studios, Mobile TV Group, HDNet, AXS.tv
> 8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500 
> jbucks at coloradostudios.com            Direct 303-542-5520 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
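What nsupdate and dhcpd both put on the wire for the records in this thread is an RFC 2136 UPDATE with a TSIG resource record appended (TSIG is now specified by RFC 8945, which replaced RFC 2845). The Python below is an example written for this page, not code from BIND, ISC DHCP or either poster. It builds the forward (A) and reverse (PTR) updates for proccilap / 172.10.20.101 as two separate messages, one per zone, signs each with HMAC-MD5 under a key named DHCP_UPDATER, and then verifies them the way named does on receipt, so that a secret, key-name or algorithm mismatch shows up as BADSIG or BADKEY, and clock skew beyond the fudge window as BADTIME. The zone and record names and the key name are the thread's; the secret is freshly generated rather than reused from the posted configs, and the message IDs, TTLs and the 300-second fudge are assumptions.

```python
"""Build, TSIG-sign and verify an RFC 2136 DNS UPDATE (TSIG per RFC 8945). Example written
for this page, not code from BIND or ISC DHCP; names are the thread's, the secret is fresh."""
import base64
import hashlib
import hmac
import ipaddress
import os
import struct
import time

TYPE_A, TYPE_SOA, TYPE_PTR, TYPE_TSIG = 1, 6, 12, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),  # config name -> (wire name, digest)
              "hmac-sha256": ("hmac-sha256.", hashlib.sha256)}

def new_tsig_secret(bits=128):
    """Fresh random secret, base64 as dnssec-keygen/tsig-keygen print it."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")

def wire_name(name):
    """Uncompressed wire-format name (RFC 1035 3.1)."""
    labels = [l for l in name.split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label too long in %r" % name)
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, off):
    """Parse an uncompressed name at buf[off:]; returns (name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:  # this code never emits compression pointers
            raise ValueError("compressed name not supported")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, adds, msg_id):
    """UPDATE (opcode 5) adding each (owner, type, ttl, rdata); one zone per message."""
    msg = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(adds), 0)
    msg += wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)  # zone section
    for owner, rtype, ttl, rdata in adds:
        msg += wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg

def _tsig_vars(key_name, alg_name, time_signed, fudge, error=0):
    """TSIG variables covered by the MAC (RFC 8945 4.3.3); names in canonical lowercase."""
    return (wire_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg_name.lower())
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))

def tsig_sign(message, key_name, secret_b64, algorithm="hmac-md5", time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT (RFC 8945 5.1)."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = int(time.time()) if time_signed is None else time_signed
    data = message + _tsig_vars(key_name, alg_name, time_signed, fudge)
    mac = hmac.new(base64.b64decode(secret_b64), data, digestmod).digest()
    rdata = (wire_name(alg_name) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, key_name, secret_b64):
    """What named does on receipt: find the trailing TSIG RR, recompute the MAC over the message
    without it, compare in constant time, check the fudge window. Returns the unsigned message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):                # zone section entries: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):  # prerequisite, update and other additional RRs
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    name, off = read_name(signed, off)
    key_ok = name.lower() == key_name.lower().rstrip(".") + "."
    if struct.unpack("!H", signed[off:off + 2])[0] != TYPE_TSIG or not key_ok:
        raise ValueError("BADKEY: message is not signed with key %s" % key_name)
    alg_name, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    original_id, error = struct.unpack("!HH", signed[off + 10 + mac_size:off + 14 + mac_size])
    digestmod = dict(ALGORITHMS.values())[alg_name.lower()]  # KeyError for an unknown algorithm
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    data = unsigned + _tsig_vars(name, alg_name, time_signed, fudge, error)
    if not hmac.compare_digest(mac, hmac.new(base64.b64decode(secret_b64), data, digestmod).digest()):
        raise ValueError("BADSIG: MAC mismatch (secret, key name or algorithm differs)")
    if abs(int(time.time()) - time_signed) > fudge:
        raise ValueError("BADTIME: clock skew larger than the %ds fudge" % fudge)
    return unsigned

def ddns_updates(secret_b64, host="proccilap.dhcp.coloradostudios.com.", ip="172.10.20.101", time_signed=None):
    """Signed forward (A) and reverse (PTR) updates: two messages, since each targets one zone."""
    addr = ipaddress.IPv4Address(ip)
    rev_name = addr.reverse_pointer + "."  # 101.20.10.172.in-addr.arpa.
    forward = build_update(host.split(".", 1)[1], [(host, TYPE_A, 86400, addr.packed)], 0x1234)
    reverse = build_update(rev_name.split(".", 1)[1], [(rev_name, TYPE_PTR, 3600, wire_name(host))], 0x1235)
    return (tsig_sign(forward, "DHCP_UPDATER", secret_b64, time_signed=time_signed),
            tsig_sign(reverse, "DHCP_UPDATER", secret_b64, time_signed=time_signed))
```

The same base64 string from new_tsig_secret goes into both files, quoted in named.conf and unquoted in dhcpd.conf exactly as the thread's configs show. The three ValueError prefixes correspond to the TSIG error codes a server returns in a NOTAUTH reply: BADSIG (16), BADKEY (17) and BADTIME (18). That is worth keeping in mind when reading the dhcpd log above: a TSIG mismatch produces a reply, which dhcpd reports as a refusal, whereas "timed out" means no reply reached dhcpd at all.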
