Hi Jim,<br><br>Shouldn't there be quotes around the key string in the
named .conf file? I have quotes around mine in named.conf. I do not
have quotes around the key string in the dhcpd.conf.<br><br>If this is correct, I've made sure they match (I was trying to "genericize" the key string before), but not any longer.<br>
<br>After making sure the key strings match, I'm still getting the error
"unable to add forward map" when I do a release & renew from a
windows laptop.<br>Here are the current (and live) config files.<br>
<br>named.conf<br>=====================<br>/*<br> Sample named.conf BIND DNS server 'named' configuration file<br> for the Red Hat BIND distribution.<br><br> See the BIND Administrator's Reference Manual (ARM) for details, in:<br>
file:///usr/share/doc/bind-{<div id=":657">version}/arm/Bv9ARM.html<br> Also see the BIND Configuration GUI : /usr/bin/system-config-bind and <br> its manual.<br>*/<br><br>acl stapleton_hosts {<br> 127.0.0.1;<br> <a href="http://172.10.0.0/16" target="_blank">172.10.0.0/16</a>;<br>
};<br><br>options<br>{<br> // Put files that named is allowed to write in the data/ directory:<br> directory "/var/named"; // "Working" directory<br> dump-file "data/cache_dump.db";<br>
statistics-file "data/named_stats.txt";<br> memstatistics-file "data/named_mem_stats.txt";<br> zone-statistics yes;<br><br><br> /*<br> Specify listenning interfaces. You can use list of addresses (';' is<br>
delimiter) or keywords "any"/"none"<br> */<br> //listen-on port 53 { any; };<br> listen-on port 53 { 127.0.0.1; 172.10.0.0; };<br><br> //listen-on-v6 port 53 { any; };<br> //listen-on-v6 port 53 { ::1; };<br>
<br> /*<br> Access restrictions<br><br> There are two important options:<br> allow-query { argument; };<br> - allow queries for authoritative data<br><br> allow-query-cache { argument; };<br>
- allow queries for non-authoritative data (mostly cached data)<br><br> You can use address, network address or keywords "any"/"localhost"/"none" as argument<br> Examples:<br>
allow-query { localhost; 10.0.0.1; <a href="http://192.168.1.0/8" target="_blank">192.168.1.0/8</a>; };<br> allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };<br> */<br><br> allow-query { stapleton_hosts; };<br>
allow-query-cache { stapleton_hosts; };<br><br> // Enable/disable recursion - recursion yes/no;<br> recursion yes;<br><br> /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */<br>
<br> /* Enable serving of DNSSEC related data - enable on both authoritative<br> and recursive servers DNSSEC aware servers */<br> //dnssec-enable yes;<br><br> /* Enable DNSSEC validation on recursive servers */<br>
//dnssec-validation yes;<br><br> /* Enable DLV by default, use built-in ISC DLV key. */<br> //dnssec-lookaside auto;<br><br> version "Secret";<br><br>};<br><br># Use this command line to generate the key. Only need the key string (from the .private file) inside these files.<br>
# dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER <br>#<br># It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.<br>key DHCP_UPDATER { # This line specifies the key name<br>
algorithm HMAC-MD5; # This line specifies the encryption algorithm best to stick with HMAC-MD5<br> secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw=="; # Finally, the key statement itself<br>
};<br><br><br>logging <br>{<br>/* If you want to enable debugging, eg. using the 'rndc trace' command,<br> * named will try to write the 'named.run' file in the $directory (/var/named).<br> * By default, SELinux policy does not allow named to modify the /var/named directory,<br>
* so put the default debug log file in data/ :<br> */<br> channel default_debug {<br> file "data/named.run";<br> severity dynamic;<br> }; <br>};<br><br>/*<br>
Views let a name server answer a DNS query differently depending on who is asking.<br><br> By default, if named.conf contains no "view" clauses, all zones are in the <br> "default" view, which matches all clients.<br>
<br> Views are processed sequentially. The first match is used so the last view should<br> match "any" - it's fallback and the most restricted view.<br><br> If named.conf contains any "view" clause, then all zones MUST be in a view.<br>
*/<br><br>//view "localhost_resolver"<br>//{<br>///* This view sets up named to be a localhost resolver ( caching only nameserver ).<br>// * If all you want is a caching-only nameserver, then you need only define this view:<br>
// */<br>// match-clients { localhost; };<br>// recursion yes;<br>//<br>// # all views must contain the root hints zone:<br>// zone "." IN {<br>// type hint;<br>// file "/var/named/<a href="http://named.ca" target="_blank">named.ca</a>";<br>
// };<br>//<br>// /* these are zones that contain definitions for all the localhost<br>// * names and addresses, as recommended in RFC1912 - these names should<br>// * not leak to the other nameservers:<br>
// */<br>// include "/etc/named.rfc1912.zones";<br>//};<br>view "internal"<br>{<br>/* This view will contain zones you want to serve only to "internal" clients<br> that connect via your directly attached LAN interfaces - "localnets" .<br>
*/<br> match-clients { stapleton_hosts; };<br> recursion yes;<br><br> disable-empty-zone ".";<br><br> allow-update { stapleton_hosts; };<br><br> zone "." IN {<br>
type hint;<br> file "internal/root.hints";<br> };<br><br> /* these are zones that contain definitions for all the localhost<br> * names and addresses, as recommended in RFC1912 - these names should<br>
* not leak to the other nameservers:<br> */<br> include "internal/named.rfc1912.zones";<br> <br> // These are your "authoritative" internal zones, and would probably<br> // also be included in the "localhost_resolver" view above :<br>
<br> /*<br> NOTE for dynamic DNS zones and secondary zones:<br><br> DO NOT USE SAME FILES IN MULTIPLE VIEWS!<br><br> If you are using views and DDNS/secondary zones it is strongly<br> recommended to read FAQ on ISC site (<a href="http://www.isc.org" target="_blank">www.isc.org</a>), section<br>
"Configuration and Setup Questions", questions<br> "How do I share a dynamic zone between multiple views?" and<br> "How can I make a server a slave for both an internal and an external<br>
view at the same time?"<br> */<br><br> /*<br> Based on research, need to put DDNS "zones" files into the /var/named/chroot/var/named/slaves/ directory.<br> Named has a "bug" that prevents them from being updated in the usual place /var/named/chroot/var/named/internal/<br>
*/<br> // forward "zones" file.<br> zone "<a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>" {<br> type master;<br> allow-update { key DHCP_UPDATER; };<br>
file "slaves/<a href="http://db.dhcp.coloradostudios.com" target="_blank">db.dhcp.coloradostudios.com</a>";<br> notify yes;<br> // put dynamically updateable zones in the slaves/ directory so named can update them<br>
};<br><br> // Reverse "zones" file.<br> zone "20.10.172.in-addr.arpa" {<br> type master;<br> allow-update { key DHCP_UPDATER; };<br> file "slaves/db.172.10.20";<br>
notify yes;<br> };<br>};<br><br>//key ddns_key<br>//{<br>// algorithm hmac-md5;<br>// secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";<br>//};<br><br>//view "external"<br>
//{<br>///* This view will contain zones you want to serve only to "external" clients<br>// * that have addresses that are not match any above view:<br>// */<br>// match-clients { any; };<br>//<br>// zone "." IN {<br>
// type hint;<br>// file "/var/named/<a href="http://named.ca" target="_blank">named.ca</a>";<br>// };<br>//<br>// recursion no;<br>// // you'd probably want to deny recursion to external clients, so you don't<br>
// // end up providing free DNS service to all takers<br>//<br>// // These are your "authoritative" external zones, and would probably<br>// // contain entries for just your web and mail servers:<br>
//<br>// zone "my.external.zone" { <br>// type master;<br>// file "my.external.zone.db";<br>// };<br>//};<br><br><br>dhcpd.conf<br>====================================<br>#<br># DHCP Server Configuration file.<br>
# see /usr/share/doc/dhcp*/dhcpd.conf.sample<br># see 'man 5 dhcpd.conf'<br>#<br># Sept 19, 2012 jbucks<br># /etc/dhcp/dhcdp.conf file - prepping for dhcp rollout<br>#<br>#<br># On what interfaces should the DHCP server (dhcpd) serve DHCP requests?<br>
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".><br>INTERFACES="eth1"; <br><br>deny client-updates; # Tells the server to deny any requests that clients may send to update their own information.<br>
<br>authoritative; # Sets the server authoritative for my network<br>ddns-update-style interim; # Activates Dynamic DNS<br>max-lease-time 604800; # 604800 is a week<br>default-lease-time 86400; # 86400 is a day<br>
<br># Use this command line to generate the key. Only need the key string (from the .private file) inside these files.<br># dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER <br># <br># It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.<br>
key DHCP_UPDATER { # This line specifies the key name<br> algorithm HMAC-MD5; # This line specifies the encryption algorithm best to stick with HMAC-MD5<br> secret TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==; # Finally the key statement itself<br>
};<br><br><br># These zones statements are part of the dynamic dns (named) as they link back into the bind (named) zones<br>zone <a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>. {<br>
primary 127.0.0.1;<br>
key DHCP_UPDATER;<br>}<br><br>zone 20.10.172.in-addr.arpa. {<br> primary 127.0.0.1;<br> key DHCP_UPDATER;<br>}<br><br>subnet 172.10.0.0 netmask 255.255.0.0 {<br> option broadcast-address 172.10.255.255;<br> option domain-name "<a href="http://coloradostudios.com" target="_blank">coloradostudios.com</a>";<br>
option routers 172.10.5.1;<br> ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8, "-", leased-address));<br> option time-offset -7; # Mountain Standard Time<br> range 172.10.20.51 172.10.20.254;<br>
}<br><br><br></div><br><br><div class="gmail_quote">On Thu, Mar 28, 2013 at 2:00 PM, Jim Glassford <span dir="ltr"><<a href="mailto:jmglass@iup.edu" target="_blank">jmglass@iup.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Jim,<br>
<br>
Looking at your config files, believe the keys do not match in
named.conf and dhcpd.conf but maybe they were adjusted for the
posting to the list. Alan Clegg's link shows creating the key and
adding it to the files and also some nsupdate examples.<br>
<br>
<br>
Would want like the following, only with your key in each file,
cut and paste that key! :-)<br>
<br>
~~~ inside dhcpd.conf this ~~~~~<br>
<br>
<small>key DHCP_UPDATER {<br>
algorithm HMAC-MD5;<br>
secret xxxxxxxxxxxxxxxxxxxxxxxx;<br>
};<br>
</small><br>
~~~ inside named.conf this ~~~~~<br>
<br>
<small>key DHCP_UPDATER {<br>
algorithm HMAC-MD5;<br>
secret xxxxxxxxxxxxxxxxxxxxxxxx;<br>
};</small><br>
<br>
<br>
On 3/28/2013 3:05 PM, Jim Bucks wrote:<br>
</div>
<blockquote type="cite">Hi All (sorry for the top-posting)....<br>
<br>
Alan - thanks for the link. I'll be checking it out / looking it
over.<br>
<br>
Jim,<br>
<br>
Based on the nsupdate output (below), it looks like I've hosed up
something in my "key". I used the key string from the .private
key file (I've found some search results that say to use the .key
and others say to use the .private).<br>
<br>
Jim<br>
<br>
[root@dns04 chroot]# nsupdate -d<br>
> server 127.0.0.1<br>
> key DHCP_UPDATE
TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==<br>
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr <a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>.
<br>
> <br>
Reply from SOA query:<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:
11212<br>
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,
ADDITIONAL: 0<br>
;; QUESTION SECTION:<br>
;101.20.10.172.in-addr.arpa. IN SOA<br>
<br>
;; AUTHORITY SECTION:<br>
20.10.172.in-addr.arpa. 0 IN SOA <a href="http://dns04.coloradostudios.com" target="_blank">dns04.coloradostudios.com</a>.
<a href="http://sysmgr.hd.net" target="_blank">sysmgr.hd.net</a>.
<a href="tel:2013032600" value="+12013032600" target="_blank">2013032600</a> 10800 3600 604800 86400<br>
<br>
Found zone name: 20.10.172.in-addr.arpa<br>
The master is: <a href="http://dns04.coloradostudios.com" target="_blank">dns04.coloradostudios.com</a><br>
Sending update to 127.0.0.1#53<br>
Outgoing update query:<br>
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
25308<br>
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1<br>
;; UPDATE SECTION:<br>
101.20.10.172.in-addr.arpa. 3600 IN PTR <a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>.<br>
<br>
;; TSIG PSEUDOSECTION:<br>
dhcp_update. 0 ANY TSIG <a href="http://hmac-md5.sig-alg.reg.int" target="_blank">hmac-md5.sig-alg.reg.int</a>.
1364496936 300 16 qUBZdqVmksNQtmb1mb9gNQ== 25308 NOERROR 0 <br>
<br>
; TSIG error with server: tsig indicates error<br>
<br>
Reply from update query:<br>
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:
25308<br>
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1<br>
;; ZONE SECTION:<br>
;20.10.172.in-addr.arpa. IN SOA<br>
<br>
;; TSIG PSEUDOSECTION:<br>
dhcp_update. 0 ANY TSIG <a href="http://hmac-md5.sig-alg.reg.int" target="_blank">hmac-md5.sig-alg.reg.int</a>.
1364496936 300 0 25308 BADKEY 0 <br>
<br>
> quit<br>
[root@dns04 chroot]# <br>
<br>
<br>
<div class="gmail_quote">On Thu, Mar 28, 2013 at 12:03 PM, Jim
Glassford <span dir="ltr"><<a href="mailto:jmglass@iup.edu" target="_blank">jmglass@iup.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Jim,<br>
<br>
No, sorry, wrong IP address, the real IP address of the
dns server, not the client.<br>
<br>
zone <a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>.
{<br>
primary
your_dns_server_IP_address;
<----- change from 127.0.0.1 <br>
key DHCP_UPDATER;<br>
}<br>
<br>
Also do you have a /var/log/named.log file or debug log
file for named, other than messages, might have more
information.<br>
Can try nsupdate with debug to see if this gives any clue
also.<br>
nsupdate -d<br>
> server your_dns_server_here<br>
> key your_key_here<br>
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr
<a href="http://dhcp-172-10-20-101.coloradostudios.com" target="_blank">dhcp-172-10-20-101.coloradostudios.com</a>.<br>
> do extra CR to get it to go<br>
<br>
should see lots of debug information here<br>
><br>
> quit<br>
<br>
man nsupdate<br>
<br>
best!<br>
jim<br>
<br>
On 3/28/2013 1:52 PM, Jim Bucks wrote:<br>
</div>
<blockquote type="cite">No I have not tried that, but .101
is a leased IP address for a Windows workstation.<br>
<br>
I'm willing to try it, but it seems like that would mean I
would need a zone like this for all of my leased
addresses???<br>
<br>
<br>
Jim<br>
<br>
<div class="gmail_quote">On Thu, Mar 28, 2013 at 11:42 AM,
Jim Glassford <span dir="ltr"><<a href="mailto:jmglass@iup.edu" target="_blank">jmglass@iup.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Jim,<br>
<br>
Lost track but have you tried using the IP address
of the server for the primary, 172.10.20.101
instead of 127.0.0.1?<br>
<br>
zone <a href="http://dhcp.coloradostudios.com" target="_blank">dhcp.coloradostudios.com</a>. {<br>
primary 172.10.20.101;
<----- change from 127.0.0.1 <br>
key DHCP_UPDATER;<br>
}<br>
<br>
<br>
best!<br>
jim<br>
<br>
<br clear="all"></div></div></blockquote></div></blockquote></div></blockquote></div></blockquote></div></blockquote></div><br>-- <br>Jim Bucks - IT Director <br><a href="http://www.coloradostudios.com" target="_blank">Colorado Studios</a>,
<a href="http://www.mobiletvgroup.com" target="_blank"> Mobile TV Group</a>, <a href="http://www.hd.net" target="_blank">HDNet</a>, <a href="http://www.axs.tv/" target="_blank">AXS.tv</a><br>8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
<br><a href="mailto:jbucks@coloradostudios.com" target="_blank">jbucks@coloradostudios.com</a> Direct 303-542-5520