After working on this some more overnight...

I can add records interactively via nsupdate (as shown below). But I cannot get the same results from an ipconfig /release & /renew from a workstation. I am totally stumped at this point.

Any ideas? (And yes, I did go over the "semicomplete" URL provided by ?Alex?.) The only difference I can see is that I used a 512-bit key vs. the example's 128-bit key. And I'm using a slaves/ directory vs. an internal/ directory for the "zones" files.
Jim


INTERACTIVE WORKS
------------------------------------
[root@dns04 chroot]# nsupdate
> server 127.0.0.1
> key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
>
> update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
>
>

[root@dns04 slaves]# ll
total 24
-rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
-rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
-rw-r--r-- 1 named named  782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
[root@dns04 slaves]#


[root@dns04 chroot]# rndc freeze
[root@dns04 chroot]# rndc thaw


[root@dns04 slaves]# ll
total 16
-rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
[root@dns04 slaves]#


[root@dns04 slaves]# cat db.172.10.20
$ORIGIN .
$TTL 86400      ; 1 day
20.10.172.in-addr.arpa  IN SOA  dns04.coloradostudios.com. sysmgr.hd.net. (
                                2013032605 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns04.den.coloradostudios.com.
$ORIGIN 20.10.172.in-addr.arpa.
$TTL 3600       ; 1 hour
101                     PTR     proccilap.dhcp.coloradostudios.com.


[root@dns04 slaves]# cat db.dhcp.coloradostudios.com
$ORIGIN .
$TTL 86400      ; 1 day
dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
                                2013032804 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns04.coloradostudios.com.
$ORIGIN dhcp.coloradostudios.com.
proccilap               A       171.10.20.101
[root@dns04 slaves]#


IPCONFIG /RELEASE & /RENEW DOES NOT WORK
--------------------------------------------------------------------------------
Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1

<div class="gmail_quote">On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks <span dir="ltr"><<a href="mailto:jbucks@coloradostudios.com" target="_blank">jbucks@coloradostudios.com</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Jim,

Shouldn't there be quotes around the key string in the named.conf file? I have quotes around mine in named.conf. I do not have quotes around the key string in the dhcpd.conf.

If this is correct, I've made sure they match (I was trying to "genericize" the key string before, but not any longer).

After making sure the key strings match, I'm still getting the error "unable to add forward map" when I do a release & renew from a Windows laptop.
Here are the current (and live) config files.

named.conf
=====================
/*
  Sample named.conf BIND DNS server 'named' configuration file
  for the Red Hat BIND distribution.

  See the BIND Administrator's Reference Manual (ARM) for details, in:
    file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
  Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
  its manual.
*/

acl stapleton_hosts {
    127.0.0.1;
    172.10.0.0/16;
};

options
{
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // "Working" directory
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    zone-statistics yes;


    /*
      Specify listening interfaces. You can use list of addresses (';' is
      delimiter) or keywords "any"/"none"
    */
    //listen-on port 53 { any; };
    listen-on port 53 { 127.0.0.1; 172.10.0.0; };

    //listen-on-v6 port 53 { any; };
    //listen-on-v6 port 53 { ::1; };

    /*
      Access restrictions

      There are two important options:
        allow-query { argument; };
        - allow queries for authoritative data

        allow-query-cache { argument; };
        - allow queries for non-authoritative data (mostly cached data)

      You can use address, network address or keywords "any"/"localhost"/"none" as argument
      Examples:
        allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
        allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
    */

    allow-query { stapleton_hosts; };
    allow-query-cache { stapleton_hosts; };

    // Enable/disable recursion - recursion yes/no;
    recursion yes;

    /* DNSSEC related options. See information about keys ("Trusted keys", below) */

    /* Enable serving of DNSSEC related data - enable on both authoritative
       and recursive servers DNSSEC aware servers */
    //dnssec-enable yes;

    /* Enable DNSSEC validation on recursive servers */
    //dnssec-validation yes;

    /* Enable DLV by default, use built-in ISC DLV key. */
    //dnssec-lookaside auto;

    version "Secret";

};

# Use this command line to generate the key. Only need the key string (from the .private file) inside these files.
# dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
#
# It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
key DHCP_UPDATER { # This line specifies the key name
    algorithm HMAC-MD5; # This line specifies the encryption algorithm; best to stick with HMAC-MD5
    secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw=="; # Finally, the key statement itself
};


logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * named will try to write the 'named.run' file in the $directory (/var/named).
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

/*
  Views let a name server answer a DNS query differently depending on who is asking.

  By default, if named.conf contains no "view" clauses, all zones are in the
  "default" view, which matches all clients.

  Views are processed sequentially. The first match is used so the last view should
  match "any" - it's fallback and the most restricted view.

  If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

//view "localhost_resolver"
//{
///* This view sets up named to be a localhost resolver ( caching only nameserver ).
// * If all you want is a caching-only nameserver, then you need only define this view:
// */
//    match-clients { localhost; };
//    recursion yes;
//
//    # all views must contain the root hints zone:
//    zone "." IN {
//        type hint;
//        file "/var/named/named.ca";
//    };
//
//    /* these are zones that contain definitions for all the localhost
//     * names and addresses, as recommended in RFC1912 - these names should
//     * not leak to the other nameservers:
//     */
//    include "/etc/named.rfc1912.zones";
//};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
*/
    match-clients { stapleton_hosts; };
    recursion yes;

    disable-empty-zone ".";

    allow-update { stapleton_hosts; };

    zone "." IN {
        type hint;
        file "internal/root.hints";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * not leak to the other nameservers:
     */
    include "internal/named.rfc1912.zones";

    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :

    /*
      NOTE for dynamic DNS zones and secondary zones:

      DO NOT USE SAME FILES IN MULTIPLE VIEWS!

      If you are using views and DDNS/secondary zones it is strongly
      recommended to read FAQ on ISC site (<a href="http://www.isc.org" target="_blank">www.isc.org</a>), section
      "Configuration and Setup Questions", questions
      "How do I share a dynamic zone between multiple views?" and
      "How can I make a server a slave for both an internal and an external
      view at the same time?"
    */

    /*
      Based on research, need to put DDNS "zones" files into the /var/named/chroot/var/named/slaves/ directory.
      Named has a "bug" that prevents them from being updated in the usual place /var/named/chroot/var/named/internal/
    */
    // forward "zones" file.
    zone "dhcp.coloradostudios.com" {
        type master;
        allow-update { key DHCP_UPDATER; };
        file "slaves/db.dhcp.coloradostudios.com";
        notify yes;
        // put dynamically updateable zones in the slaves/ directory so named can update them
    };

    // Reverse "zones" file.
    zone "20.10.172.in-addr.arpa" {
        type master;
        allow-update { key DHCP_UPDATER; };
        file "slaves/db.172.10.20";
        notify yes;
    };
};

//key ddns_key
//{
//    algorithm hmac-md5;
//    secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
//};

//view "external"
//{
///* This view will contain zones you want to serve only to "external" clients
// * that have addresses that do not match any above view:
// */
//    match-clients { any; };
//
//    zone "." IN {
//        type hint;
//        file "/var/named/named.ca";
//    };
//
//    recursion no;
//    // you'd probably want to deny recursion to external clients, so you don't
//    // end up providing free DNS service to all takers
//
//    // These are your "authoritative" external zones, and would probably
//    // contain entries for just your web and mail servers:
//
//    zone "my.external.zone" {
//        type master;
//        file "my.external.zone.db";
//    };
//};


dhcpd.conf
====================================
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
# see 'man 5 dhcpd.conf'
#
# Sept 19, 2012 jbucks
# /etc/dhcp/dhcpd.conf file - prepping for dhcp rollout
#
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth1";

deny client-updates; # Tells the server to deny any requests that clients may send to update their own information.

authoritative; # Sets the server authoritative for my network
ddns-update-style interim; # Activates Dynamic DNS
max-lease-time 604800; # 604800 is a week
default-lease-time 86400; # 86400 is a day

# Use this command line to generate the key. Only need the key string (from the .private file) inside these files.
# dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
#
# It is very important to use the exact same keystring and name on both dhcpd.conf and named.conf for this to work.
key DHCP_UPDATER { # This line specifies the key name
    algorithm HMAC-MD5; # This line specifies the encryption algorithm; best to stick with HMAC-MD5
    secret TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==; # Finally, the key statement itself
};


# These zone statements are part of the dynamic dns (named) as they link back into the bind (named) zones
zone dhcp.coloradostudios.com. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

zone 20.10.172.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

subnet 172.10.0.0 netmask 255.255.0.0 {
    option broadcast-address 172.10.255.255;
    option domain-name "coloradostudios.com";
    option routers 172.10.5.1;
    ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8, "-", leased-address));
    option time-offset -7; # Mountain Standard Time
    range 172.10.20.51 172.10.20.254;
}

</blockquote></div>
--
Jim Bucks - IT Director
<a href="http://www.coloradostudios.com" target="_blank">Colorado Studios</a>,
<a href="http://www.mobiletvgroup.com" target="_blank">Mobile TV Group</a>, <a href="http://www.hd.net" target="_blank">HDNet</a>, <a href="http://www.axs.tv/" target="_blank">AXS.tv</a>
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
<a href="mailto:jbucks@coloradostudios.com" target="_blank">jbucks@coloradostudios.com</a> Direct 303-542-5520
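The forward name in the dhcpd log above (dhcp-172-10-20-101.coloradostudios.com) is assembled from the subnet's ddns-hostname expression and its domain-name option, and dhcpd then needs a zone statement whose name is a suffix of that FQDN to know which primary and TSIG key to send the update with. The script below is an added check written for this page, not Jim's code and not ISC dhcpd's own logic: it rebuilds the forward and reverse names for a lease the way the quoted dhcpd.conf does, then matches each against the two zone statements quoted above by longest suffix (assumed here to mirror how dhcpd picks a zone statement) and reports whether a declared zone, and so a key, covers it. With the quoted settings it shows the reverse name landing inside 20.10.172.in-addr.arpa while the forward name lands outside dhcp.coloradostudios.com, which is the first thing worth confirming against the "Unable to add forward map" line. The ZONES table, DOMAIN_NAME and the lease address are constructed from the quoted config and log; the interactive nsupdate test used names under dhcp.coloradostudios.com, which is why it behaves differently.

```python
"""Added check (not code from the thread or from ISC dhcpd): rebuild the DDNS
names for a lease and see which declared zone statement, if any, covers them."""
import ipaddress

# Constructed from the dhcpd.conf quoted in the thread.
DOMAIN_NAME = "coloradostudios.com"
ZONES = {
    "dhcp.coloradostudios.com.": {"primary": "127.0.0.1", "key": "DHCP_UPDATER"},
    "20.10.172.in-addr.arpa.": {"primary": "127.0.0.1", "key": "DHCP_UPDATER"},
}


def binary_to_ascii(base, width, separator, address):
    """Mirror dhcpd's binary-to-ascii(base, width, sep, data) for an IPv4
    address split into 8-bit fields (the only width this check models)."""
    if width != 8 or base not in (8, 10, 16):
        raise ValueError("only 8-bit fields in base 8, 10 or 16 are modelled here")
    fmt = {8: "o", 10: "d", 16: "x"}[base]
    return separator.join(format(b, fmt) for b in ipaddress.IPv4Address(address).packed)


def ddns_hostname(leased_address):
    """concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)) from the config."""
    return "dhcp-" + binary_to_ascii(10, 8, "-", leased_address)


def forward_name(leased_address, domain_name=DOMAIN_NAME):
    """Absolute FQDN dhcpd registers: ddns-hostname joined to the subnet's domain-name."""
    return f"{ddns_hostname(leased_address)}.{domain_name}."


def reverse_name(leased_address):
    """PTR owner name for the lease, e.g. 101.20.10.172.in-addr.arpa."""
    return ipaddress.IPv4Address(leased_address).reverse_pointer + "."


def find_zone(name, zones=ZONES):
    """Longest-suffix match of an absolute name against the declared zone
    statements (assumed to mirror dhcpd's choice of zone for an update).
    Returns (zone_name, settings), or (None, None) if no declared zone covers it."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return (best, zones[best]) if best else (None, None)


def update_plan(leased_address, domain_name=DOMAIN_NAME, zones=ZONES):
    """For one lease, list the names dhcpd would try to update and whether each
    falls inside a declared zone (and therefore has a primary and a key)."""
    plan = {}
    for kind, name in (("forward", forward_name(leased_address, domain_name)),
                       ("reverse", reverse_name(leased_address))):
        zone, cfg = find_zone(name, zones)
        plan[kind] = {
            "name": name,
            "zone": zone,
            "key": cfg["key"] if cfg else None,
            "primary": cfg["primary"] if cfg else None,
        }
    return plan


if __name__ == "__main__":
    # Lease address taken from the dhcpd log lines quoted in the thread.
    for kind, entry in update_plan("172.10.20.101").items():
        if entry["zone"]:
            where = f"zone {entry['zone']} via {entry['primary']} with key {entry['key']}"
        else:
            where = "no declared zone statement covers this name"
        print(f"{kind:7} {entry['name']:45} -> {where}")
```

Running it with the quoted values prints the reverse name as covered by 20.10.172.in-addr.arpa and the forward name as covered by nothing; passing domain_name="dhcp.coloradostudios.com" to update_plan shows the forward name moving inside the declared zone, which makes the comparison with the interactive nsupdate test concrete.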