Feature questions
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Sep 24 14:14:32 UTC 2008
Glenn Satchell wrote:
>> Date: Tue, 23 Sep 2008 11:06:08 -0600
>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>> To: dhcp-users at isc.org
>> Subject: Re: Feature questions
>>
>> So my next question is in regards to providing zone or dns zone options
>> without the use of dnssec? Is this a valid example?
>
> If you don't use keys then you need to allow updates by IP address. See
> examples below.
>
> Allowing this means, for example, that any user on that box could use
> nsupdate to modify your zone files. Using keys is much safer.
>
> If you find that dns updates are not working you will need to enable
> named logging and look to see what the problem is. dhcp will return
> something like 'dns update times out'.
>
> named.conf?
Named.conf? According to the documentation I have read regarding dhcpd
and dns updates these are directives I am using in the dhcpd.conf file.
Is this wrong?
>> #### DNS Zone Definitions ####
>> zone "test.com" {
>> type master;
>> file "mmctest.zone";
> allow-update { localhost; };
>> };
>> zone "xxx.xxx.xxx.xxx.in-addr.arpa" {
>> type master;
>> file "test.zone";
> allow-update { localhost; };
>> };
>
>
> dhcpd.conf?
>> zone test {
>> primary 127.0.0.1;
>> }
>> zone xxx.xxx.xxx.xxx.in-addr.arpa {
>> primary 127.0.0.1;
>> }
>
> regards,
> -glenn
>> Glenn Satchell wrote:
>>> Hi Jason
>>>
>>> Check the dhcpd.conf man page (man dhcpd.conf) and scroll down to the
>>> section titled "DYNAMIC DNS UPDATE SECURITY" and follow the examples
>>> there.
>>>
>>> You need to generate your passphrase using dnssec-keygen, you can't
>>> just pick an arbitrary group of letters as it is base64 encoded.
>>>
>>> Also dhcpd.conf configuration is not the same as named.conf, for
>>> example quotes are used differently. The reference above has examples
>>> for both named.conf and dhcpd.conf.
>>>
>>> regards,
>>> -glenn
>>>
>>>
>>>> Date: Mon, 22 Sep 2008 07:35:33 -0600
>>>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>>> To: dhcp-users at isc.org
>>>> Subject: Feature questions
>>>>
>>>> I have read the documentation regarding the use of DNSSEC and also
>>>> utilizing DNS zone files within the dhcpd.conf. I am in need of a
>>>> 'second set of eyes' in regards to my current configuration for these
>>>> options as well as for the failover configuration syntax.
>>>>
>>>> If any one could assist me with this I would appreciate it.
>>>>
>>>> #### DNSSEC Key Definitions ####
>>>> key test {
>>>> algorithm DSA;
>>>> secret passphrase;
>>>> }
>>>>
>>>> #### DNS Zone Definitions ####
>>>> zone "scl.utah.edu" {
>>>> type master;
>>>> file "mmctest.zone";
>>>> allow-update { key test; };
>>>> };
>>>> zone "145.17.97.155.in-addr.arpa" {
>>>> type master;
>>>> file "mmctest.zone";
>>>> allow-update { key test; };
>>>> };
>>>> zone scl.utah.edu {
>>>> primary 127.0.0.1;
>>>> key test;
>>>> }
>>>> zone 145.17.97.155.in-addr.arpa {
>>>> primary 127.0.0.1;
>>>> key test;
>>>> }
>>>>
>>>> #### Failover configuration ####
>>>> failover peer "tyr" {
>>>> primary;
>>>> address 155.97.17.166;
>>>> port 519;
>>>> peer address 155.97.16.253;
>>>> peer port 520;
>>>> max-response-delay 60;
>>>> max-unpacked-updates 10;
>>>> mclt 300;
>>>> split 128;
>>>> load balance max seconds 3;
>>>> }
>>>>
>>>> The reason I am asking is because with this configuration (which look
>>>> accurate according to the RFC documentation I have read) I receive some
>>>> errors when restarting the dhcpd service. Details below:
>>>>
>>>> dhcpd.conf line 24: partial base64 value left over: 14.
>>>> secret passphrase;
>>>>
>>>> dhcpd.conf line 28: expecting hostname.
>>>> zone "scl.utah.edu"
>>>>
>>>> dhcpd.conf line 32: expecting a parameter or declaration
>>>> };
>>>>
>>>> /dhcpd.conf line 33: expecting hostname.
>>>> zone "145.17.97.155.in-addr.arpa"
>>>>
>>>> dhcpd.conf line 37: expecting a parameter or declaration
>>>> };
>>>>
>>>> dhcpd.conf line 55: invalid statement in peer declaration
>>>> max-unpacked-updates
>>>>
--
Jason Gerfen
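For readers following this thread, here is an added example (not from either poster) of the two configurations kept apart the way Glenn describes: the TSIG key and zone statements in named.conf syntax, and the matching key and zone statements in dhcpd.conf syntax, followed by the failover peer block with the directive name dhcpd actually accepts. The key name DHCP_UPDATER, the zone and file names, and the secret are placeholders; the real secret comes from dnssec-keygen (or tsig-keygen on current BIND), never from a typed passphrase, because both daemons parse the value as base64, which is exactly what the "partial base64 value left over" error is complaining about.

```conf
## ---- named.conf (BIND side) ----  added example, placeholder names/secret
# Generate the shared secret instead of choosing letters by hand:
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST DHCP_UPDATER   # BIND 9 of this era
#   tsig-keygen -a hmac-sha256 DHCP_UPDATER                  # current BIND; use SHA-2
#                                                            # when both daemons support it
# Keep the key in a separate file with mode 0640 owned by named and include it,
# so the secret is not world-readable alongside the rest of named.conf.
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "Zm9vYmFyMTIzNDU2Nzg5MA==";   # PLACEHOLDER: constructed value, not a real key
};

zone "example.test" {
    type master;
    file "example.test.zone";
    allow-update { key DHCP_UPDATER; };  # signed updates only; no allow-update { localhost; }
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.rev.zone";
    allow-update { key DHCP_UPDATER; };
};

## ---- dhcpd.conf (ISC DHCP side) ----  same key, dhcpd syntax:
## zone names are unquoted (trailing dot recommended) and carry only
## "primary" and "key"; type/file/allow-update belong in named.conf,
## which is why dhcpd reported "expecting hostname" on the quoted names.
ddns-update-style interim;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret Zm9vYmFyMTIzNDU2Nzg5MA==;      # same PLACEHOLDER secret as in named.conf
};

zone example.test. {
    primary 127.0.0.1;                   # address of the authoritative named
    key DHCP_UPDATER;
}

zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

## ---- failover peer (dhcpd.conf) ----  values from the original post; the
## statement dhcpd knows is max-unacked-updates, hence "invalid statement in
## peer declaration" for max-unpacked-updates.
failover peer "tyr" {
    primary;
    address 155.97.17.166;
    port 519;
    peer address 155.97.16.253;
    peer port 520;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 300;
    split 128;
    load balance max seconds 3;
}
```

With the key in place on both sides, the zone no longer accepts unsigned updates from anything running on the name server, which removes the nsupdate exposure Glenn points out for the address-based `allow-update { localhost; }` form. Since dhcpd.conf now holds the shared secret too, it should be readable only by root and the dhcpd user, and the same secret must appear byte-for-byte in both files or named will reject the update as BADKEY.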