DHCP+BIND+DDNS, reverse creation timeout

Greg Sloop <gregs@sloop.net>
Wed Jul 24 21:27:34 UTC 2013


Finally: I'm still not sure what is wrong, but I'd forgotten about
changing, as suggested, the [allow-update { any; };] from "key" to "any".
[Thanks Glenn S.]

Changing it to "any" fixed it.

So, clearly there is something borked about the key, but what?
How could updates work for the somedom.local zone - using the same options,
but fail for the reverse zone?

If the key was bad, it should fail creating the forward map, as well as the
reverse?

Jeepers!!!

So, now that we know it is key related, any tips on how to troubleshoot
and identify what's going wrong?

-Greg
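[Editor's note, added to this thread; it is not part of any message in it and not code from BIND, ISC dhcpd or the posters.] The two outcomes Greg reports, accepted with allow-update { any; }; and refused with allow-update { key rndc-key; };, are decided by BIND's TSIG check, which runs on the incoming UPDATE before the zone's allow-update ACL is consulted, and RFC 2845 requires the server to answer a failed check with RCODE NOTAUTH plus a TSIG error of BADKEY, BADSIG or BADTIME rather than stay silent. The Python below (standard library only, no server needed) builds a TSIG-signed UPDATE for the 0.1.10.in-addr.arpa zone the way nsupdate -k or dhcpd would, verifies it the way the server does, and shows which verdict each kind of dhcpd/named mismatch earns: a key name named.conf does not define gives BADKEY, a known name with a different secret gives BADSIG, clocks more than the fudge apart give BADTIME, and an unsigned message is not a TSIG failure at all. The key name rndc-key, the secret, the timestamp and the PTR names are constructed for the demo; HMAC-MD5 is used because that is the algorithm both configs in this thread use. Two things worth taking from it: the key name is itself part of the signed data, so name, algorithm and secret all have to agree between named.conf and dhcpd.conf, and allow-update { any; }; removes the signature requirement rather than satisfying it, so any host that can reach 10.1.0.5 can then add or delete PTR records in that zone. It does not explain why only the reverse zone failed here; the thread never got to the bottom of that.

```python
import base64
import hashlib
import hmac
import struct

ALGO = "hmac-md5.sig-alg.reg.int."   # wire name behind "algorithm hmac-md5;" in named.conf/dhcpd.conf
TSIG_TYPE, CLASS_ANY = 250, 255

def encode_name(name):
    """Uncompressed wire-format name, lower-cased (TSIG names compare case-insensitively)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(buf, pos):
    """Decode an uncompressed name; returns (name with trailing dot, offset after it)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def build_update(zone, owner, target, ttl=60, msg_id=0x1234):
    """Unsigned UPDATE (opcode 5): ZOCOUNT=1 (zone SOA entry), UPCOUNT=1 (add one PTR)."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)
    zone_entry = encode_name(zone) + struct.pack("!HH", 6, 1)                            # SOA IN
    rdata = encode_name(target)
    add_ptr = encode_name(owner) + struct.pack("!HHIH", 12, 1, ttl, len(rdata)) + rdata  # PTR IN
    return header + zone_entry + add_ptr

def tsig_vars(key_name, time_signed, fudge, error=0, other=b""):
    """RFC 2845 3.4.2 'TSIG variables', MACed after the message; the key name is part of them."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGO)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign(msg, key_name, secret_b64, time_signed, fudge=300):
    """Client side (nsupdate -k, dhcpd): MAC = HMAC-MD5(secret, msg || TSIG vars), append TSIG RR."""
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_vars(key_name, time_signed, fudge), hashlib.md5).digest()
    orig_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(ALGO)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))                      # error 0, no other data
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr          # ARCOUNT += 1

def verify(signed, keyring, now):
    """Server side, RFC 2845 4.5 order (key, MAC, time); keyring: name with dot -> base64 secret."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])   # ZO/PR/UP/AD counts in an UPDATE
    if ar == 0:
        return "NOTSIG"          # unsigned: only `any` or an address ACL in allow-update can pass it
    pos = 12
    for _ in range(qd):
        pos = read_name(signed, pos)[1] + 4
    for _ in range(an + ns + ar - 1):                        # skip every RR before the last one
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype, pos = struct.unpack("!H", signed[pos:pos + 2])[0], pos + 10      # type, class, TTL, RDLEN
    if rtype != TSIG_TYPE:
        return "NOTSIG"
    algo, pos = read_name(signed, pos)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[pos:pos + 10])
    mac = signed[pos + 10:pos + 10 + maclen]
    orig_id = struct.unpack("!H", signed[pos + 10 + maclen:pos + 12 + maclen])[0]
    if key_name not in keyring or algo != ALGO:
        return "BADKEY"          # no key {} with that name/algorithm on the server
    time_signed = (hi << 32) | lo
    unsigned = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1)
                + signed[12:tsig_start])                     # the message as it was before signing
    expected = hmac.new(base64.b64decode(keyring[key_name]),
                        unsigned + tsig_vars(key_name, time_signed, fudge), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"          # right name, wrong secret (or the message was altered in transit)
    if abs(now - time_signed) > fudge:
        return "BADTIME"         # dhcpd's and named's clocks differ by more than the fudge
    return "NOERROR"

def diagnose():
    """The reverse-zone UPDATE from the thread, signed with each kind of mismatch (constructed values)."""
    secret = base64.b64encode(b"constructed-demo-secret").decode()
    named_keys = {"rndc-key.": secret}                      # what this named.conf would define
    msg = build_update("0.1.10.in-addr.arpa.", "4.0.1.10.in-addr.arpa.", "blah2.somedom.local.")
    t = 1374700000                                           # fixed clock so the run is repeatable
    return {
        "matching key":   verify(sign(msg, "rndc-key", secret, t), named_keys, t),
        "wrong key name": verify(sign(msg, "dhcp-key", secret, t), named_keys, t),
        "wrong secret":   verify(sign(msg, "rndc-key", base64.b64encode(b"other").decode(), t), named_keys, t),
        "clock skew":     verify(sign(msg, "rndc-key", secret, t), named_keys, t + 3600),
        "unsigned":       verify(msg, named_keys, t),
    }

if __name__ == "__main__":
    for case, verdict in diagnose().items():
        print(f"{case:15} -> {verdict}")
```

Running it prints one verdict per case. Against a real named the same three error codes are what the server's security and update log categories record (the logging block further down this thread enables both), and nsupdate -k run with the exact key file dhcpd uses is the quickest way to see them directly, since it prints the response code that dhcpd only reports as a failure.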


On Wed, Jul 24, 2013 at 9:41 AM, Gregory Sloop <gregs at sloop.net> wrote:

> Continuing top posting.
>
> So, just to start fresh - I blew away all the BIND data - the journal
> files etc. Same with DHCPd. [everything in /var/lib/bind and
> /var/lib/dhcp]
>
> Recreated the named.conf and named.conf.local
> Recreated the zone files.
>
> Recreated the dhcpd.conf
>
> I moved the key [as suggested] to above the "include" statements in the
> named.conf
> ---
>
> Started just BIND.
>
> Then did some tests, working with reverses.
>
> ---
> nsupdate -k /etc/bind/rndc.key
> server 10.1.0.5
> zone 0.1.10.in-addr.arpa
> update add 4.0.1.10.in-addr.arpa 60 PTR blah2.somedom.local.
> send
>
> host 10.1.0.4
> > "4.0.1.10.in-addr.arpa domain name pointer blah2.somedom.local."
>
> nsupdate -k /etc/bind/rndc.key
> server 10.1.0.5
> zone 0.1.10.in-addr.arpa
> update delete 4.0.1.10.in-addr.arpa
> send
>
> root at dns-dhcp-01:/etc/dhcp# host 10.8.20.4
> Host 4.20.8.10.in-addr.arpa. not found: 3(NXDOMAIN)
> ---
>
> So, I can create/remove/update the reverse zone fine.
>
> Then I start dhcpd again and grab a lease. Same issue. DHCPd reports I
> can create the forward fine, but the reverse times out.
>
> The key in rndc.key, as well as in DHCPd.conf and named.conf are all
> identical.
>
> ---
> Things I've tried since my last post:
> -Changing the quoting of the key in named.conf
> -Changing the [key "rndc-key"] to [key rndc-key] in dhcpd.conf
> -Changing to a 128-bit key instead of 512. [HMAC/MD5 in both cases]
> -Verify that the key in the file "rndc.key" as well as the keys in
> named.conf and dhcpd.conf are all truly the same. They are.
>
> None of these seem to resolve the issue.
>
> ---
> Can someone give some pointers? I'm totally baffled!
>
> I'm glad to give any needed information - but nothing has really
> changed in the conf files given below.
>
> Thanks!
> -Greg
>
> ---
> GS> Hi Greg
>
> GS> It's not something like moving the rndc-key definition so that it is
> GS> before you include named.conf.local?
>
> GS> Otherwise there are example configs in the dhcpd.conf man page, scroll
> GS> down to the DYNAMIC DNS section. The only difference I can see is that
> GS> the key does not have quotes around the value. Though if the forward map
> GS> is working then I don't think this would be the problem.
>
> GS> Can you update the zone using nsupdate and the key? This might give
> GS> you a better error message.
>
> GS> Another test is to temporarily configure bind to allow update from the
> GS> dhcp server's ip address. This will eliminate the key as a problem.
> GS> Bind seems to silently ignore updates which use the wrong key, so double
> GS> check the key is the same in named.conf and dhcpd.conf.
>
> GS> regards,
> GS> -glenn
>
> GS> named.conf
> GS> ---
> GS> include "/etc/bind/named.conf.options";
> GS> include "/etc/bind/named.conf.local";
> GS> include "/etc/bind/named.conf.default-zones";
>
> GS> #512 bit key
> GS> key "rndc-key" {
>
> GS> On Wed, July 24, 2013 3:39 pm, Greg Sloop <gregs at sloop.net> wrote:
> >> I'm about to go insane. It's probably an obvious problem, but for the
> >> life of me, I can't find it.
> >>
> >> I'm trying to setup Bind9 + DHCPd + DDNS (forward and reverses)
> >> I've got DHCP working for multiple subnets etc, and doing BIND DDNS
> >> updates, at least for forward records.
> >>
> >> I get the following in the logs:
> >> ---
> >> Jul 23 20:17:17 dns-dhcp-01 dhcpd: Added new forward map from
> >> ABCD-R61.somedom.local to 10.1.0.221
> >> Jul 23 20:17:18 dns-dhcp-01 dhcpd: unable to add reverse map from
> >> 221.0.1.10.in-addr.arpa. to ABCD-R61.somedom.local: timed out
> >> ---
> >>
> >> Turning up the verbosity level in BIND to debug doesn't produce anything
> >> useful I can find. The DHCP logs don't shed any more light on things
> >> either.
> >> [Perhaps it does produce useful stuff but, if so, I can not find it.]
> >>
> >> Here's the environment.
> >> Ubuntu 12.04 [Running in a VM, with the eth interface bridged - though
> >> it shouldn't matter, it's VirtualBox]
> >> DHCPd 4.1-R4
> >> BIND 9.8.1-P1
> >> Both standard Ubuntu packages, installed from the Ubuntu repositories.
> >>
> >> Here are my configs:
> >> ---
> >> /etc/bind/named.conf.local
> >> ---
> >> // Do any local configuration here
> >> //
> >>
> >> // Consider adding the 1918 zones here, if they are not used in your
> >> // organization
> >> //include "/etc/bind/zones.rfc1918";
> >>
> >> acl "local-nets" {
> >> 10.1.0.0/22;
> >> };
> >>
> >> acl "dns-dhcp-servers" {
> >> 10.1.0.5; 10.1.0.6;
> >> };
> >>
> >> zone "somedom.local" {
> >>         type master;
> >>         file "/var/lib/bind/somedom.local.hosts";
> >>         // update-policy { grant rndc-key zonesub ANY; };
> >>         allow-update { key rndc-key; };
> >> };
> >>
> >> zone "0.1.10.in-addr.arpa" {
> >>         type master;
> >>         file "/var/lib/bind/10.1.0.rev";
> >>         // update-policy { grant rndc-key zonesub ANY; };
> >>         allow-update { key rndc-key; };
> >>         allow-query { any; };
> >> };
> >>
> >> zone "1.1.10.in-addr.arpa" {
> >>         type master;
> >>         file "/var/lib/bind/10.1.1.rev";
> >>         // update-policy { grant rndc-key zonesub ANY; };
> >>         allow-update { key rndc-key; };
> >> };
> >>
> >> zone "2.1.10.in-addr.arpa" {
> >>         type master;
> >>         file "/var/lib/bind/10.1.2.rev";
> >>         // update-policy { grant rndc-key zonesub ANY; };
> >>         allow-update { key rndc-key; };
> >> };
> >>
> >> logging {
> >>     channel default_file {
> >>         file "/var/log/named/default.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel general_file {
> >>         file "/var/log/named/general.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel database_file {
> >>         file "/var/log/named/database.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel security_file {
> >>         file "/var/log/named/security.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel config_file {
> >>         file "/var/log/named/config.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel resolver_file {
> >>         file "/var/log/named/resolver.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel xfer-in_file {
> >>         file "/var/log/named/xfer-in.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel xfer-out_file {
> >>         file "/var/log/named/xfer-out.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel notify_file {
> >>         file "/var/log/named/notify.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel client_file {
> >>         file "/var/log/named/client.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel unmatched_file {
> >>         file "/var/log/named/unmatched.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel queries_file {
> >>         file "/var/log/named/queries.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel network_file {
> >>         file "/var/log/named/network.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel update_file {
> >>         file "/var/log/named/update.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel dispatch_file {
> >>         file "/var/log/named/dispatch.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel dnssec_file {
> >>         file "/var/log/named/dnssec.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>     channel lame-servers_file {
> >>         file "/var/log/named/lame-servers.log" versions 3 size 5m;
> >>         //severity dynamic;
> >>         severity debug 3;
> >>         print-time yes;
> >>     };
> >>
> >>     category default { default_file; };
> >>     category general { general_file; };
> >>     category database { database_file; };
> >>     category security { security_file; };
> >>     category config { config_file; };
> >>     category resolver { resolver_file; };
> >>     category xfer-in { xfer-in_file; };
> >>     category xfer-out { xfer-out_file; };
> >>     category notify { notify_file; };
> >>     category client { client_file; };
> >>     category unmatched { unmatched_file; };
> >>     category queries { queries_file; };
> >>     category network { network_file; };
> >>     category update { update_file; };
> >>     category dispatch { dispatch_file; };
> >>     category dnssec { dnssec_file; };
> >>     category lame-servers { lame-servers_file; };
> >> };
> >>
> >> ---
> >> The zone file for the problem zone above. [There are three zones, but
> >> I'm having the problem in this zone. I haven't tested the others, but if
> >> I get this zone working, I'm sure the others will work too. So I'll just
> >> give this one zone.]
> >> *** /var/lib/bind/10.1.0.rev
> >> ---
> >> ;#/var/lib/bind/10.1.0.rev
> >> $ttl 38400
> >> 0.1.10.in-addr.arpa. IN      SOA     dns-dhcp-01. root.somedom.com. (
> >>                         2013072301 ;serial
> >>                         10800 ;slave-refresh, 3h
> >>                         3600 ;slave-retry, update, 1h
> >>                         604800 ;slave-expire,  7d
> >>                         120  ;minimum [negative response TTL], 2m
> >>                         )
> >> 0.1.10.in-addr.arpa. IN      NS      dns-dhcp-01.somedom.local.
> >> 0.1.10.in-addr.arpa. IN      NS      dns-dhcp-02.somedom.local.
> >>
> >> ---
> >>
> >> *** The DHCPd.conf file
> >> ---
> >> authoritative;
> >>
> >> key "rndc-key" {
> >>       algorithm hmac-md5;
> >>       secret "SOMESECRET";
> >> };
> >>
> >> ddns-update-style interim;
> >> ddns-domainname "somedom.local";
> >>
> >> log-facility local7;
> >> log debug;
> >>
> >> option time-offset              -18000; # Pacific Standard Time
> >> one-lease-per-client off;
> >>
> >> use-host-decl-names on;
> >> option ntp-servers time.somedom.local;
> >> option time-servers time.somedom.local;
> >> option domain-name-servers 10.1.0.5, 10.1.0.6;
> >> option domain-name "somedom.local";
> >> option netbios-name-servers 10.1.0.17;
> >> option routers 10.1.0.190;
> >>
> >> #1h lease
> >> default-lease-time 3600;
> >> max-lease-time 3600;
> >> option ip-forwarding off;
> >>
> >> zone somedom.local. {
> >>         primary 10.1.0.5;
> >>         key rndc-key;
> >> }
> >>
> >> zone 0.1.10.in-addr.arpa. {
> >>         primary 10.1.0.5;
> >>         key rndc-key;
> >> }
> >>
> >> zone 1.1.10.in-addr.arpa. {
> >>         primary 10.1.0.5;
> >>         key rndc-key;
> >> }
> >>
> >> zone 2.1.10.in-addr.arpa. {
> >>         primary 10.1.0.5;
> >>         key rndc-key;
> >> }
> >>
> >> # Subnet for internal hosts
> >> subnet 10.1.0.0 netmask 255.255.255.0 {
> >>     option routers                  10.1.0.190;
> >>     option subnet-mask              255.255.255.0;
> >>
> >>     # block unknowns for .60 - .113
> >>     pool {
> >>         range 10.1.0.60 10.1.0.113;
> >>         allow unknown-clients;
> >>     }
> >>     # block unknowns for 10.1.0.114 - .115
> >>     pool {
> >>         range 10.1.0.114 10.1.0.114;
> >>         deny unknown-clients;
> >>     }
> >>     # allow unknowns for 10.1.0.115 - .153
> >>     pool {
> >>         range 10.1.0.115 10.1.0.153;
> >>         allow unknown-clients;
> >>     }
> >>     # block unknowns for 10.1.0.154 - .194
> >>     pool {
> >>         range 10.1.0.154 10.1.0.194;
> >>         deny unknown-clients;
> >>     }
> >>     # allow unknowns for 10.1.0.195 - .222
> >>     pool {
> >>         range 10.1.0.195 10.1.0.222;
> >>         allow unknown-clients;
> >>     }
> >>     # block unknowns for 10.1.0.223 - .254
> >>     pool {
> >>         range 10.1.0.223 10.1.0.254;
> >>         deny unknown-clients;
> >>     }
> >> }
> >>
> >> subnet 10.1.1.0 netmask 255.255.255.0 {
> >>     option routers                  10.1.1.1;
> >>     option subnet-mask              255.255.255.0;
> >>     pool {
> >>         #failover peer "dhcp-failover";
> >>         max-lease-time 14400;
> >>         range 10.1.1.21 10.1.1.240;
> >>         allow unknown-clients;
> >>     }
> >> }
> >>
> >> subnet 10.1.2.0 netmask 255.255.255.0 {
> >>     option routers                  10.1.2.1;
> >>     option subnet-mask              255.255.255.0;
> >>     pool {
> >>         #failover peer "dhcp-failover";
> >>         max-lease-time 14400;
> >>         range 10.1.2.50 10.1.2.250;
> >>         allow unknown-clients;
> >>     }
> >> }
> >>
> >>
> >> ---
> >> named.conf
> >> ---
> >> include "/etc/bind/named.conf.options";
> >> include "/etc/bind/named.conf.local";
> >> include "/etc/bind/named.conf.default-zones";
> >>
> >> #512 bit key
> >> key "rndc-key" {
> >>       algorithm hmac-md5;
> >>       secret "SOMESECRET";
> >> };
> >>
> >> controls {
> >>       inet 127.0.0.1 port 953
> >>               allow { 127.0.0.1; } keys { "rndc-key"; };
> >>
> >>       inet 10.1.0.5 port 953
> >>               allow { 127.0.0.1; } keys { "rndc-key"; };
> >> };
> >> ---
> >>
> >> To keep the clutter down, I won't give any more config files:
> >> But syntax checks of both the BIND and DHCPd config files are clean, and
> >> both BIND and DHCPd appear to load and run fine.
> >> The only problem I have is the failed [timed out] problem for creating
> >> the PTR record for the reverse.
> >>
> >> I've spent hours on this, looking at the docs, examples, google-foo, and
> >> more.
> >> I'm quite sure it's something stupid, but as I said above, I can't find
> >> it and I'm desperate!
> >>
> >> TIA
> >> -Greg
> >> _______________________________________________
> >> dhcp-users mailing list
> >> dhcp-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/dhcp-users
>
>