Fwd: ddns-updates off; within pool doesn't work

Alexei V. Schukin alex.v.schukin at gmail.com
Tue Jun 3 16:39:21 UTC 2014


Thanks for the detailed explanations, Glenn!

I have tested the configuration from your message with dhcpd -t, but the daemon
threw the following error:

-----------------------------------------------------------------------------------------------
dhcpd -t -cf /etc/dhcp/dhcpd.conf
-----------------------------------------------------------------------------------------------
Internet Systems Consortium DHCP Server 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
WARNING: Host declarations are global.  They are not limited to the scope
you declared them in.
/etc/dhcp/dhcpd.conf line 76: expecting permit type.
                allow client-updates;
                       ^
/etc/dhcp/dhcpd.conf line 77: semicolon expected.
                range
                 ^
Configuration file errors encountered -- exiting

This version of ISC DHCP is based on the release available
on ftp.isc.org.  Features have been added and other changes
have been made to the base software release in order to make
it work better with this distribution.

Please report for this software via the CentOS Bugs Database:
    http://bugs.centos.org/

exiting.
------------------------------------------------------------------------------------------------

Obviously, it doesn't like the "allow client-updates" option inside a pool
definition.

After my experiments, the most acceptable configuration looks like this:

-----------------------------------------------------------------------------------------------
dhcpd.conf
------------------------------------------------------------------------------------------------
authoritative;
ddns-update-style interim;
ddns-updates off;
deny unknown-clients;
update-static-leases off;
deny client-updates;
ddns-domainname "example.com";
allow booting;
allow bootp;
next-server 192.168.0.21;
filename "pxelinux.0";
option root-path "192.168.0.21:/tftpboot";
option ntp-servers 192.168.0.1;

one-lease-per-client on;

option domain-name "example.com";

subnet 192.168.0.0 netmask 255.255.255.0   {

        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        option broadcast-address 192.168.0.255;

        allow client-updates;
        allow unknown-clients;

        # range for foreman
        # 192.168.0.5 192.168.0.50

        # dynamic address pool
        pool {
                ddns-updates on;

                range 192.168.0.100 192.168.0.130;
        }

        # group for static host
        group {
                ddns-updates on;
                deny client-updates;
                use-host-decl-names on;

                update-static-leases on;

                host static-host {
                        hardware ethernet xx:xx:xx:xx:xx:xx;
                        fixed-address 192.168.0.132;
                        ddns-hostname "static-host";
                }
                ...

        }
}

...
------------------------------------------------------------------------------------------------

It seems to work fine, except for the "update-static-leases" option, because every
time after removing a host definition from the configuration files I have to
clean up my DNS zones manually. Unfortunately, I haven't found a more elegant
solution yet.

--
Best wishes,
Alex


2014-05-19 19:11 GMT+04:00 Glenn Satchell <glenn.satchell at uniq.com.au>:

> Hi Alex
>
> The lease created by the omshell commands is a host statement, that is
> it's a static lease, so it is not part of the pool of dynamic leases where
> you have turned off ddns-updates, even though the IP address happens to be
> in the pool's dynamic range.
>
> Probably the right way to fix this is to remove that pool altogether and
> put the commands in the subnet, but you don't need the range statement for
> 192.168.0.5 192.168.0.50. The host statement will inherit settings from
> the subnet, but not from the pool. You could use a pool for the range
> 192.168.0.100 192.168.0.130 if you wanted different behaviour for those
> addresses.
>
> The range statement is for the dhcp server to allocate addresses itself.
> That function is being controlled by foreman, so you have two things
> conflicting with each other.
>
> By the way, no modern dhcp clients need the dynamic-bootp setting for range
> these days. All that does is emulate bootp by allocating leases that never
> expire, so you will eventually run out of IPs due to old systems that are
> long gone still having an IP lease held for them.
>
> Perhaps something like this. Note I haven't tried this, so there may be
> syntax errors, etc, but hope this shows what I was trying to say above.
>
> subnet 192.168.0.0 netmask 255.255.255.0   {
>
>     ddns-updates off;
>     ignore client-updates;
>     update-static-leases off;
>
>     pool {
>         range 192.168.0.100 192.168.0.130;
>         ddns-updates on;
>         allow client-updates;
>     }
>
>     option broadcast-address 192.168.0.255;
>     option domain-name-servers 192.168.0.1;
>     option domain-name "example.com";
>     option routers 192.168.0.1;
>     default-lease-time 86400;
>     max-lease-time 172800;
>     ...
> }
>
> regards,
> -glenn
>
> On Tue, May 20, 2014 12:45 am, Alexei V. Schukin wrote:
> > Peter, thanks for the reply.
> >
> > I'm trying to get Foreman + DHCP (ddns updates) + BIND to work together.
> >
> > DHCPD had the configuration below the last time I tested it working.
> >
> > =============
> > dhcpd.conf
> > =============
> >
> > authoritative;
> > ddns-update-style interim;
> > ddns-updates on;
> > ddns-domainname "example.com";
> > allow booting;
> > allow bootp;
> > next-server 192.168.0.21;
> > filename "pxelinux.0";
> > option root-path "192.168.0.21:/tftpboot";
> > option ntp-servers 192.168.0.1;
> > allow unknown-clients;
> > update-static-leases on;
> >
> > subnet 192.168.0.0 netmask 255.255.255.0   {
> >         pool {
> >                 range 192.168.0.5 192.168.0.50;
> >                 deny unknown-clients;
> >                 ddns-updates off;
> >                 ddns-update-style none;
> >                 ignore client-updates;
> >                 update-static-leases off;
> >         }
> >
> >         range dynamic-bootp 192.168.0.100 192.168.0.130;
> >         option domain-name-servers 192.168.0.1;
> >         option domain-name "example.com";
> >         option routers 192.168.0.1;
> >         option broadcast-address 192.168.0.255;
> >         allow client-updates;
> >         default-lease-time 86400;
> >         max-lease-time 172800;
> >         ...
> > }
> >
> > ...
> >
> > -----------------
> >
> >
> > This is the rough scheme of interaction between the services:
> >
> > __________        _________________________________
> > |         |      |                                 |
> > |  Host 1 |      |            Host 2               |
> > |         |      |                   (1)           |
> > | Foreman | -->  | Foreman-Proxy   ------>   DHCPD |
> > |_________|      |        |        omshell         |
> >                  |    (2) |                        |
> >                  |        | nsupdate               |
> >                  |        +                        |
> >                  |       BIND                      |
> >                  |_________________________________|
> >
> > 0. Creating host in Foreman...
> > 1. The Foreman tells foreman-proxy to reserve an address for a new host via
> > omshell (1)
> >
> > =================================
> > /var/log/foreman-proxy/proxy.log
> > =================================
> > D, [2014-05-15T19:47:03.286591 #7893] DEBUG -- : Lazy loaded 192.168.0.0/255.255.255.0 records
> > D, [2014-05-15T19:47:03.287669 #7893] DEBUG -- : Added example-04.example.com (192.168.0.25 / 00:50:56:90:72:22) to 192.168.0.0/255.255.255.0
> > D, [2014-05-15T19:47:03.288907 #7893] DEBUG -- : omshell: executed - set name = "example-04.example.com"
> > D, [2014-05-15T19:47:03.289097 #7893] DEBUG -- : true
> > D, [2014-05-15T19:47:03.289254 #7893] DEBUG -- : omshell: executed - set ip-address = 192.168.0.25
> > D, [2014-05-15T19:47:03.289360 #7893] DEBUG -- : true
> > D, [2014-05-15T19:47:03.289510 #7893] DEBUG -- : omshell: executed - set hardware-address = 00:50:56:90:72:22
> > D, [2014-05-15T19:47:03.289652 #7893] DEBUG -- : true
> > D, [2014-05-15T19:47:03.289819 #7893] DEBUG -- : omshell: executed - set hardware-type = 1
> > D, [2014-05-15T19:47:03.289933 #7893] DEBUG -- : true
> > D, [2014-05-15T19:47:03.290285 #7893] DEBUG -- : omshell: executed - set statements = "filename = \"pxelinux.0\"; next-server = c0:a8:00:cf; option host-name = \"example-04.example.com\";"
> > D, [2014-05-15T19:47:03.290396 #7893] DEBUG -- : true
> > D, [2014-05-15T19:47:03.290548 #7893] DEBUG -- : omshell: executed - create
> > D, [2014-05-15T19:47:03.290700 #7893] DEBUG -- : true
> > I, [2014-05-15T19:47:03.315293 #7893]  INFO -- : Added DHCP reservation for example-04.example.com (192.168.0.25 / 00:50:56:90:72:22)
> > ---------------------------------
> >
> > ==================
> > /var/log/messages
> > ==================
> > May 15 19:47:36 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> > May 15 19:47:38 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
> > May 15 19:47:38 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
> > May 15 19:47:38 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
> > May 15 19:47:38 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
> > May 15 19:47:38 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> > ------------------
> >
> > ==========================
> > /var/lib/dhcp/dhcpd.leases
> > ==========================
> > host example-04.example.com {
> >   dynamic;
> >   hardware ethernet 00:50:56:90:72:22;
> >   fixed-address 192.168.0.25;
> >         supersede server.filename = "pxelinux.0";
> >         supersede server.next-server = c0:a8:00:cf;
> >         supersede host-name = "example-04.example.com";
> > }
> > --------------------------
> >
> >
> >
> > 2. The Foreman tells foreman-proxy to create A and PTR records in BIND's
> > zones for a new host via nsupdate (2)
> >
> > =================================
> > /var/log/foreman-proxy/proxy.log
> > =================================
> > D, [2014-05-15T19:47:03.464086 #7893] DEBUG -- : running /usr/bin/nsupdate -k /etc/foreman-proxy/foreman_proxy.key
> > D, [2014-05-15T19:47:03.465195 #7893] DEBUG -- : nsupdate: executed - server 127.0.0.1
> > D, [2014-05-15T19:47:03.470943 #7893] DEBUG -- : nsupdate: executed - update add example-04.example.com.  86400 A 192.168.0.25
> > D, [2014-05-15T19:47:03.658748 #7893] DEBUG -- : running /usr/bin/nsupdate -k /etc/foreman-proxy/foreman_proxy.key
> > D, [2014-05-15T19:47:03.659858 #7893] DEBUG -- : nsupdate: executed - server 127.0.0.1
> > D, [2014-05-15T19:47:03.662425 #7893] DEBUG -- : nsupdate: executed - update add 25.0.168.192.in-addr.arpa.  86400 IN PTR example-04.example.com.
> > ---------------------------------
> >
> > ===================
> > /var/lib/named.run
> > ===================
> > 15-May-2014 19:47:03.474 update: info: client 127.0.0.1#1904: updating zone 'example.com/IN': adding an RR at 'example-04.example.com' A
> > 15-May-2014 19:47:03.669 update: info: client 127.0.0.1#34958: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR
> >
> >
> > 3. When the host is completely configured, it tries to boot by PXE:
> >
> > ===========================
> > /var/log/messages
> > ===========================
> > May 15 19:48:11 ns dhcpd: DHCPDISCOVER from 00:50:56:90:72:22 via eth1
> > May 15 19:48:11 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> > May 15 19:48:11 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
> > May 15 19:48:11 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
> > May 15 19:48:11 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
> > May 15 19:48:11 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
> > May 15 19:48:11 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> >
> >
> > 4. When the host starts to configure its network interface and receives an
> > address, dhcpd initiates an update of BIND's zones (I hope I understand this
> > mechanism properly):
> >
> > ===========================
> > /var/log/messages
> > ===========================
> > May 15 19:48:20 ns dhcpd: DHCPDISCOVER from 00:50:56:90:72:22 via eth1
> > May 15 19:48:20 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> > May 15 19:48:20 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
> > May 15 19:48:20 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
> > May 15 19:48:20 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
> > May 15 19:48:20 ns dhcpd: Added new forward map from example-04.example.com.example.com to 192.168.0.25
> > May 15 19:48:20 ns dhcpd: added reverse map from 25.0.168.192.in-addr.arpa. to example-04.example.com.example.com
> > May 15 19:48:20 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
> > May 15 19:48:20 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
> > ---------------------------
> >
> > ===================
> > /var/lib/named.run
> > ===================
> > 15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' A
> > 15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' TXT
> > 15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': deleting rrset at '25.0.168.192.in-addr.arpa' PTR
> > 15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR
> > -------------------
> >
> > So, I can't figure out: if I told dhcpd "do not attempt any updates when
> > the client received an address, or this is a static lease, etc.", why does it
> > continue updating the zones?
> >
> > Alex
> >
> > 2014-05-12 10:29 GMT+04:00 Peter Rathlev <peter at rathlev.dk>:
> >> On Mon, 2014-04-28 at 17:14 +0400, Alexei V. Schukin wrote:
> >>> I'm trying to exclude one pool of subnet from dynamic updates.
> >> ...
> >>> subnet 192.168.0.0 netmask 255.255.255.0 {
> >>>   pool {
> >>>     range 192.168.0.10 192.168.0.20;
> >>>     deny unknown-clients;
> >>>     ddns-updates off;
> >>>     ignore client-updates;
> >> ...
> >>> But it doesn't work: dhcpd still updating dns within this address pool.
> >>> What I'm missing?
> >>
> >> Are you sure it's dhcpd that does the updating? Does it say so in the
> >> logs? The above configuration would make the client try updating itself.
> >> It of course needs permission to do this.
> >>
> >> --
> >> Peter
> >>
> >>
> >> _______________________________________________
> >> dhcp-users mailing list
> >> dhcp-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/dhcp-users
> > _______________________________________________
> > dhcp-users mailing list
> > dhcp-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/dhcp-users
>
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
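The named.run and /var/log/messages excerpts quoted above already answer Peter's question of who is doing the updating: BIND logs the source of every DNS UPDATE as "client A.B.C.D#port", and the 19:48:20 entries come from 192.168.0.1 (dhcpd) rather than from 127.0.0.1 (the proxy's nsupdate). The script below is an added example and is not part of the thread or of Foreman, ISC DHCP or BIND. It runs over those quoted log lines, copied in as constructed sample input, and flags three things: an UPDATE whose source is not on an allow-list of permitted updaters, a name that carries the domain twice (example-04.example.com.example.com, which is what dhcpd forms when the host-name option already holds the FQDN and ddns-domainname is appended to it), and dhcpd's "Dynamic and static leases present" warning about a fixed-address host colliding with a dynamic range. The allow-list (only the loopback, i.e. the proxy) and the domain are assumptions for the example.

```python
"""Audit dhcpd / named log lines for DDNS activity that contradicts the
operator's intent.  Added example; the sample lines are copied from the
thread as constructed input, the allow-list and domain are assumptions."""
import re
from dataclasses import dataclass

# Assumption: only the Foreman proxy, running nsupdate on the loopback, is
# supposed to write to these zones.  dhcpd (192.168.0.1) should stay silent
# for the Foreman-managed range because `ddns-updates off` was set there.
ALLOWED_UPDATERS = {"127.0.0.1"}
DDNS_DOMAIN = "example.com"

# named: "update: info: client 192.168.0.1#55653: updating zone
#         'example.com/IN': adding an RR at 'host.example.com' A"
NAMED_UPDATE = re.compile(
    r"update: info: client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: updating zone "
    r"'(?P<zone>[^/']+)/IN': (?P<op>adding an RR|deleting rrset) at "
    r"'(?P<name>[^']+)' (?P<rtype>[A-Z]+)"
)
# dhcpd: "Dynamic and static leases present for 192.168.0.25."
DHCPD_OVERLAP = re.compile(
    r"dhcpd: Dynamic and static leases present for (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # unexpected-updater | doubled-domain | static-dynamic-overlap
    detail: str


def has_doubled_domain(name: str, domain: str = DDNS_DOMAIN) -> bool:
    """True for host.example.com.example.com, False for host.example.com."""
    labels = name.rstrip(".").split(".")
    d = domain.split(".")
    n = len(d)
    return len(labels) >= 2 * n and labels[-n:] == d and labels[-2 * n:-n] == d


def audit(lines):
    """Return a list of Finding objects for the given log lines."""
    findings = []
    for line in lines:
        m = NAMED_UPDATE.search(line)
        if m:
            if m["src"] not in ALLOWED_UPDATERS:
                findings.append(Finding(
                    "unexpected-updater",
                    f"{m['src']} {m['op']} {m['rtype']} {m['name']} in {m['zone']}"))
            if has_doubled_domain(m["name"]):
                findings.append(Finding("doubled-domain", m["name"]))
            continue
        m = DHCPD_OVERLAP.search(line)
        if m:
            findings.append(Finding("static-dynamic-overlap", m["ip"]))
    return findings


def summarize(findings):
    """Count findings per kind; convenient for a cron report or a test."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample input: the lines quoted in the thread.
SAMPLE_LINES = [
    "15-May-2014 19:47:03.474 update: info: client 127.0.0.1#1904: updating zone 'example.com/IN': adding an RR at 'example-04.example.com' A",
    "15-May-2014 19:47:03.669 update: info: client 127.0.0.1#34958: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR",
    "May 15 19:48:20 ns dhcpd: Dynamic and static leases present for 192.168.0.25.",
    "May 15 19:48:20 ns dhcpd: Added new forward map from example-04.example.com.example.com to 192.168.0.25",
    "15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' A",
    "15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' TXT",
    "15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': deleting rrset at '25.0.168.192.in-addr.arpa' PTR",
    "15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f"{f.kind:24} {f.detail}")
```

On the quoted input this reports four updates from 192.168.0.1 that the allow-list does not cover, two doubled-domain names, and one static/dynamic overlap. The first two named lines (the proxy's own A and PTR additions from 127.0.0.1) produce no finding, which is the point: the allow-list encodes who is meant to hold the TSIG key, and anything else writing into the zone is worth a look regardless of what dhcpd.conf was supposed to say.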
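For the manual clean-up Alex mentions at the end of his message, the remaining step is a signed DNS UPDATE that removes the retired host's records. This is an added example, not from the thread or from any of the projects involved: update-static-leases only ever adds records for a host declaration, and dhcpd has no way to know when to remove them, so deleting the declaration from dhcpd.conf leaves the A, TXT and PTR records behind. The function builds the nsupdate batch as text; pipe it into nsupdate -k with the same TSIG key file the proxy uses (the thread shows /etc/foreman-proxy/foreman_proxy.key), so BIND applies the zone's update-policy to the deletion exactly as it did to the addition. The default server address and the split into two transactions (forward zone, then reverse zone, since one DNS UPDATE may only touch a single zone) are choices made for the example.

```python
"""Build the nsupdate batch that removes a retired host's A, TXT and PTR
records.  Added example, not from the thread; the server address default
and the one-transaction-per-zone layout are choices made here."""
import ipaddress


def reverse_name(ip: str) -> str:
    """192.168.0.25 -> 25.0.168.192.in-addr.arpa. (IPv6 yields ip6.arpa.)"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def cleanup_batch(fqdn: str, ip: str, server: str = "127.0.0.1") -> str:
    """Return nsupdate input that deletes the forward and reverse records.

    Two transactions, because a single DNS UPDATE may only touch one zone.
    The `prereq yxrrset` lines make nsupdate fail with NXRRSET when the
    records are already gone, so a second run reports that instead of
    quietly succeeding.  The TXT delete covers the record dhcpd's interim
    update scheme stores next to the A record to mark its ownership.
    """
    name = fqdn.rstrip(".") + "."
    ptr = reverse_name(ip)
    return "\n".join([
        f"server {server}",
        f"prereq yxrrset {name} IN A",
        f"update delete {name} IN A {ip}",   # only the A record for this IP
        f"update delete {name} IN TXT",
        "send",
        f"prereq yxrrset {ptr} IN PTR",
        f"update delete {ptr} IN PTR {name}",
        "send",
    ]) + "\n"


if __name__ == "__main__":
    # Pipe the output into: nsupdate -k /etc/foreman-proxy/foreman_proxy.key
    # (the TSIG key file the proxy itself uses, as shown in the thread).
    print(cleanup_batch("example-04.example.com", "192.168.0.25"), end="")
```

Deleting "IN A 192.168.0.25" rather than the whole A RRset keeps any other addresses the name may legitimately have; the PTR delete likewise names the FQDN it should point to, so a reverse record that was already repointed at a different host is left alone and the prereq tells you so.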
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/dhcp-users/attachments/20140603/ce95c510/attachment-0001.html>

