DHCPv6 and DDNS

Philippe Clérié philippe at gcal.net
Sat Jun 20 21:00:49 UTC 2015


I get your points and in fact I have thought about them. The one reason why I have not pursued them is that I would have expected some trace in syslog of any attempt at communication between DHCPv6 and BIND. There is nothing ... 😕

Another point is that ISC creates the DUID from the MAC address and a time value. The DUID for v4 and v6 might differ. But we should still see a trace in the logs if and when an attempt is made to update DNS.

Note: I am using the MAC as client ID for both v4 and v6. It is permitted I believe. Second, I am using standard style not interim. But that does not invalidate your argument.

Last, as soon as I'm back I'll try your test procedure. 😀 I should have thought of that. 😊

At this point though, I'm beginning to suspect that the v6 server is broken in some weird way.


Thanks

The trouble with common sense is that it is so uncommon.

On Jun 20, 2015 14:22, "Nicolas C." <dhcp at nryc.fr> wrote:
>
> On 19/06/2015 02:48, Philippe Clérié wrote:
> > On 06/18/2015 01:38 PM, Nicolas C. wrote: 
> >> 
> >> Hello Philippe, 
> >> 
> >> Maybe the problem isn't on the servers sides. Keep in mind that, in 
> >> order to work, the CLIENT has to use the same identifier for DHCPv4 and 
> >> DHCPv6 transactions (RFC 4361). 
> > 
> > Ok! But I do not want the clients to update DNS. I want DHCP to take 
> > care of that. 
>
> When the DHCP server is doing the DDNS update, it has to authenticate 
> one way or the other the client. If not, what would happen if two
> clients were using the same hostname ? 
>
> This is called "conflict-detection" : the client provides a hostname and 
> an identifier (historically client-identifier with DHCPv4, DUID with 
> DHCPv6), the DHCP server provides an IP address to the client and it 
> does the DDNS work only after validating that there are no conflicts 
> (duplicates) with the hostname. 
>
> >> That means that the client must run a recent version of ISC-DHCP and the 
> >> DHCPv6 and DHCPv4 should be configured to both use the DUID as
> >> identifier. 
> >> 
> > Debian uses by default ISC's DHCP client. In this case version 4.3.1. 
> > That should be recent enough I think. Since I did nothing on the client 
> > side, and since my test clients are getting their addresses, static and 
> > dynamic, correctly assigned, I presume the clients are not the problem. 
>
> Yes but the correct use of the same identifier by both DHCPv4/6 client 
> is the answer to your problem. 
>
> Apparently, you need to use the "-i" option of "dhclient" : 
>
> "Use a DUID with DHCPv4 clients. If no DUID is available in the lease 
> file one will be constructed and saved. The DUID will be used to 
> construct a RFC4361 style client id that will be included in the 
> client’s messages. This client id can be overridden by setting a client 
> id in the configuration file. Overriding the client id in this fashion
> is discouraged." 
>
> >> This is not a problem for the DHCPv6 client but using the DUID instead 
> >> of the client-identifier on DHCPv4 may require some tweaking on the 
> >> client OS. 
> >> 
> >> If you understand French, I wrote an article and did a presentation on 
> >> this topic : 
> >> 
> >> https://conf-ng.jres.org/2013/planning.html#article_27 
> >> 
> > 
> > I took a quick look (I'm rushed! Got to take a plane tomorrow!). Anyway, 
> > it seems to me that you had to make up a solution and you did not use 
> > whatever built-in facility there is in the DHCP server. 
>
> We had to work around because our clients are mostly Windows workstations
> and printers. If we had only Linux Debian clients we would have used
> DHCPv4 + DHCPv6 as you are trying to do.
>
> One test that you can do is : 
>
>   - Configure the client with DHCPv4 only 
>   - See what records are added to the forward DNS zone (normally you'll 
> end up with one "A" holding the IPv4 address and one "TXT" holding the 
> hash of the DHCPv4 identifier) 
>   - Stop the DHCPv4 client, clean the records 
>   - Configure the client with DHCPv6 only 
>   - See what records are added to the forward DNS zone (normally you'll 
> end up with one "AAAA" holding the IPv6 address and one "TXT" holding 
> the hash of the DHCPv6 identifier) 
>
> Compare the content of the TXT record, it must be the same in both cases. 
>
> Regards, 
>
> Nicolas C. 
> _______________________________________________ 
> dhcp-users mailing list 
> dhcp-users at lists.isc.org 
> https://lists.isc.org/mailman/listinfo/dhcp-users 
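
The identifier mismatch discussed in this thread, as an added example that is not part of the original messages and is not ISC DHCP's code: it computes the RFC 4701 DHCID value (the record used with standard-style updates, where interim style uses the TXT record mentioned above) for one host identified three ways. The MAC, DUID and host name are constructed sample values, and treating a DHCPv4 client id that starts with 0xff as an RFC 4361 id carrying a DUID is the assumption behind `v4_identity`.

```python
import base64
import hashlib

# RFC 4701 identifier type codes and the SHA-256 digest type.
ID_CLIENT_ID = 0x0001      # DHCPv4 client identifier option data
ID_DUID = 0x0002           # DHCPv6 DUID, or DUID carried in an RFC 4361 client id
DIGEST_SHA256 = 1


def fqdn_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) DNS wire form of an FQDN."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dhcid(id_type: int, identifier: bytes, fqdn: str) -> str:
    """DHCID RDATA as base64: type code, digest type, SHA-256(identifier | FQDN)."""
    digest = hashlib.sha256(identifier + fqdn_wire(fqdn)).digest()
    rdata = id_type.to_bytes(2, "big") + bytes([DIGEST_SHA256]) + digest
    return base64.b64encode(rdata).decode("ascii")


def v4_identity(client_id: bytes):
    """Pick the RFC 4701 type code and identifier bytes for a DHCPv4 client id."""
    if client_id[0] == 0xFF:            # assumed RFC 4361 layout: 0xff, IAID, DUID
        return ID_DUID, client_id[5:]
    return ID_CLIENT_ID, client_id      # e.g. 0x01 + MAC (hardware-type client id)


# Constructed sample values, not taken from the thread.
MAC = bytes.fromhex("020000aabbcc")
DUID_LLT = bytes.fromhex("000100011cdef000") + MAC   # type 1, htype 1, time, MAC
FQDN = "host1.example.net."

mac_style_v4 = dhcid(*v4_identity(b"\x01" + MAC), FQDN)
rfc4361_v4 = dhcid(*v4_identity(b"\xff" + bytes(4) + DUID_LLT), FQDN)
v6 = dhcid(ID_DUID, DUID_LLT, FQDN)

if __name__ == "__main__":
    print("v4, MAC client id :", mac_style_v4)
    print("v4, RFC 4361 id   :", rfc4361_v4)
    print("v6, DUID          :", v6)
    print("v4/v6 match (MAC) :", mac_style_v4 == v6)
    print("v4/v6 match (DUID):", rfc4361_v4 == v6)
```

Only the RFC 4361 client id yields the same value as the DHCPv6 DUID; a MAC-based DHCPv4 client id hashes to a different record, which a conflict check reads as a different owner of the name.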

