<div dir="ltr"><div><div><div><div><div><div>Finally: I'm still not sure what is wrong, but I'd forgotten about changing, as suggested, the [allow-update { any; };] from "key" to "any". [Thanks Glenn S.]<br>
<br></div>Changing it to "any" fixed it. <br><br>So, clearly there is something borked about the key, but what?<br></div>How could updates work for the somedom.local zone - using the same options, but fail for the reverse zone?<br>
<br></div>If the key was bad, it should fail creating the forward map, as well as the reverse?<br><br></div>Jeepers!!!<br><br></div>So, now that we know it is key related, any tips on how to trouble-shoot and identify what's going wrong?<br>
<br></div>-Greg<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 24, 2013 at 9:41 AM, Gregory Sloop <span dir="ltr"><<a href="mailto:gregs@sloop.net" target="_blank">gregs@sloop.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Continuing top posting.<br>
<br>
So, just to start fresh - I blew away all the BIND data - the journal<br>
files etc. Same with DHCPd. [everything in /var/lib/bind and<br>
/var/lib/dhcp]<br>
<br>
Recreated the named.conf and named.conf.local<br>
Recreated the zone files.<br>
<br>
Recreated the dhcpd.conf<br>
<br>
I moved the key [as suggested] to above the "include" statements in the named.conf<br>
---<br>
<br>
Started just BIND.<br>
<br>
Then did some tests, working with reverses.<br>
<br>
---<br>
nsupdate -k /etc/bind/rndc.key<br>
server 10.1.0.5<br>
zone 0.1.10.in-addr.arpa<br>
update add 4.0.1.10.in-addr.arpa 60 PTR blah2.somedom.local.<br>
send<br>
<br>
host 10.1.0.4<br>
> "4.0.1.10.in-addr.arpa domain name pointer blah2.somedom.local."<br>
<br>
nsupdate -k /etc/bind/rndc.key<br>
server 10.1.0.5<br>
zone 0.1.10.in-addr.arpa<br>
update delete 4.0.1.10.in-addr.arpa<br>
send<br>
<br>
root@dns-dhcp-01:/etc/dhcp# host 10.8.20.4<br>
Host 4.20.8.10.in-addr.arpa. not found: 3(NXDOMAIN)<br>
---<br>
<br>
So, I can create/remove/update the reverse zone fine.<br>
<br>
Then I start dhcpd again and grab a lease. Same issue. DHCPd reports I<br>
can create the forward fine, but the reverse times out.<br>
<br>
The key in rndc.key, as well as in DHCPd.conf and named.conf are all<br>
identical.<br>
<br>
---<br>
Things I've tried since my last post:<br>
-Changing the quoting of the key in named.conf<br>
-Changing the [key "rndc-key"] to [key rndc-key] in dhcpd.conf<br>
-Changing to a 128bit key instead of 512. [HMAC/MD5 in both cases]<br>
-Verify that the key in the file "rndc.key" as well as the keys in<br>
named.conf and dhcpd.conf are all truly the same. They are.<br>
<br>
None of these seem to resolve the issue.<br>
<br>
---<br>
Can someone give some pointers? I'm totally baffled!<br>
<br>
I'm glad to give any needed information - but nothing has really<br>
changed in the conf files given below.<br>
<br>
Thanks!<br>
-Greg<br>
<br>
---<br>
GS> Hi Greg<br>
<br>
GS> It's not something like moving the rndc-key definition so that it is<br>
GS> before you include named.conf.local?<br>
<br>
GS> Otherwise there are example configs in the dhcpd.conf man page, scroll<br>
GS> down to DYNAMIC DNS section. The only difference I can see is that the key<br>
GS> does not have quotes around the value. Though if the forward map is<br>
GS> working then I don't think this would be the problem.<br>
<br>
GS> Can you update the zone using nsupdate and the key? This might give you a<br>
GS> better error message.<br>
<br>
GS> Another test is to temporarily configure bind to allow update from the<br>
GS> dhcp server's ip address. This will eliminate the key as a problem. Bind<br>
GS> seems to silently ignore updates which use the wrong key, so double check<br>
GS> the key is the same in named.conf and dhcpd.conf.<br>
<br>
GS> regards,<br>
GS> -glenn<br>
<br>
GS> named.conf<br>
GS> ---<br>
GS> include "/etc/bind/named.conf.options";<br>
GS> include "/etc/bind/named.conf.local";<br>
GS> include "/etc/bind/named.conf.default-zones";<br>
<br>
GS> #512 bit key<br>
GS> key "rndc-key" {<br>
<br>
GS> On Wed, July 24, 2013 3:39 pm, Greg Sloop <<a href="mailto:gregs@sloop.net">gregs@sloop.net</a>> wrote:<br>
>> I'm about to go insane. It's probably an obvious problem, but for the life<br>
>> of me, I can't find it.<br>
>><br>
>> I'm trying to setup Bind9 + DHCPd + DDNS (forward and reverses)<br>
>> I've got DHCP working for multiple subnets etc, and doing BIND DDNS<br>
>> updates, at least for forward records.<br>
>><br>
>> I get the following in the logs:<br>
>> ---<br>
>> Jul 23 20:17:17 dns-dhcp-01 dhcpd: Added new forward map from<br>
>> ABCD-R61.somedom.local to 10.1.0.221<br>
>> Jul 23 20:17:18 dns-dhcp-01 dhcpd: unable to add reverse map from<br>
>> 221.0.1.10.in-addr.arpa. to ABCD-R61.somedom.local: timed out<br>
>> ---<br>
>><br>
>> Turning up the verbosity level in BIND to debug doesn't produce anything<br>
>> useful I can find. The DHCP logs don't shed any more light on things<br>
>> either.<br>
>> [Perhaps it does produce useful stuff but, if so, I can not find it.]<br>
>><br>
>> Here's the environment.<br>
>> Ubuntu 12.04 [Running in a VM, with the eth interface bridged - though it<br>
>> shouldn't matter, it's VirtualBox]<br>
>> DHCPd 4.1-R4<br>
>> BIND 9.8.1-P1<br>
>> Both standard Ubuntu packages, installed from the Ubuntu repositories.<br>
>><br>
>> Here are my configs:<br>
>> ---<br>
>> /etc/bind/named.conf.local<br>
>> ---<br>
>> // Do any local configuration here<br>
>> //<br>
>><br>
>> // Consider adding the 1918 zones here, if they are not used in your<br>
>> // organization<br>
>> //include "/etc/bind/zones.rfc1918";<br>
>><br>
>> acl "local-nets" {<br>
>> <a href="http://10.1.0.0/22" target="_blank">10.1.0.0/22</a>;<br>
>> };<br>
>><br>
>> acl "dns-dhcp-servers" {<br>
>> 10.1.0.5; 10.1.0.6;<br>
>> };<br>
>><br>
>> zone "somedom.local" {<br>
>> type master;<br>
>> file "/var/lib/bind/somedom.local.hosts";<br>
>> // update-policy { grant rndc-key zonesub ANY; };<br>
>> allow-update { key rndc-key; };<br>
>> };<br>
>><br>
>> zone "0.1.10.in-addr.arpa" {<br>
>> type master;<br>
>> file "/var/lib/bind/10.1.0.rev";<br>
>> //update-policy { grant rndc-key zonesub ANY; };<br>
>> allow-update { key rndc-key; };<br>
>> allow-query { any; };<br>
>> };<br>
>><br>
>> zone "1.1.10.in-addr.arpa" {<br>
>> type master;<br>
>> file "/var/lib/bind/10.1.1.rev";<br>
>> //update-policy { grant rndc-key zonesub ANY; };<br>
>> allow-update { key rndc-key; };<br>
>> };<br>
>><br>
>> zone "2.1.10.in-addr.arpa" {<br>
>> type master;<br>
>> file "/var/lib/bind/10.1.2.rev";<br>
>> //update-policy { grant rndc-key zonesub ANY; };<br>
>> allow-update { key rndc-key; };<br>
>> };<br>
>><br>
>> logging {<br>
>> channel default_file {<br>
>> file "/var/log/named/default.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel general_file {<br>
>> file "/var/log/named/general.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel database_file {<br>
>> file "/var/log/named/database.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel security_file {<br>
>> file "/var/log/named/security.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel config_file {<br>
>> file "/var/log/named/config.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel resolver_file {<br>
>> file "/var/log/named/resolver.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel xfer-in_file {<br>
>> file "/var/log/named/xfer-in.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel xfer-out_file {<br>
>> file "/var/log/named/xfer-out.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel notify_file {<br>
>> file "/var/log/named/notify.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel client_file {<br>
>> file "/var/log/named/client.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel unmatched_file {<br>
>> file "/var/log/named/unmatched.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel queries_file {<br>
>> file "/var/log/named/queries.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel network_file {<br>
>> file "/var/log/named/network.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel update_file {<br>
>> file "/var/log/named/update.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel dispatch_file {<br>
>> file "/var/log/named/dispatch.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel dnssec_file {<br>
>> file "/var/log/named/dnssec.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>> channel lame-servers_file {<br>
>> file "/var/log/named/lame-servers.log" versions 3 size 5m;<br>
>> //severity dynamic;<br>
>> severity debug 3;<br>
>> print-time yes;<br>
>> };<br>
>><br>
>> category default { default_file; };<br>
>> category general { general_file; };<br>
>> category database { database_file; };<br>
>> category security { security_file; };<br>
>> category config { config_file; };<br>
>> category resolver { resolver_file; };<br>
>> category xfer-in { xfer-in_file; };<br>
>> category xfer-out { xfer-out_file; };<br>
>> category notify { notify_file; };<br>
>> category client { client_file; };<br>
>> category unmatched { unmatched_file; };<br>
>> category queries { queries_file; };<br>
>> category network { network_file; };<br>
>> category update { update_file; };<br>
>> category dispatch { dispatch_file; };<br>
>> category dnssec { dnssec_file; };<br>
>> category lame-servers { lame-servers_file; };<br>
>> };<br>
>><br>
>> ---<br>
>> The zone file for the problem zone above. [There are three zones, but I'm<br>
>> having the problem in this zone I haven't tested the others, but if I get<br>
>> this zone working, I'm sure the others will work too. So I'll just give<br>
>> this one zone.]<br>
>> *** /var/lib/bind/10.1.0.rev<br>
>> ---<br>
>> ;#/var/lib/bind/10.1.0.rev<br>
>> $ttl 38400<br>
>> 0.1.10.in-addr.arpa. IN SOA dns-dhcp-01. <a href="http://root.somedom.com" target="_blank">root.somedom.com</a>. (<br>
>> <a href="tel:2013072301" value="+12013072301">2013072301</a> ;serial<br>
>> 10800 ;slave-refresh, 3h<br>
>> 3600 ;slave-retry, update, 1h<br>
>> 604800 ;slave-expire, 7d<br>
>> 120 ;minimum [negative response TTL], 2m<br>
>> )<br>
>> 0.1.10.in-addr.arpa. IN NS dns-dhcp-01.somedom.local.<br>
>> 0.1.10.in-addr.arpa. IN NS dns-dhcp-02.somedom.local.<br>
>><br>
>> ---<br>
>><br>
>> *** The DHCPd.conf file<br>
>> ---<br>
>> authoritative;<br>
>><br>
>> key "rndc-key" {<br>
>> algorithm hmac-md5;<br>
>> secret "SOMESECRET";<br>
>> };<br>
>><br>
>> ddns-update-style interim;<br>
>> ddns-domainname "somedom.local";<br>
>><br>
>> log-facility local7;<br>
>> log debug;<br>
>><br>
>> option time-offset -18000; # Pacific Standard Time<br>
>> one-lease-per-client off;<br>
>><br>
>> use-host-decl-names on;<br>
>> option ntp-servers time.somedom.local;<br>
>> option time-servers time.somedom.local;<br>
>> option domain-name-servers 10.1.0.5, 10.1.0.6;<br>
>> option domain-name "somedom.local";<br>
>> option netbios-name-servers 10.1.0.17;<br>
>> option routers 10.1.0.190;<br>
>><br>
>> #1h lease<br>
>> default-lease-time 3600;<br>
>> max-lease-time 3600;<br>
>> option ip-forwarding off;<br>
>><br>
>> zone somedom.local. {<br>
>> primary 10.1.0.5;<br>
>> key rndc-key;<br>
>> }<br>
>><br>
>> zone 0.1.10.in-addr.arpa. {<br>
>> primary 10.1.0.5;<br>
>> key rndc-key;<br>
>> }<br>
>><br>
>> zone 1.1.10.in-addr.arpa. {<br>
>> primary 10.1.0.5;<br>
>> key rndc-key;<br>
>> }<br>
>><br>
>> zone 2.1.10.in-addr.arpa. {<br>
>> primary 10.1.0.5;<br>
>> key rndc-key;<br>
>> }<br>
>><br>
>> # Subnet for internal hosts<br>
>> subnet 10.1.0.0 netmask 255.255.255.0 {<br>
>> option routers 10.1.0.190;<br>
>> option subnet-mask 255.255.255.0;<br>
>><br>
>> # block unknowns for .60 - .113<br>
>> pool {<br>
>> range 10.1.0.60 10.1.0.113;<br>
>> allow unknown-clients;<br>
>> }<br>
>> # block unknowns for 10.1.0.114 - .115<br>
>> pool {<br>
>> range 10.1.0.114 10.1.0.114;<br>
>> deny unknown-clients;<br>
>> }<br>
>> # allow unknowns for 10.1.0.115 - .153<br>
>> pool {<br>
>> range 10.1.0.115 10.1.0.153;<br>
>> allow unknown-clients;<br>
>> }<br>
>> # block unknowns for 10.1.0.154 - .194<br>
>> pool {<br>
>> range 10.1.0.154 10.1.0.194;<br>
>> deny unknown-clients;<br>
>> }<br>
>> # allow unknowns for 10.1.0.195 - .222<br>
>> pool {<br>
>> range 10.1.0.195 10.1.0.222;<br>
>> allow unknown-clients;<br>
>> }<br>
>> # block unknowns for 10.1.0.223 - .254<br>
>> pool {<br>
>> range 10.1.0.223 10.1.0.254;<br>
>> deny unknown-clients;<br>
>> }<br>
>> }<br>
>><br>
>> subnet 10.1.1.0 netmask 255.255.255.0 {<br>
>> option routers 10.1.1.1;<br>
>> option subnet-mask 255.255.255.0;<br>
>> pool {<br>
>> #failover peer "dhcp-failover";<br>
>> max-lease-time 14400;<br>
>> range 10.1.1.21 10.1.1.240;<br>
>> allow unknown-clients;<br>
>> }<br>
>> }<br>
>><br>
>> subnet 10.1.2.0 netmask 255.255.255.0 {<br>
>> option routers 10.1.2.1;<br>
>> option subnet-mask 255.255.255.0;<br>
>> pool {<br>
>> #failover peer "dhcp-failover";<br>
>> max-lease-time 14400;<br>
>> range 10.1.2.50 10.1.2.250;<br>
>> allow unknown-clients;<br>
>> }<br>
>> }<br>
>><br>
>><br>
>> ---<br>
>> named.conf<br>
>> ---<br>
>> include "/etc/bind/named.conf.options";<br>
>> include "/etc/bind/named.conf.local";<br>
>> include "/etc/bind/named.conf.default-zones";<br>
>><br>
>> #512 bit key<br>
>> key "rndc-key" {<br>
>> algorithm hmac-md5;<br>
>> secret "SOMESECRET";<br>
>> };<br>
>><br>
>> controls {<br>
>> inet 127.0.0.1 port 953<br>
>> allow { 127.0.0.1; } keys { "rndc-key"; };<br>
>><br>
>> inet 10.1.0.5 port 953<br>
>> allow { 127.0.0.1; } keys { "rndc-key"; };<br>
>> };<br>
>> ---<br>
>><br>
>> To keep the clutter down, I won't give any more config files:<br>
>> But syntax checks of both the BIND and DHCPd config files is clean, and<br>
>> both BIND and DHCPd appear to load and run fine.<br>
>> The only problem I have is the failed [timed out] problem for creating the<br>
>> PTR record for the reverse.<br>
>><br>
>> I've spent hours on this, looking the docs, examples, google-foo, and<br>
>> more.<br>
>> I'm quite sure it's something stupid, but as I said above, I can't find it<br>
>> and I'm desperate!<br>
>><br>
>> TIA<br>
>> -Greg<br>
>> _______________________________________________<br>
>> dhcp-users mailing list<br>
>> <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
>> <a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><br>
<br>
<br>
GS> _______________________________________________<br>
GS> dhcp-users mailing list<br>
GS> <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
GS> <a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><br>
<br>
<br>
_______________________________________________<br>
dhcp-users mailing list<br>
<a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><br>
</blockquote></div><br></div>