[Kea-users] kea not updating bind9
Doug Freed
dwfreed at isc.org
Tue Sep 23 07:05:40 UTC 2025
On 9/22/25 17:49, Charles Curley wrote:
> I have a new installation of Debian 13 (trixie), and I am bringing up
> kea (2.6.3-1) and bind9 (1:9.20.11-4). These are the versions packaged
> with Debian 13.
>
> I believe kea is handing out IPv4 addresses successfully. They show up
> in the two leases files at /var/lib/kea/kea-leases4.csv*.
>
> I have bind9 working. What I don't have working is kea updating
> bind9. I get stanzas like the following:
>
> --------------------------------------------------
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: The request has been discarded.
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
> Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: The request has been discarded.
> --------------------------------------------------
>
> Meanwhile bind9 is silent.
>
>
> Partial bind9:
> --------------------------------------------------
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
> };
>
> key "rndc_key" {
>     algorithm hmac-md5;
>     secret "<redacted>";
> };
>
> key "tsig-key" {
>     algorithm hmac-sha256;
>     secret "<redacted>";
> };
>
> …
>
> zone "localdomain" IN {
>     type master;
>     file "/var/cache/bind/sites/localdomain/forward.zone";
>     allow-transfer { 127.0.0.1; 192.168.100.6; 192.168.100.16;};
>     # allow-update { key "rndc_key"; };
>     allow-update { key "tsig-key"; };
>     zone-statistics yes;
>     notify no;
>     # also-notify { };
> };
> --------------------------------------------------
>
> Partial kea-dhcp-ddns.conf
> --------------------------------------------------
> "DhcpDdns":
> {
>     "ip-address": "127.0.0.1",
>     "port": 53001,
>     "control-socket": {
>         "socket-type": "unix",
>         "socket-name": "kea-ddns-ctrl-socket"
>     },
>     "tsig-keys": [
>         { "name": "tsig-key",
>           "algorithm": "hmac-sha256",
>           "secret": "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=" }
>     ],
>     "forward-ddns" : {
>         "ddns-domains" : [
>             {
>                 "name": "localdomain",
>                 "key-name": "tsig-key",
>                 "dns-servers": [
>                     { "ip-address": "192.168.100.12" }
>                 ]
>             }
>         ]
>     },
>     "reverse-ddns" : {
>         "ddns-domains" : [
>             {
>                 "name": "100.168.192.in-addr.arpa.",
>                 "key-name": "tsig-key",
>                 "dns-servers": [
>                     { "ip-address": "192.168.100.12" }
>                 ]
>             }
>         ]
>     },
> --------------------------------------------------
>
>

Kea does not use DNS-aware name comparisons, but simple case-insensitive
string comparisons, when attempting to locate a matching domain in your
configuration for a DDNS update request. FQDNs in update requests will
always end with a trailing period, but your domain name in your DDNS
config does not, which is what's causing the error.

Note that while you redacted your TSIG key from your BIND config before
posting, you did not do the same for your DDNS config. Since you're
using RFC 1918 IP addresses, this may not be a real concern, but I
thought I'd point it out just in case.

-Doug
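
Added example, not part of the original message and not Kea's own code: a small lint that models the comparison described above as a plain case-insensitive string suffix match, and flags `ddns-domains` names that lack the trailing period. The sample configuration is constructed to mirror the posted one (with a placeholder secret); the function names and the label-boundary suffix rule are assumptions made for this illustration.

```python
import json

# Constructed sample mirroring the posted kea-dhcp-ddns.conf layout.
# The secret is a placeholder, not a real key.
SAMPLE_CONFIG = """
{ "DhcpDdns": {
    "tsig-keys": [
      {"name": "tsig-key", "algorithm": "hmac-sha256", "secret": "<placeholder>"}
    ],
    "forward-ddns": {"ddns-domains": [
      {"name": "localdomain", "key-name": "tsig-key",
       "dns-servers": [{"ip-address": "192.168.100.12"}]}
    ]},
    "reverse-ddns": {"ddns-domains": [
      {"name": "100.168.192.in-addr.arpa.", "key-name": "tsig-key",
       "dns-servers": [{"ip-address": "192.168.100.12"}]}
    ]}
} }
"""

def domain_names(config, section):
    """Return the configured ddns-domains names for one section."""
    block = config["DhcpDdns"].get(section, {})
    return [d["name"] for d in block.get("ddns-domains", [])]

def match_domain(fqdn, names):
    """Model of the match: plain case-insensitive string comparison, with no
    DNS normalisation of the trailing period. Longest matching name wins."""
    fqdn_l, best = fqdn.lower(), None
    for name in names:
        n = name.lower()
        if fqdn_l == n or fqdn_l.endswith("." + n):
            if best is None or len(name) > len(best):
                best = name
    return best

def lint(config):
    """List (section, name) pairs that can never match a dot-terminated FQDN."""
    problems = []
    for section in ("forward-ddns", "reverse-ddns"):
        for name in domain_names(config, section):
            # "*" is the wildcard domain name and needs no trailing period.
            if name != "*" and not name.endswith("."):
                problems.append((section, name))
    return problems

if __name__ == "__main__":
    cfg = json.loads(SAMPLE_CONFIG)
    for section, name in lint(cfg):
        print(f'{section}: "{name}" has no trailing period; use "{name}."')
```
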