Re: DHCP isn't updating DNS

2017-07-27 Thread Joshua Schaeffer

> You should consider moving towards "standard", but "interim"'s not a
> problem for now.
> https://deepthought.isc.org/article/AA-01091/0/ISC-DHCP-support-for-Standard-DDNS.html

I've actually made a few changes since I've posted this in trying to figure 
this out and I did change to standard. This appears to have not made any 
difference. DNS is still not getting updated, but I will definitely keep the 
setting at standard.
>
>>   allowclient-updates;
>
> I would recommend denying client-updates. This tells clients that they
> can do the DNS update themselves. Given that you're trying TSIGs below,
> that would mean deploying keys to all the clients etc etc. Better to
> "deny client-updates" and centralise the work through the DHCP server.

This was also a change I made. I definitely do not want (and do not allow) 
clients to update DNS, so I changed this to deny.
>
>
> Some other options I have are "update-static-leases on" (Make sure DNS
> is updated even for hosts with a static address) and "update-optimization
> on" (Actually, for debugging purposes, I had that off for a while. If
> it's off the DNS will be updated every time. If it's on, then the DNS
> won't be updated if the lease hasn't changed. If you're changing from
> 'interim' to 'standard' you definitely want this off to ensure the
> records get changed).

I saw these as well when I reread the dhcpd.conf man page, but haven't 
tried them yet. I'll give that a go.

>
> I'm assuming you've cut something out of your config here, but given the
> config above, there's nothing that applies the DDNS settings to hosts.
> The ddns-* settings should apply to everything in their current scope
> and below (so, if you've put them in your subnet6 block, for example,
> that should be fine).

Yes, I didn't include my entire conf file as it is a little long. Here is my 
subnet6 declaration that I've been focusing on:

subnet6 2620:5:e000:201e::/64 {
    default-lease-time 2419200;
    max-lease-time 2419200;

    # LDAP Servers.
    pool6 {
        allow members of "ldap_servers";
        range6 2620:5:e000:201e:0:1::/96;
    }
    # Kerberos Servers.
    pool6 {
        allow members of "krb5_servers";
        range6 2620:5:e000:201e:0:2::/96;
    }
    # DHCP Servers.
    pool6 {
        allow members of "dhcp_servers";
        range6 2620:5:e000:201e:0:3::/96;
    }
    # Puppet Servers.
    pool6 {
        allow members of "puppet_servers";
        range6 2620:5:e000:201e:0:4::/96;
    }
    # DNS Servers.
    pool6 {
        allow members of "dns_servers";
        range6 2620:5:e000:201e:0:5::/96;
    }
    # Catch-all DHCP group.
    pool6 {
        range6 2620:5:e000:201e:0:d::/96;
    }
}

In particular I've been testing with a client that gets added to the 
"dhcp_servers" class. I know the classification works as the client actually 
gets an IP address in the range specified; I just can't get DHCP to update 
the  and PTR records. Since all my subnets use the 
same ddns-* settings I don't specify this at the subnet or pool level, I just 
leave it in the top scope.

Thanks for your response,
Joshua Schaeffer


Re: DHCP isn't updating DNS

2017-07-26 Thread Darac Marjal

On Tue, Jul 25, 2017 at 10:43:45AM -0600, Joshua Schaeffer wrote:

  I'm having trouble getting my DHCPv6 server to update DNS and I'm not
  sure what I'm missing. From what I can tell I have everything setup
  and have tried numerous changes to the config file without success.
  Here is my named.conf.local file. I've tried allowing updates with
  both the update-policy and allow-update commands as well as through a
  key and just by IP address, but as far as I can tell the DHCP server
  isn't even attempting to communicate with the DNS server:

      root@blldns01:~# cat /etc/bind/named.conf.local
      //
      // Do any local configuration here
      //

      // Consider adding the 1918 zones here, if they are not used in your
      // organization
      include "/etc/bind/zones.rfc1918";
      include "/etc/bind/Kddns--rrs.+157+1.private";
      include "/etc/bind/Kddns-ptr-rrs.+157+1.private";

      key DHCP_UPDATER {
          algorithm HMAC-MD5.SIG-ALG.REG.INT;
          secret "==";
      };

      zone "appendata.net" in {
          type master;
          notify yes;
          file "/var/lib/bind/db.appendata.net";
          allow-update { 2620:5:e000:201e::4:1; };
      #    allow-update { key DHCP_UPDATER; };
      #    update-policy {
      #        grant "ddns--rrs" self *  TXT DHCID;
      #    };
      };

      zone "0.0.0.e.5.0.0.0.0.2.6.2.IP6.ARPA" in {
          type master;
          notify yes;
          file "/var/lib/bind/db.2620.5.e000";
          allow-update { 2620:5:e000:201e::4:1; };
      #    allow-update { key DHCP_UPDATER; };
      #    update-policy {
      #        grant "ddns-ptr-rrs" self * PTR TXT DHCID;
      #    };
      };

  In my dhcpd6.conf file I have my zones specified and have tried
  including the key file, declaring the key directly in the file, and
  simply not using the keys and just using IP based authentication.
  None of it has worked so far. I've also tried using primary and
  primary6 with the actual IP address in my zone declarations, but this
  hasn't made any difference:

      #
      # DDNS SETTINGS #
      #
      # The ddns-updates-style parameter controls whether or not the server will
      # attempt to do a DNS update when a lease is confirmed. We default to the
      # behavior of the version 2 packages ('none', since DHCP v2 didn't
      # have support for DDNS.)
      ddns-updates        on;
      ddns-update-style    interim;


You should consider moving towards "standard", but "interim"'s not a
problem for now.
https://deepthought.isc.org/article/AA-01091/0/ISC-DHCP-support-for-Standard-DDNS.html


      allow            client-updates;


I would recommend denying client-updates. This tells clients that they
can do the DNS update themselves. Given that you're trying TSIGs below,
that would mean deploying keys to all the clients etc etc. Better to
"deny client-updates" and centralise the work through the DHCP server.


      ddns-domainname        "appendata.net.";
      ddns-rev-domainname    "ip6.arpa.";
      do-forward-updates    on;


Some other options I have are "update-static-leases on" (Make sure DNS
is updated even for hosts with a static address) and "update-optimization
on" (Actually, for debugging purposes, I had that off for a while. If
it's off the DNS will be updated every time. If it's on, then the DNS
won't be updated if the lease hasn't changed. If you're changing from
'interim' to 'standard' you definitely want this off to ensure the
records get changed).



      # Include keys used to securely communicate with the DNS server.
      include            "/etc/keys/Kddns--rrs.+157+1.private";
      include            "/etc/keys/Kddns-ptr-rrs.+157+1.private";

      key DHCP_UPDATER {
          algorithm    HMAC-MD5.SIG-ALG.REG.INT;
          secret        "XXX==";
      };

      # Configuring zones for ddns-updates.
      zone appendata.net. {
          primary    ns1-int.appendata.net;
      #    primary6    2620:5:e000::a1;
      #    key    DHCP_UPDATER;            #  DNS key for RR's.
      }
      zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. {
          primary    ns1-int.appendata.net;
      #    primary6    2620:5:e000::a1;
      #    key    DHCP_UPDATER;            # PTR DNS key for RR's.
      }


I'm assuming you've cut something out of your config here, but given the
config above, there's nothing that applies the DDNS settings to hosts.
The ddns-* settings should apply to everything in their current scope
and below (so, if you've put them in your subnet6 block, for example,
that should be fine).



  I've tried putting various options and declarations in different
  scopes, but none of it has worked. The DHCP server gives out an IP
  address just fine, but it doesn't look like it is even trying to
  update the  and PTR records.

      Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Solicit message from
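
As an added example (not from either poster), here is the pair of configurations that the advice in this reply leads to: standard update style, client updates denied, and one TSIG key shared by dhcpd and named so that the zones no longer trust a bare source address. It assumes ISC DHCP 4.3+ (for the standard style) and BIND 9, both of which accept hmac-sha256; the secret is a placeholder and the server address is the one from the commented primary6 line above.

```conf
# --- /etc/dhcp/dhcpd6.conf, global scope (ISC DHCP 4.3+ assumed) ---
ddns-updates on;
ddns-update-style standard;      # "interim" still works but "standard" is current
deny client-updates;             # the DHCP server does every update; no keys on clients
update-static-leases on;         # register fixed-address hosts too
update-optimization off;         # re-send updates even when the lease is unchanged
ddns-domainname "appendata.net.";
ddns-rev-domainname "ip6.arpa.";
do-forward-updates on;

# One TSIG key for both zones. The secret is a placeholder; generate a real one.
key DHCP_UPDATER {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

# Each zone names its primary by address and the key used to sign updates.
zone appendata.net. {
    primary6 2620:5:e000::a1;
    key DHCP_UPDATER;
}
zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. {
    primary6 2620:5:e000::a1;
    key DHCP_UPDATER;
}

// --- /etc/bind/named.conf.local on ns1-int (BIND 9 assumed) ---
key "DHCP_UPDATER" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // must match dhcpd6.conf exactly
};

zone "appendata.net" in {
    type master;
    file "/var/lib/bind/db.appendata.net";
    // Accept updates only when signed with the key, never by source address alone.
    allow-update { key DHCP_UPDATER; };
};

zone "0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa" in {
    type master;
    file "/var/lib/bind/db.2620.5.e000";
    allow-update { key DHCP_UPDATER; };
};
```

Before restarting dhcpd, a signed `nsupdate -k` run from the DHCP host against ns1-int confirms that the key and allow-update are accepted independently of dhcpd.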
  

DHCP isn't updating DNS

2017-07-25 Thread Joshua Schaeffer
I'm having trouble getting my DHCPv6 server to update DNS and I'm not sure what 
I'm missing. From what I can tell I have everything setup and have tried 
numerous changes to the config file without success. Here is my 
named.conf.local file. I've tried allowing updates with both the update-policy 
and allow-update commands as well as through a key and just by IP address, but 
as far as I can tell the DHCP server isn't even attempting to communicate with 
the DNS server:

root@blldns01:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
include "/etc/bind/Kddns--rrs.+157+1.private";
include "/etc/bind/Kddns-ptr-rrs.+157+1.private";

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "==";
};

zone "appendata.net" in {
    type master;
    notify yes;
    file "/var/lib/bind/db.appendata.net";
    allow-update { 2620:5:e000:201e::4:1; };
#    allow-update { key DHCP_UPDATER; };
#    update-policy {
#        grant "ddns--rrs" self *  TXT DHCID;
#    };
};

zone "0.0.0.e.5.0.0.0.0.2.6.2.IP6.ARPA" in {
    type master;
    notify yes;
    file "/var/lib/bind/db.2620.5.e000";
    allow-update { 2620:5:e000:201e::4:1; };
#    allow-update { key DHCP_UPDATER; };
#    update-policy {
#        grant "ddns-ptr-rrs" self * PTR TXT DHCID;
#    };
};

In my dhcpd6.conf file I have my zones specified and have tried including the 
key file, declaring the key directly in the file, and simply not using the keys 
and just using IP based authentication. None of it has worked so far. I've also 
tried using primary and primary6 with the actual IP address in my zone 
declarations, but this hasn't made any difference:

#
# DDNS SETTINGS #
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-updates on;
ddns-update-style interim;
allow client-updates;
ddns-domainname "appendata.net.";
ddns-rev-domainname "ip6.arpa.";
do-forward-updates on;

# Include keys used to securely communicate with the DNS server.
include "/etc/keys/Kddns--rrs.+157+1.private";
include "/etc/keys/Kddns-ptr-rrs.+157+1.private";

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "XXX==";
};

# Configuring zones for ddns-updates.
zone appendata.net. {
    primary ns1-int.appendata.net;
#    primary6 2620:5:e000::a1;
#    key DHCP_UPDATER;            #  DNS key for RR's.
}
zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. {
    primary ns1-int.appendata.net;
#    primary6 2620:5:e000::a1;
#    key DHCP_UPDATER;            # PTR DNS key for RR's.
}

I've tried putting various options and declarations in different scopes, but 
none of it has worked. The DHCP server gives out an IP address just fine, but 
it doesn't look like it is even trying to update the  and PTR records.

Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Solicit message from 
fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x9D08B00
Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Picking pool address 
2620:5:e000:201e:0:1:b41e:f2fe
Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Advertise NA: address 
2620:5:e000:201e:0:1:b41e:f2fe to client with duid 
00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 
seconds
Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Sending Advertise to 
fe80::216:3eff:fe32:2d49 port 546
Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Request message from 
fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x6C757900
Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Reply NA: address 
2620:5:e000:201e:0:1:b41e:f2fe to client with duid 
00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 
seconds
Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Sending Reply to 
fe80::216:3eff:fe32:2d49 port 546

And there is nothing in DNS's logs, even when set to DEBUG. Can anybody see 
what I'm missing? If I sniff the wire I can see that there isn't any 
communication between my DHCP and DNS servers, so I don't think it's a firewall 
setting as it's not even getting that far.

Thanks,
Joshua Schaeffer