Re: DHCP isn't updating DNS
> You should consider moving towards "standard", but "interim"'s not a > problem for now. > https://deepthought.isc.org/article/AA-01091/0/ISC-DHCP-support-for-Standard-DDNS.html I've actually made a few changes since I've posted this in trying to figure this out and I did change to standard. This appears to have not made any difference. DNS is still not getting updated, but I will definitely keep the setting at standard. > >> allowclient-updates; > > I would recommend denying client-updates. This tells clients that they > can do the DNS update themselves. Given that you're trying TSIGs below, > that would mean deploying keys to all the clients etc etc. Better to > "deny client-updates" and centralise the work through the DHCP server. This was also a change I made. I definitely do not want (and do not allow) clients to update DNS, so I changed this to deny. > > > Some other options I have are "update-static-leases on" (Make sure DNS > is updated even for hosts with a static address) "update-optimization > on" (Actually, for debugging purposes, I had that off for a while. If > it's off the DNS will be updated every time. If it's on, then the DNS > won't be updated if the lease hasn't changed. If you're changing from > 'interim' to 'standard' you definitely want this off to ensure the > records get changed). I saw these as well when I reread through the dhcpd.conf man page, but haven't tried them yet. I'll give that a go. > > I'm assuming you've cut something out of your config here, but given the > config above, there's nothing that applies the DDNS settings to hosts. > The ddns-* settings should apply to everything in their current scope > and below (so, if you've put them in your subnet6 block, for example, > that should be fine). Yes I didn't include my entire conf file as it is a little long. Here is my subnet6 declaration that I've been focusing on: subnet6 2620:5:e000:201e::/64 { default-lease-time2419200; max-lease-time2419200; # LDAP Servers. pool6 { allow members of "ldap_servers"; range6 2620:5:e000:201e:0:1::/96; } # Kerberos Servers. pool6 { allow members of "krb5_servers"; range6 2620:5:e000:201e:0:2::/96; } # DHCP Servers. pool6 { allow members of "dhcp_servers"; range6 2620:5:e000:201e:0:3::/96; } # Puppet Servers. pool6 { allow members of "puppet_servers"; range6 2620:5:e000:201e:0:4::/96; } # DNS Servers. pool6 { allow members of "dns_servers"; range6 2620:5:e000:201e:0:5::/96; } # Catch-all DHCP group. pool6 { range6 2620:5:e000:201e:0:d::/96; } } In particular I've been testing with a client that gets added to the "dhcp_servers" class. I know the classification works as the client actually gets an IP address in the the range specified, I just can't get DHCP to update the DNS servers with the and PTR records. Since all my subnet's use the same ddns-* settings I don't specify this at the subnet or pool level, I just leave it in the top scope. Thanks for your response, Joshua Schaeffer
Re: DHCP isn't updating DNS
On Tue, Jul 25, 2017 at 10:43:45AM -0600, Joshua Schaeffer wrote: I'm having trouble getting my DHCPv6 server to update DNS and I'm not sure what I'm missing. From what I can tell I have everything setup and have tried numerous changes to the config file without success. Here is my named.conf.local file. I've tried allowing updates with both the update-policy and allow-update commands as well as through a key and just by IP address, but as far as I can tell the DHCP server isn't even attempting to communicate with the DNS server: root@blldns01:~# cat /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization include "/etc/bind/zones.rfc1918"; include "/etc/bind/Kddns--rrs.+157+1.private"; include "/etc/bind/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "=="; }; zone "appendata.net" in { type master; notify yes; file "/var/lib/bind/db.appendata.net"; allow-update { 2620:5:e000:201e::4:1; }; # allow-update { key DHCP_UPDATER; }; # update-policy { # grant "ddns--rrs" self * TXT DHCID; # }; }; zone "0.0.0.e.5.0.0.0.0.2.6.2.IP6.ARPA" in { type master; notify yes; file "/var/lib/bind/db.2620.5.e000"; allow-update { 2620:5:e000:201e::4:1; }; # allow-update { key DHCP_UPDATER; }; # update-policy { # grant "ddns-ptr-rrs" self * PTR TXT DHCID; # }; }; In my dhcpd6.conf file I have my zones specified and have tried including the key file, declaring the key directly in the file, and simply not using the keys and just using IP based authentication. None of it has worked so far. I've also tried using primary and primary6 with the actual IP address in my zone declarations, but this hasn't made any difference: # # DDNS SETTINGS # # # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the # behavior of the version 2 packages ('none', since DHCP v2 didn't # have support for DDNS.) ddns-updates on; ddns-update-style interim; You should consider moving towards "standard", but "interim"'s not a problem for now. https://deepthought.isc.org/article/AA-01091/0/ISC-DHCP-support-for-Standard-DDNS.html allow client-updates; I would recommend denying client-updates. This tells clients that they can do the DNS update themselves. Given that you're trying TSIGs below, that would mean deploying keys to all the clients etc etc. Better to "deny client-updates" and centralise the work through the DHCP server. ddns-domainname "appendata.net."; ddns-rev-domainname "ip6.arpa."; do-forward-updates on; Some other options I have are "update-static-leases on" (Make sure DNS is updated even for hosts with a static address) "update-optimization on" (Actually, for debugging purposes, I had that off for a while. If it's off the DNS will be updated every time. If it's on, then the DNS won't be updated if the lease hasn't changed. If you're changing from 'interim' to 'standard' you definitely want this off to ensure the records get changed). # Include keys used to securely communicate with the DNS server. include "/etc/keys/Kddns--rrs.+157+1.private"; include "/etc/keys/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "XXX=="; }; # Configuring zones for ddns-updates. zone appendata.net. { primary ns1-int.appendata.net; # primary6 2620:5:e000::a1; # key DHCP_UPDATER; # DNS key for RR's. } zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. { primary ns1-int.appendata.net; # primary6 2620:5:e000::a1; # key DHCP_UPDATER; # PTR DNS key for RR's. } I'm assuming you've cut something out of your config here, but given the config above, there's nothing that applies the DDNS settings to hosts. The ddns-* settings should apply to everything in their current scope and below (so, if you've put them in your subnet6 block, for example, that should be fine). I've tried putting various options and declarations in different scopes, but none of it has worked. The DHCP server gives out an IP address just fine, but it doesn't look like it is even trying to update the and PTR records. Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Solicit message from
DHCP isn't updating DNS
I'm having trouble getting my DHCPv6 server to update DNS and I'm not sure what I'm missing. From what I can tell I have everything setup and have tried numerous changes to the config file without success. Here is my named.conf.local file. I've tried allowing updates with both the update-policy and allow-update commands as well as through a key and just by IP address, but as far as I can tell the DHCP server isn't even attempting to communicate with the DNS server: root@blldns01:~# cat /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization include "/etc/bind/zones.rfc1918"; include "/etc/bind/Kddns--rrs.+157+1.private"; include "/etc/bind/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "=="; }; zone "appendata.net" in { type master; notify yes; file "/var/lib/bind/db.appendata.net"; allow-update { 2620:5:e000:201e::4:1; }; #allow-update { key DHCP_UPDATER; }; #update-policy { #grant "ddns--rrs" self * TXT DHCID; #}; }; zone "0.0.0.e.5.0.0.0.0.2.6.2.IP6.ARPA" in { type master; notify yes; file "/var/lib/bind/db.2620.5.e000"; allow-update { 2620:5:e000:201e::4:1; }; #allow-update { key DHCP_UPDATER; }; #update-policy { #grant "ddns-ptr-rrs" self * PTR TXT DHCID; #}; }; In my dhcpd6.conf file I have my zones specified and have tried including the key file, declaring the key directly in the file, and simply not using the keys and just using IP based authentication. None of it has worked so far. I've also tried using primary and primary6 with the actual IP address in my zone declarations, but this hasn't made any difference: # # DDNS SETTINGS # # # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the # behavior of the version 2 packages ('none', since DHCP v2 didn't # have support for DDNS.) ddns-updateson; ddns-update-styleinterim; allowclient-updates; ddns-domainname"appendata.net."; ddns-rev-domainname"ip6.arpa."; do-forward-updateson; # Include keys used to securely communicate with the DNS server. include"/etc/keys/Kddns--rrs.+157+1.private"; include"/etc/keys/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithmHMAC-MD5.SIG-ALG.REG.INT; secret"XXX=="; }; # Configuring zones for ddns-updates. zone appendata.net. { primaryns1-int.appendata.net; #primary62620:5:e000::a1; #keyDHCP_UPDATER;# DNS key for RR's. } zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. { primaryns1-int.appendata.net; #primary62620:5:e000::a1; #keyDHCP_UPDATER;# PTR DNS key for RR's. } I've tried putting various options and declarations in different scopes, but none of it has worked. The DHCP server gives out an IP address just fine, but it doesn't look like it is even trying to update the and PTR records. Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Solicit message from fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x9D08B00 Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Picking pool address 2620:5:e000:201e:0:1:b41e:f2fe Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Advertise NA: address 2620:5:e000:201e:0:1:b41e:f2fe to client with duid 00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 seconds Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Sending Advertise to fe80::216:3eff:fe32:2d49 port 546 Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Request message from fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x6C757900 Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Reply NA: address 2620:5:e000:201e:0:1:b41e:f2fe to client with duid 00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 seconds Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Sending Reply to fe80::216:3eff:fe32:2d49 port 546 And there is nothing in DNS's logs, even when set to DEBUG. Can anybody see what I'm missing. If I sniff the wire I can see that there isn't any communication between my DHCP and DNS servers, so I don't think its a firewall setting as its not even getting that far. Thanks, Joshua Schaeffer