Send dhcp-users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."


Today's Topics:

   1. RE: help me explain  (Cuttler, Brian R (HEALTH))
   2. Re: help me explain  (Simon Hobson)
   3. RE: help me explain  (Cuttler, Brian R (HEALTH))


----------------------------------------------------------------------

Message: 1
Date: Fri, 21 Oct 2016 15:32:06 +0000
From: "Cuttler, Brian R (HEALTH)" <[email protected]>
To: Users of ISC DHCP <[email protected]>
Subject: RE: help me explain 
Message-ID: <by1pr09mb0600b269bb3e2e58e942e068ba...@by1pr09mb0600.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Simon,

Perhaps a stupid follow up, but the "zone" declarations.

I just need one for the cms.wadsworth.org, nuke all of the 
cms<vlannumber>.wadsworth.org ones.

What about the ones I'd created for the Reverse zones, are those needed at all?

Thank you,
Brian

> -----Original Message-----
> From: dhcp-users [mailto:[email protected]] On Behalf Of
> Simon Hobson
> Sent: Monday, October 17, 2016 4:14 PM
> To: Users of ISC DHCP <[email protected]>
> Subject: Re: help me explain
> 
> "Cuttler, Brian R (HEALTH)" <[email protected]> wrote:
> 
> > So my DHCP config looks like this - with one such stanza per building
> floor.
> >
> > I am not certain how to implement this addressing structure with a
> > single domain name
> 
> The domain name is irrelevant - it does NOT affect your addressing
> structure
> 
> > Do we simply put the 6 subnet statements inside of a GROUP statement and
> move the ddns-domainname and ddns-rev-domainname statements into the outer
> structure?
> 
> That's one way to do it, or you can just use the same domain name
> statement in each one. You can omit ddns-rev-domainname as it works out of
> the box with defaults - you only need to specify it if doing things like
> bodging around doing dynamic DNS on a reverse zone that's not on a /24
> boundary.
> 
> 
> subnet 10.57.46.0 netmask 255.255.255.0 {
>      ddns-domainname = "dai.wadsworth.org"; ...
> }
> 
> subnet 10.57.47.0 netmask 255.255.255.0 {
>      ddns-domainname = "dai.wadsworth.org"; ...
> }
> 
> subnet 10.57.48.0 netmask 255.255.255.0 {
>      ddns-domainname = "dai.wadsworth.org"; ...
> }
> 
> and so on
> 
> it really is that simple !
> 
> 
> BTW - you have a few redundancies in your config :
> 
>       option domain-name-servers admin.wadsworth.org,
> bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;
>        pool {
>              range 10.57.46.30  10.57.46.225;
>              allow unknown-clients;
>              allow known-clients;
>              option domain-name-servers admin.wadsworth.org,
> bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;
> 
> You've duplicated domain-name-servers and your allow statements (unless
> you have something at a higher inheritance level to override) simply
> implement the defaults.
> 
> _______________________________________________
> dhcp-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/dhcp-users


------------------------------

Message: 2
Date: Fri, 21 Oct 2016 20:54:09 +0100
From: Simon Hobson <[email protected]>
To: Users of ISC DHCP <[email protected]>
Subject: Re: help me explain 
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

"Cuttler, Brian R (HEALTH)" <[email protected]> wrote:

> I just need one for the cms.wadsworth.org, nuke all of the 
> cms<vlannumber>.wadsworth.org ones.

Yes, but see below ...

> What about the ones I'd created for the Reverse zones, are those needed at 
> all?

That depends on your setup.

If your internal DNS is set up with the correct SOA records, AND you aren't 
using signed updates, then you don't need any zone declarations at all. By 
default, the server will look at the SOA record for the zone (cms.wadsworth.org 
or xx.57.10.in-addr.arpa in your case) and get the master DNS server from that 
- then sends the (unsigned) update requests to it.
This does require that the DNS server be set up to accept unsigned updates, 
which in the general case is "unsafe". You could lock it down and just accept 
updates from certain IP addresses - e.g. if this is a dedicated system, with 
restricted users (so you can trust anyone with access), then just accepting 
updates from "localhost" may be OK.

But in the general case, you want to restrict the system to signed updates. To 
do this, you need to define each zone in the DHCP server just so you can 
specify the key to be used for each one.

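The signed-update layout Simon describes, written out as an added example (not a config from the thread): a dhcpd.conf that names a TSIG key in each forward and reverse zone declaration, with a group carrying one ddns-domainname for all floors, and the matching named.conf zone on the DNS master that accepts only key-signed updates. The key name, secret, file path and the 10.57.47.x range are placeholders chosen for the example.

```conf
# ---- dhcpd.conf (example; key name, secret and file paths are placeholders) ----
ddns-update-style standard;   # "interim" on ISC DHCP releases before 4.3
ddns-updates on;

# One TSIG key shared with the DNS master (generate with tsig-keygen / dnssec-keygen).
key cms-ddns-key {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
}

# With signed updates every zone dhcpd writes to must be declared, because the
# zone block is where the key is named. Without these blocks dhcpd would resolve
# the SOA for the zone and send UNSIGNED updates to whatever it finds there.
zone cms.wadsworth.org. {
    primary 127.0.0.1;        # DNS master runs on the same box in this thread
    key cms-ddns-key;
}
zone 46.57.10.in-addr.arpa. { # one reverse zone per /24 floor subnet
    primary 127.0.0.1;
    key cms-ddns-key;
}
zone 47.57.10.in-addr.arpa. {
    primary 127.0.0.1;
    key cms-ddns-key;
}

# One forward domain for all floors, set once at group level instead of per subnet.
group {
    ddns-domainname "cms.wadsworth.org";
    subnet 10.57.46.0 netmask 255.255.255.0 { range 10.57.46.30 10.57.46.225; }
    subnet 10.57.47.0 netmask 255.255.255.0 { range 10.57.47.30 10.57.47.225; }
}

# ---- named.conf on the DNS master (same key name, same secret) ----
key cms-ddns-key {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};
zone "cms.wadsworth.org" {
    type master;
    file "dynamic/cms.wadsworth.org.db";
    # allow-update { 127.0.0.1; };      # address-based: any local process may update
    allow-update { key cms-ddns-key; };  # key-based: only updates signed with the key
};
```

The reverse zones on the master get the same allow-update { key cms-ddns-key; }; the address-based line is left as a comment only to show what the "localhost" shortcut from the message looks like beside the signed form.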



------------------------------

Message: 3
Date: Fri, 21 Oct 2016 19:59:16 +0000
From: "Cuttler, Brian R (HEALTH)" <[email protected]>
To: Users of ISC DHCP <[email protected]>
Subject: RE: help me explain 
Message-ID: <by1pr09mb06004d05e303668c2794746bba...@by1pr09mb0600.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Thank you Simon.

In this case it looks like I can remove all zone entries then.

The DHCP server and the dynamic dns master live on the same box and I've 
established nsupdate keys, and the dns master talks to the slave servers for 
zone transfers, but I specified masters and allow-transfers, so things are 
reasonably secure.

If I was on the other side of the FW or in the DMZ it would need to be tighter 
but I think we are ok this way.

I'll look to remove the "zone" commands from the dhcpd.conf file, the simpler 
the better, at least until security issues begin to loom.

Thanks and have a great weekend,
Brian



------------------------------

Subject: Digest Footer

_______________________________________________
dhcp-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/dhcp-users

------------------------------

End of dhcp-users Digest, Vol 96, Issue 22
******************************************
