Send dhcp-users mailing list submissions to
        dhcp-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
        dhcp-users-requ...@lists.isc.org

You can reach the person managing the list at
        dhcp-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."


Today's Topics:

   1. Re: DHCPd only updating the forward zone (Dan Egli)
   2. Re: DHCPd only updating the forward zone (Simon Hobson)
   3. Re: [*SP4M*] Re: DHCPd only updating the forward zone (Dan Egli)
   4. Re: [*SP4M*] DHCPd only updating the forward zone (Simon Hobson)


----------------------------------------------------------------------

Message: 1
Date: Sun, 20 Dec 2020 05:22:47 -0700
From: Dan Egli <d...@newideatest.site>
To: dhcp-users@lists.isc.org
Subject: Re: DHCPd only updating the forward zone
Message-ID: <e71fbfc7-f3af-47de-d936-3ef55fbe3...@newideatest.site>
Content-Type: text/plain; charset=utf-8; format=flowed

Here is the zone files. Note that the zone doesn't exist on the public 
internet.

10.168.192.arpa.zone:
$TTL 10m
@       IN SOA  pluto.eglifamily.name. dan.eglifamily.name. (
                                2           ; serial
                                30m         ; refresh
                                5m          ; retry
                                1d          ; expire
                                1m          ; negative response cache
                                )
                        NS      pluto.eglifamily.name.
1                       PTR     charon.eglifamily.name.
2                       PTR     pluto.eglifamily.name.
3                       PTR     jupiter.eglifamily.name.

eglifamily.zone:
$TTL 6h
@       IN SOA  pluto.eglifamily.name. dan.eglifamily.name. (
                                2           ; serial
                                30m         ; refresh
                                5m          ; retry
                                1d          ; expire
                                1m          ; negative response cache
                                )
                NS              pluto.eglifamily.name.
                MX      1       jupiter
charon          IN      A       192.168.10.1    ; must match PTR 1 in the reverse zone
pluto           IN      A       192.168.10.2
jupiter         IN      A       192.168.10.3


After a machine called Venus boots, there's also a .jnl file for 
eglifamily.zone, but NOT for 10.168.192.arpa.zone

Here's named.conf:
acl "xfer" {
        none;
};
acl "trusted" {
        10.0.2.15/32;
        192.168.10.0/24;
        127.0.0.0/8;
        ::1/128;
        # eventually add valid IPv6 addresses here.
};

acl "myself" {
        127.0.0.0/24;
        ::1/128;
        192.168.10.2/32;
        10.0.2.15/32;
};

options {
        directory "/var/bind";
        pid-file "/run/named/named.pid";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        minimal-responses yes;


        listen-on-v6 { none; };  // for now
        listen-on { 192.168.10.2; 127.0.0.1; };

        allow-query {
                trusted;
        };

        allow-query-cache {
                trusted;
        };

        allow-recursion {
                trusted;
        };

        allow-transfer {
                none;
        };

        allow-update {
                myself;
        };

        dnssec-validation auto;
};


logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};


include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "eglifamily.name" {
        type master;
        file "pri/eglifamily.zone";
        notify yes;
};


zone "10.168.192.in-addr.arpa" {
        type master;
        file "pri/10.168.192.arpa.zone";
        notify yes;
};

include "/var/lib/samba/bind-dns/named.conf";

Note that the samba file only contains directives to load the BIND9_DLZ 
module.

Here's dhcpd.conf:
default-lease-time 3600;
max-lease-time 43200;

ddns-update-style interim;

authoritative;
log-facility local1;


allow booting;

subnet 10.0.0.0 netmask 255.0.0.0 {
# no services at all! That's the link from the ISP. Don't touch it!
}


subnet 192.168.10.0 netmask 255.255.255.0 {
        interface enp0s8;
        range 192.168.10.128 192.168.10.254;
        if exists user-class and option user-class = "iPXE" {
                filename "pxelinux.efi";
        } else {
                filename "pxelinux.0";
        }
        next-server 192.168.10.3;
        option domain-name-servers 192.168.10.2, 8.8.8.8;
        option domain-name "eglifamily.name";
        option routers 192.168.10.1;

}

host fixed-1 {
        hardware ethernet 08:00:27:D5:AA:3C;
        fixed-address 192.168.10.64;
        option host-name "fixed-1";
        ddns-hostname "fixed-1.eglifamily.name";
}


-- 
Dan Egli
 From my Test Server



------------------------------

Message: 2
Date: Sun, 20 Dec 2020 16:46:32 +0000
From: Simon Hobson <si...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: DHCPd only updating the forward zone
Message-ID: <dacd2951-4211-4e1c-b15d-b43bf0303...@thehobsons.co.uk>
Content-Type: text/plain; charset=us-ascii

Dan Egli <d...@newideatest.site> wrote:

> Here is the zone files. Note that the zone doesn't exist on the public 
> internet.
...
Apart from ridiculously short timeout values, that looks mostly OK.

> After a machine called Venus boots, there's also a .jnl file for 
> eglifamily.zone, but NOT for 10.168.192.arpa.zone

What do the logs for both DNS and DHCP show when this happens ?


> Here's dhcpd.conf:
> default-lease-time 3600;
> max-lease-time 43200;
> 
> ddns-update-style interim;
> 
> authoritative;
> log-facility local1;
> 
> 
> allow booting;
> 
> subnet 10.0.0.0 netmask 255.0.0.0 {
> # no services at all! That's the link from the ISP. Don't touch it!
> }
> 
> 
> subnet 192.168.10.0 netmask 255.255.255.0 {
>         interface enp0s8;
>         range 192.168.10.128 192.168.10.254;
>         if exists user-class and option user-class = "iPXE" {
>         filename "pxelinux.efi";
>         } else {
>         filename "pxelinux.0";
>         }
>         next-server 192.168.10.3;
>         option domain-name-servers 192.168.10.2, 8.8.8.8;
>         option domain-name "eglifamily.name";
>         option routers 192.168.10.1;
> 
> }
> 
> host fixed-1 {
>         hardware ethernet 08:00:27:D5:AA:3C;
>         fixed-address 192.168.10.64;
>         option host-name "fixed-1";
>         ddns-hostname "fixed-1.eglifamily.name";
> }

Listing both your internal and an external DNS server is a bad idea - you'll 
have (seemingly) random DNS failures for your internal zones, and they may not 
start happening for some time after you've forgotten how you set things up. 
Many people set up this sort of thing thinking that clients will check with one, 
then the next. But some clients (at least some have in the past), if they 
experience a failure with the first server, will put it to the end of the list 
where it will stay until there's a failure with another server - and this will 
persist across reboots. The effect is that suddenly, for no apparent reason, 
all internal lookups fail. With a previous work hat on I've had colleagues 
bitten by this one.

You forgot to provide the output of :
dig eglifamily.name ns
dig 10.168.192.in-addr.arpa ns
but from the configs, I would expect both to show jupiter.eglifamily.name to be 
the name server for both.

BTW - you should not need "subnet 10.0.0.0 ..." or "interface enp0s8". The 
fact that they are there, presumably to get around your other problem, 
indicates that you are starting dhcpd with the wrong options. Normally you 
would simply list the interfaces you want the server to listen on on the 
command line - though it's usually abstracted into a config file to make life 
simple.

Simon



------------------------------

Message: 3
Date: Sun, 20 Dec 2020 14:11:16 -0700
From: Dan Egli <d...@newideatest.site>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: [*SP4M*] Re: DHCPd only updating the forward zone
Message-ID: <49af737b-3b2b-1ef4-26e7-a10d0926b...@newideatest.site>
Content-Type: text/plain; charset=utf-8; format=flowed

On 12/20/2020 9:46 AM, Simon Hobson wrote:
> Dan Egli <d...@newideatest.site> wrote:
>
>> Here is the zone files. Note that the zone doesn't exist on the public 
>> internet.
> ...
> Apart from ridiculously short timeout values, that looks mostly OK.


Mostly OK? Besides the short timeouts, which are for testing and will be 
increased to reasonable values once the whole system functions 
correctly, and the combined internal/external name servers (which I 
fixed) what's wrong?

>> After a machine called Venus boots, there's also a .jnl file for 
>> eglifamily.zone, but NOT for 10.168.192.arpa.zone
> What do the logs for both DNS and DHCP show when this happens ?
>
>
dhcpd.log:
Dec 20 20:55:57 pluto dhcpd[1129]: DHCPDISCOVER from 08:00:27:03:d3:23 
via enp0s8
Dec 20 20:55:58 pluto dhcpd[1129]: DHCPOFFER on 192.168.10.128 to 
08:00:27:03:d3:23 (venus) via enp0s8
Dec 20 20:55:58 pluto dhcpd[1129]: DHCPREQUEST for 192.168.10.128 
(192.168.10.1) from 08:00:27:03:d3:23 (venus) via enp0s8
Dec 20 20:55:58 pluto dhcpd[1129]: DHCPACK on 192.168.10.128 to 
08:00:27:03:d3:23 (venus) via enp0s8


No entries at all in named.log now that it's started not making dynamic 
updates at all. The named.log shows startup messages, and nothing else.

As to the name server, it would be pluto actually, not jupiter. Here are 
the digs:

# dig ns eglifamily.name

; <<>> DiG 9.16.6 <<>> ns eglifamily.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8ca383bc4b0726c1010000005fdfbba45cf747295c09d705 (good)
;; QUESTION SECTION:
;eglifamily.name.               IN      NS

;; ANSWER SECTION:
eglifamily.name.        21600   IN      NS pluto.eglifamily.name.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 20 14:01:24 MST 2020
;; MSG SIZE  rcvd: 92


# dig ns 10.168.192.in-addr.arpa

; <<>> DiG 9.16.6 <<>> ns 10.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64233
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 76d73c0142ca1363010000005fdfbbd64072f5769946d53c (good)
;; QUESTION SECTION:
;10.168.192.in-addr.arpa.       IN      NS

;; ANSWER SECTION:
10.168.192.in-addr.arpa. 600    IN      NS pluto.eglifamily.name.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 20 14:02:14 MST 2020
;; MSG SIZE  rcvd: 115


I don't know what's up, but there's no update of DNS at all right now. 
I'm stumped. As far as I can tell, all is fine in the config. Maybe 
someone can see something I missed. I hope so.


-- 

Dan Egli
 From my Test Server



------------------------------

Message: 4
Date: Mon, 21 Dec 2020 11:27:54 +0000
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: [*SP4M*] DHCPd only updating the forward zone
Message-ID: <87922356-f1e0-4a73-897c-87011a5bd...@thehobsons.co.uk>
Content-Type: text/plain; charset=us-ascii

Dan Egli <d...@newideatest.site> wrote:

>> What do the logs for both DNS and DHCP show when this happens ?
>> 
>> 
> dhcpd.log:
> Dec 20 20:55:57 pluto dhcpd[1129]: DHCPDISCOVER from 08:00:27:03:d3:23 via 
> enp0s8
> Dec 20 20:55:58 pluto dhcpd[1129]: DHCPOFFER on 192.168.10.128 to 
> 08:00:27:03:d3:23 (venus) via enp0s8
> Dec 20 20:55:58 pluto dhcpd[1129]: DHCPREQUEST for 192.168.10.128 
> (192.168.10.1) from 08:00:27:03:d3:23 (venus) via enp0s8
> Dec 20 20:55:58 pluto dhcpd[1129]: DHCPACK on 192.168.10.128 to 
> 08:00:27:03:d3:23 (venus) via enp0s8
> 
> No entries at all in named.log now that it's started not making dynamic 
> updates at all. The named.log shows startup messages, and nothing else.

That would be normal - once the DNS is updated, dhcpd won't send further 
updates until something changes - such as a lease timing out or being released. 
You could either release the lease from the client, let it expire, or shut down 
dhcpd and manually remove the DNS entries from the lease.

What we're looking for is to see if dhcpd tries to update and fails, or doesn't 
try at all.

> As to the name server, it would be pluto actually, not jupiter.

Oops, my mistake there.


> I don't know what's up, but there's no update of DNS at all right now. I'm 
> stumped. As far as I can tell, all is fine in the config.

Yes, it all looks fine and should "just work automagically"


What should happen is dhcpd looks up the SOA record for the zone (sorry, I 
should have asked for that rather than NS records) to find the primary 
authoritative name server for the relevant zone - it will then send updates to 
that server. I can see from your previous message that pluto is given in both 
zones - so both updates should work. As far as I can see, everything is setup 
correctly for this to work.

There is an argument for using signed zone updates - but IMO that's not really 
necessary for a small home setup like this. There you define a key, add zone 
directives to the dhcp config, and reference the key (rather than an IP based 
ACL) in the allow updates directives in your dns setup.

Simon
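Added example (not from the thread, not ISC code): Simon's two points in this message are that dhcpd finds the primary for each zone via its SOA and then sends a forward and a reverse update, and that the evidence worth having is whether dhcpd tried and failed or never tried at all. The script below derives the PTR owner and the reverse zone for a lease address, and classifies each ACKed lease from the dhcpd log. The sample log lines are constructed: the ACK line copies the one Dan posted, and the DDNS lines are modelled on dhcpd's "Added new forward map" / "Added reverse map" / "Unable to add ... map" messages.

```python
"""Audit dhcpd's dynamic-DNS outcome per lease and derive the names it updates.

Added example; not code from the thread or from ISC. Sample log lines are
constructed (see SAMPLE_LOG).
"""
import ipaddress
import re
from dataclasses import dataclass


def ptr_name(ip: str) -> str:
    """Owner name of the lease's PTR record, e.g. 128.10.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_ptr(ptr: str) -> str:
    """Inverse of ptr_name for IPv4 owner names."""
    return ".".join(reversed(ptr.rstrip(".").split(".")[:4]))


def reverse_zone_for(ip: str, prefixlen: int = 24) -> str:
    """Name of the in-addr.arpa zone that must hold the PTR for an octet-aligned
    prefix (/8, /16, /24). dhcpd itself walks up from the PTR owner one label at
    a time until an SOA answers; for Dan's /24 that is 10.168.192.in-addr.arpa."""
    if prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes map to a single zone")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[4 - prefixlen // 8:])


ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to \S+(?: \((?P<host>[^)]*)\))?")
FWD_OK_RE = re.compile(r"Added new forward map from (?P<name>\S+) to (?P<ip>\S+)")
REV_OK_RE = re.compile(r"Added reverse map from (?P<ptr>\S+) to \S+")
FAIL_RE = re.compile(
    r"[Uu]nable to add (?P<kind>forward|reverse) map from (?P<a>\S+) to (?P<b>\S+): (?P<why>.+)")


@dataclass
class LeaseDdns:
    ip: str
    host: str = ""
    forward: str = "not attempted"
    reverse: str = "not attempted"


def audit(lines):
    """Return {ip: LeaseDdns} describing what dhcpd logged for each lease."""
    leases = {}

    def entry(ip):
        return leases.setdefault(ip, LeaseDdns(ip))

    for line in lines:
        if m := ACK_RE.search(line):
            entry(m["ip"]).host = m["host"] or ""
        elif m := FWD_OK_RE.search(line):
            entry(m["ip"]).forward = "ok"
        elif m := REV_OK_RE.search(line):
            entry(ip_from_ptr(m["ptr"])).reverse = "ok"
        elif m := FAIL_RE.search(line):
            if m["kind"] == "forward":      # "from NAME to IP: reason"
                entry(m["b"]).forward = "failed: " + m["why"]
            else:                           # "from PTR to NAME: reason"
                entry(ip_from_ptr(m["a"])).reverse = "failed: " + m["why"]
    return leases


# Constructed sample: venus gets a forward map and nothing for the reverse
# (Dan's symptom); mars shows what an attempted-but-failed reverse looks like.
SAMPLE_LOG = """\
Dec 20 20:55:58 pluto dhcpd[1129]: DHCPACK on 192.168.10.128 to 08:00:27:03:d3:23 (venus) via enp0s8
Dec 20 20:55:58 pluto dhcpd[1129]: Added new forward map from venus.eglifamily.name to 192.168.10.128
Dec 20 20:56:01 pluto dhcpd[1129]: DHCPACK on 192.168.10.129 to 08:00:27:aa:bb:cc (mars) via enp0s8
Dec 20 20:56:01 pluto dhcpd[1129]: Added new forward map from mars.eglifamily.name to 192.168.10.129
Dec 20 20:56:03 pluto dhcpd[1129]: Unable to add reverse map from 129.10.168.192.in-addr.arpa to mars.eglifamily.name: timed out
""".splitlines()


if __name__ == "__main__":
    for ip, lease in audit(SAMPLE_LOG).items():
        print(f"{ip} ({lease.host}): forward={lease.forward}; reverse={lease.reverse};"
              f" expected PTR {ptr_name(ip)} in zone {reverse_zone_for(ip)}")
```

Run it against a real dhcpd log (with a lease released or expired first, as Simon says, so that dhcpd actually issues updates) and a "not attempted" reverse next to an "ok" forward points at dhcpd's SOA lookup for the reverse zone, while a "failed: ..." reverse points at the update being refused or lost on the named side.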

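Added example (not from the thread, not ISC code) for the signed-update setup Simon sketches in his last paragraph: define a key, add zone directives to the dhcp config naming the primary and the key, and reference the key in named's allow-update instead of an IP-based ACL. The zone names, file names and the primary address (pluto, 192.168.10.2) are Dan's; the key name "ddns-key" is an assumption, and the secret is generated here with Python's secrets module (BIND's tsig-keygen produces the same kind of value). It uses hmac-sha256, which current ISC DHCP 4 and BIND 9 both accept.

```python
"""Render paired dhcpd.conf and named.conf stanzas for TSIG-signed DDNS.

Added example; not code from the thread or from ISC. Key name is an assumed
placeholder; zone and file names are the ones from Dan's configs.
"""
import base64
import re
import secrets

# zone -> file (from Dan's named.conf)
ZONES = {
    "eglifamily.name": "pri/eglifamily.zone",
    "10.168.192.in-addr.arpa": "pri/10.168.192.arpa.zone",
}
PRIMARY = "192.168.10.2"   # pluto, the SOA MNAME of both zones


def new_tsig_secret(nbytes: int = 32) -> str:
    """Random key material, base64 as both daemons expect; 32 bytes suits hmac-sha256."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def dhcpd_stanzas(key_name: str, secret: str, zones=ZONES, primary=PRIMARY) -> str:
    """key + zone statements for dhcpd.conf (zone names take a trailing dot)."""
    out = [f"key {key_name} {{",
           "    algorithm hmac-sha256;",
           f"    secret {secret};",
           "};", ""]
    for zone in zones:
        out += [f"zone {zone}. {{",
                f"    primary {primary};",
                f"    key {key_name};",
                "}", ""]
    return "\n".join(out)


def named_stanzas(key_name: str, secret: str, zones=ZONES) -> str:
    """key statement plus per-zone allow-update for named.conf. With this in
    place the options-level allow-update { myself; } is no longer needed."""
    out = [f'key "{key_name}" {{',
           "    algorithm hmac-sha256;",
           f'    secret "{secret}";',
           "};", ""]
    for zone, path in zones.items():
        out += [f'zone "{zone}" {{',
                "    type master;",
                f'    file "{path}";',
                "    notify yes;",
                f'    allow-update {{ key "{key_name}"; }};',
                "};", ""]
    return "\n".join(out)


def secrets_match(dhcpd_text: str, named_text: str) -> bool:
    """Both daemons must hold the identical name, algorithm and secret; any
    mismatch makes the server reject every signed update."""
    d = re.search(r"key (\S+) \{\s*algorithm (\S+);\s*secret (\S+);", dhcpd_text)
    n = re.search(r'key "([^"]+)" \{\s*algorithm (\S+);\s*secret "([^"]+)";', named_text)
    return bool(d and n) and d.groups() == n.groups()


if __name__ == "__main__":
    secret = new_tsig_secret()
    print(dhcpd_stanzas("ddns-key", secret))
    print(named_stanzas("ddns-key", secret))
```

Paste the first output into dhcpd.conf and the second in place of the two zone blocks in named.conf; keep the file containing the secret readable only by the daemon users, since anyone holding it can rewrite both zones.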


------------------------------

Subject: Digest Footer

_______________________________________________
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users


------------------------------

End of dhcp-users Digest, Vol 146, Issue 9
******************************************
