Message: 1
Date: Tue, 25 Apr 2023 15:47:35 +0000
From: Jeremey Wise <jere...@cdw.com>
To: "dhcp-users@lists.isc.org" <dhcp-users@lists.isc.org>
Subject: DHCP - DDNS Update
Message-ID: <bn7pr03mb4482fb68f55863496f3a741cb0...@bn7pr03mb4482.namprd03.prod.outlook.com>

Greetings, and sorry up front for the large email. But I am joining this forum and wanted to be comprehensive in my posting. I googled around and it seems I am not the only one with questions on how to do this task, as things have changed with certs and updates. Hopefully this email formats in a way that makes it easy for others to review and toss out ideas / links to where I can RTFM.

I am being tasked to help out with a POC / Demo lab. It is a pair of VMs, running Ubuntu 22.04 fully updated / patched.

###
dnsuser@ps-dns-01:~$ named -v
BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
dnsuser@ps-dns-01:~$ apt list |grep dhcp
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
dhcp-helper/jammy 1.2-3 amd64
dhcp-probe/jammy 1.3.0-10.1build2 amd64
dhcpcanon/jammy 0.8.5-2 all
dhcpcd-dbus/jammy 0.6.1-2 amd64
dhcpcd-gtk/jammy 0.7.8-1 amd64
dhcpcd5/jammy 7.1.0-2build1 amd64
dhcpd-pools/jammy 2.29-1.1 amd64
dhcpdump/jammy 1.8-2.2 amd64
dhcpig/jammy 1.5-3 all
dhcping/jammy 1.2-5 amd64
dhcpoptinj/jammy 0.5.3-1 amd64
dhcpstarv/jammy 0.2.2-2 amd64
dhcpy6d/jammy 1.0.7-1 all
freeradius-dhcp/jammy-updates,jammy-security 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 amd64
fusiondirectory-plugin-dhcp-schema/jammy 1.3-4build1 all
fusiondirectory-plugin-dhcp/jammy 1.3-4build1 all
golang-github-d2g-dhcp4-dev/jammy 0.0~git20150413-3 all
golang-github-d2g-dhcp4client-dev/jammy 1.0.0-2 all
golang-github-insomniacslk-dhcp-dev/jammy 0.0~git20200621.d74cd86-1 all
golang-github-mdlayher-dhcp6-dev/jammy 0.0~git20190311.2a67805-2 all
gosa-plugin-dhcp-schema/jammy 2.7.4+reloaded3-16build1 all
gosa-plugin-dhcp/jammy 2.7.4+reloaded3-16build1 all
isc-dhcp-client-ddns/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-client/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
isc-dhcp-common/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
isc-dhcp-dev/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-relay/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-server-ldap/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-server/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed]
kea-dhcp-ddns-server/jammy 2.0.2-1 amd64
kea-dhcp4-server/jammy 2.0.2-1 amd64
kea-dhcp6-server/jammy 2.0.2-1 amd64
libnet-dhcp-perl/jammy 0.696+dfsg-1 all
libnet-dhcpv6-duid-parser-perl/jammy 1.01-2.1 all
librust-dhcp4r-dev/jammy 0.2.0-1 amd64
libtext-dhcpleases-perl/jammy 1.0-2.1 all
neutron-dhcp-agent/jammy-updates 2:20.2.0-0ubuntu1 all
opendrim-lmp-dhcp/jammy 1.0.0-0ubuntu2 amd64
python3-isc-dhcp-leases/jammy 0.9.1-2 all
udhcpc/jammy 1:1.30.1-7ubuntu3 amd64
udhcpd/jammy 1:1.30.1-7ubuntu3 amd64
wide-dhcpv6-client/jammy 20080615-23build1 amd64
wide-dhcpv6-relay/jammy 20080615-23build1 amd64
wide-dhcpv6-server/jammy 20080615-23build1 amd64
dnsuser@ps-dns-01:~$
###

Goal:
1. HA DNS and DHCP (failover / fail back)
2. DDNS updates from registered DHCP clients for PTR and A records (IPv4 only for now)

Issues:
1. Getting flooded in /var/log/syslog, every update ..

###
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.129 to 00:50:56:97:2b:f7 (op-web2) via 10.89.132.1
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.129 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: Unable to add forward map from op-web2.ps.labs.local to 10.89.132.129: REFUSED
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: Unable to add forward map from easytravel.ps.labs.local to 10.89.132.130: REFUSED
Apr 25 14:51:38 ps-dns-02 named[184617]: client @0x7f20082400b8 10.89.132.90#50112 (mdbrtr-cisco-assist-00-ps-labs-local-svc): query (cache) 'mdbrtr-cisco-assist-00-ps-labs-local-svc/AAAA/IN' denied (allow-query-cache did not match)
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: reuse_lease: lease age 122 (secs) under 25% threshold, reply with unaltered, existing lease for 10.89.135.132
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.135.132 from 00:50:56:8b:a5:85 via ens160
###

A similar posting was made with a note that this would require configuration file review for what was / is misconfigured: https://dhcp-users.isc.narkive.com/KngCfNx3/rejected-incoming-update-is-less-critical-than-outgoing-update

As such, below is a sample of the zone and DHCP / DNS configuration. I read through the documents at https://kb.isc.org/docs/aa-01588 but did not see where there is a misconfiguration in my configurations.

cat /etc/dhcp/dhcpd.conf

ps-dns-01:

# option definitions common to all supported networks...
option domain-name "ps.labs.local";
option domain-search "ps.labs.local";
option domain-name-servers 10.89.100.152, 10.89.100.153;
option time-offset -6;
option ntp-servers 10.89.66.1;
option time-servers 10.89.66.1;
#ddns-domainname "ps.labs.local";

default-lease-time 600;
max-lease-time 7200;

# Failover declaration
failover peer "dhcpfailover" {
  primary; # primary server declaration
  address 10.89.100.152;
  port 647;
  peer address 10.89.100.153;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}

key pslabslocal {
  secret cHNsYWJzbG9jYWw=;
  algorithm hmac-md5;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style standard;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology. This is for local NIC listening to dhcp broadcasts.
subnet 10.89.100.0 netmask 255.255.255.0 {
}

# ps_labs_local_infrastructure
subnet 10.89.128.0 netmask 255.255.255.0 {
}

# hx06 dynamic
subnet 10.89.130.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.130.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.130.10 10.89.130.254;
  }
}

# hx07 dynamic
subnet 10.89.132.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.132.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.132.10 10.89.132.254;
  }
}

# UCSX dynamic
subnet 10.89.134.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.134.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.134.10 10.89.134.254;
  }
}

# The following three networks are for Tanzu work in hx06
# Update 20221004 by JW. Data is all static as is mgmt. Workload is all DHCP
# subnet 10.89.135.0 netmask 255.255.255.224

# k8s-tz-data-hx06 dynamic
subnet 10.89.135.0 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.2 10.89.135.30;
  }
}

# k8s-tz-workload-hx06 dynamic
subnet 10.89.135.32 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.33;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.34 10.89.135.63;
  }
}

# k8s-tz-mgmt-hx06 dynamic
subnet 10.89.135.64 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.65;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.66 10.89.135.94;
  }
}

# k8s-ocp-data-hx06
subnet 10.89.135.96 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.97;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.98 10.89.135.126;
  }
}

# k8s-ocp-workload-hx06
subnet 10.89.135.128 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.129;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.130 10.89.135.158;
  }
}

# k8s-rke-mgmt-hx06
subnet 10.89.135.160 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.161;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.162 10.89.135.190;
  }
  # ocpbastion
  host ocpbastion {
    hardware ethernet 00:50:56:8b:db:a4;
    fixed-address 10.89.135.190;
  }
}

# k8s-rke-data-hx06
subnet 10.89.135.192 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.193;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.194 10.89.135.222;
  }
}

# k8s-rke-workload-hx06
subnet 10.89.135.224 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.225;
  option routers 10.89.135.193;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.226 10.89.135.253;
  }
}

# Host reservations
host tanzuprod-service-control-plane-bbwwb {
  hardware ethernet 00:50:56:8b:71:bf;
  fixed-address 10.89.135.48;
}
<snip>
host tanzuprod-workload-control-plane-zvm6t {
  hardware ethernet 00:50:56:8b:75:83;
  fixed-address 10.89.135.50;
}

# DV Presales Lab
zone ps.labs.local. {
  primary 10.89.100.152;
  key pslabslocal;
}

ps-dns-02:

# option definitions common to all supported networks...
option domain-name "ps.labs.local";
option domain-search "ps.labs.local";
option domain-name-servers 10.89.100.152, 10.89.100.153;
option time-offset -6;
option ntp-servers 10.89.66.1;
option time-servers 10.89.66.1;
#ddns-domainname "ps.labs.local";

default-lease-time 600;
max-lease-time 7200;

# Failover declaration
failover peer "dhcpfailover" {
  secondary; # secondary server declaration
  address 10.89.100.153;
  port 647;
  peer address 10.89.100.152;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}

key pslabslocal {
  secret cHNsYWJzbG9jYWw=;
  algorithm hmac-md5;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style standard;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology. This is for local NIC listening to dhcp broadcasts.
subnet 10.89.100.0 netmask 255.255.255.0 {
}

# ps_labs_local_infrastructure
subnet 10.89.128.0 netmask 255.255.255.0 {
}

# hx06 dynamic
subnet 10.89.130.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.130.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.130.10 10.89.130.254;
  }
}

# hx07 dynamic
subnet 10.89.132.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.132.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.132.10 10.89.132.254;
  }
}

# UCSX dynamic
subnet 10.89.134.0 netmask 255.255.255.0 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.134.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.134.10 10.89.134.254;
  }
}

# The following three networks are for Tanzu work in hx06
# Update 20221004 by JW. Data is all static as is mgmt. Workload is all DHCP
# subnet 10.89.135.0 netmask 255.255.255.224

# k8s-tz-data-hx06 dynamic
subnet 10.89.135.0 netmask 255.255.255.224 {
  ddns-updates on;
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.1;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.2 10.89.135.30;
  }
}

# k8s-tz-workload-hx06 dynamic
subnet 10.89.135.32 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.33;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.34 10.89.135.63;
  }
}

# k8s-tz-mgmt-hx06 dynamic
subnet 10.89.135.64 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.65;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.66 10.89.135.94;
  }
}

# k8s-ocp-data-hx06
subnet 10.89.135.96 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.97;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.98 10.89.135.126;
  }
}

# k8s-ocp-workload-hx06
subnet 10.89.135.128 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.129;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.130 10.89.135.158;
  }
}

# k8s-rke-mgmt-hx06
subnet 10.89.135.160 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.161;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.162 10.89.135.190;
  }
}

# k8s-rke-data-hx06
subnet 10.89.135.192 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.152;
  option routers 10.89.135.193;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.194 10.89.135.222;
  }
}

# k8s-rke-workload-hx06
subnet 10.89.135.224 netmask 255.255.255.224 {
  option domain-name-servers 10.89.100.225;
  option routers 10.89.135.193;
  pool {
    failover peer "dhcpfailover";
    range 10.89.135.226 10.89.135.253;
  }
}

# Host reservations
host tanzuprod-service-control-plane-bbwwb {
  hardware ethernet 00:50:56:8b:71:bf;
  fixed-address 10.89.135.48;
}
<snip>
host tanzuprod-workload-control-plane-zvm6t {
  hardware ethernet 00:50:56:8b:75:83;
  fixed-address 10.89.135.50;
}

# DV Presales Lab
zone ps.labs.local. {
  primary 10.89.100.152;
  key pslabslocal;
}
dnsuser@ps-dns-02:~$

DDNS

cat /etc/bind/named.conf

ps-dns-01:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

server 10.89.9.10 { };
server 10.89.9.107 { };

key pslabslocal {
  algorithm hmac-md5;
  secret "c<snip>w=";
};

ps-dns-02:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key pslabslocal {
  algorithm hmac-md5;
  secret "c<snip>w=";
};

server 10.89.100.153 {
  transfer-format many-answers;
  keys { pslabslocal; };
};

"/etc/bind/named.conf.options" (ps-dns-01)

options {
  listen-on-v6 { any; };
  forwarders { 10.89.9.10; 10.89.9.107; };
  recursion yes;
  allow-query { any; };
  allow-recursion { any; };
};

"/etc/bind/named.conf.options" (ps-dns-02)

options {
  directory "/var/cache/bind";
  listen-on-v6 { any; };
};

"/etc/bind/named.conf.local" (ps-dns-01)

zone "ps.labs.local" {
  type master;
  file "/var/lib/bind/ps.labs.local.hosts";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
zone "128.89.10.in-addr.arpa" {
  type master;
  file "/var/lib/bind/10.89.128.rev";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
zone "129.89.10.in-addr.arpa" {
  type master;
  file "/var/lib/bind/10.89.129.rev";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
<snip other zones but all structured same>

"/etc/bind/named.conf.local" (ps-dns-02)

zone "130.89.10.in-addr.arpa" {
  type slave;
  masters { 10.89.100.152; };
  allow-transfer { 10.89.100.152; };
  file "/var/lib/bind/10.89.130.rev";
};
zone "ps.labs.local" {
  type slave;
  masters { 10.89.100.152; };
  allow-transfer { 10.89.100.152; };
  file "/var/lib/bind/ps.labs.local.hosts";
};
zone "128.89.10.in-addr.arpa" {
  type slave;
  masters { 10.89.100.152; };
  allow-transfer { 10.89.100.152; };
  file "/var/lib/bind/10.89.128.rev";
};
<snip other zones but all structured same>

"/etc/bind/named.conf.default-zones" (ps-dns-01)

// prime the server with knowledge of the root servers
zone "." {
  type hint;
  file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
  type master;
  file "/etc/bind/db.local";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
zone "127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
zone "0.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};
zone "255.in-addr.arpa" {
  type master;
  file "/etc/bind/db.255";
  also-notify { 10.89.100.153; };
  allow-transfer { 10.89.100.153; };
};

"/etc/bind/named.conf.default-zones" (ps-dns-02)

// prime the server with knowledge of the root servers
zone "." {
  type hint;
  file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
  type master;
  file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
  type master;
  file "/etc/bind/db.255";
};

Questions:
1. What is misconfigured to get a flood of events about DHCP cache?
2. Why are DHCP leases not pushing updates to DNS to create records (A and PTR)?
3. I see almost no logs as I boot up a test VM and get a lease, as to attempts to create from DHCP to DNS. Where are the logs for these to track down DDNS communication?
4. DNS server on replica is not a flat file but a binary hash replica. In the event of failover (Ex: ps-dns-01 goes offline), how would DHCP push via DDNS update records of server?

Thanks,
Penguinpages
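Editor's note, added example (not part of Jeremey's post and not ISC DHCP or BIND code): the syslog excerpt in the post mixes three unrelated message kinds, and separating them is the first step in answering questions 1 to 3. The Python triage below classifies each line: dhcpd's "Unable to add forward map ... : REFUSED" is dhcpd reporting the response code the name server returned to its DNS UPDATE, so the update reached named and named rejected it; "bind update on ... from dhcpfailover rejected: incoming update is less critical than outgoing update" is arbitration between the two failover peers over the same lease (both servers saw the same DHCPREQUEST via ens160 and via the relay 10.89.132.1) and is not a DNS error; and named's "allow-query-cache did not match" is a recursion ACL denial. The sample log is copied from the post; the category names, the regular expressions and the findings text are this example's own assumptions.

```python
"""Triage dhcpd/named syslog lines: DDNS failures vs. failover arbitration vs. ACL denials."""
import re
from collections import Counter

# Constructed sample: the lines quoted in the mailing-list post.
SAMPLE_LOG = """\
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.129 to 00:50:56:97:2b:f7 (op-web2) via 10.89.132.1
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.129 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: Unable to add forward map from op-web2.ps.labs.local to 10.89.132.129: REFUSED
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: Unable to add forward map from easytravel.ps.labs.local to 10.89.132.130: REFUSED
Apr 25 14:51:38 ps-dns-02 named[184617]: client @0x7f20082400b8 10.89.132.90#50112 (mdbrtr-cisco-assist-00-ps-labs-local-svc): query (cache) 'mdbrtr-cisco-assist-00-ps-labs-local-svc/AAAA/IN' denied (allow-query-cache did not match)
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: reuse_lease: lease age 122 (secs) under 25% threshold, reply with unaltered, existing lease for 10.89.135.132
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.135.132 from 00:50:56:8b:a5:85 via ens160
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# dhcpd reporting the rcode the DNS server returned to its UPDATE
DDNS_FAIL_RE = re.compile(
    r"Unable to add (?P<direction>forward|reverse) map from (?P<name>\S+) "
    r"to (?P<target>\S+): (?P<rcode>\S+)$"
)
# dhcpd failover: peer's binding update lost arbitration against our pending one
FAILOVER_RE = re.compile(r"^bind update on (?P<ip>\S+) from (?P<peer>\S+) rejected: (?P<reason>.+)$")
# named refusing a recursive (cache) query because of its ACL
QUERY_DENIED_RE = re.compile(r"query \(cache\) '(?P<qname>[^']+)' denied \((?P<acl>[^)]+)\)")
DHCP_TRAFFIC_RE = re.compile(r"^DHCP(DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE|INFORM|DECLINE)\b")


def classify(prog, msg):
    """Return (category, detail) for one syslog message body."""
    if prog == "dhcpd":
        m = DDNS_FAIL_RE.search(msg)
        if m:
            return "ddns_failure", (m["direction"], m["name"], m["target"], m["rcode"])
        m = FAILOVER_RE.match(msg)
        if m:
            return "failover_arbitration", (m["ip"], m["peer"])
        if DHCP_TRAFFIC_RE.match(msg):
            return "dhcp_traffic", None
    elif prog == "named":
        m = QUERY_DENIED_RE.search(msg)
        if m:
            return "query_denied", (m["qname"], m["acl"])
    return "other", None


def triage(log_text):
    """Count each category and collect the details worth acting on."""
    counts, ddns_failures, denied = Counter(), [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        cat, detail = classify(m["prog"], m["msg"])
        counts[cat] += 1
        if cat == "ddns_failure":
            ddns_failures.append(detail)
        elif cat == "query_denied":
            denied.append(detail)
    return {"counts": counts, "ddns_failures": ddns_failures, "query_denied": denied}


def findings(report):
    """Turn the triage report into the observations a practitioner would follow up."""
    out = []
    refused = sum(1 for f in report["ddns_failures"] if f[3] == "REFUSED")
    if refused:
        out.append(f"{refused} dhcpd DNS UPDATE(s) answered REFUSED by the name server: the zone's "
                   "update policy rejected them; check allow-update / update-policy for the dhcpd "
                   "TSIG key on the primary zone and look for 'update ... denied' in the named log.")
    other_rcodes = sorted({f[3] for f in report["ddns_failures"]} - {"REFUSED"})
    if other_rcodes:
        out.append("DNS UPDATE failures with other rcodes: " + ", ".join(other_rcodes))
    if report["counts"]["failover_arbitration"]:
        out.append(f"{report['counts']['failover_arbitration']} failover binding update(s) from the peer "
                   "dropped as 'less critical' while this server had its own update for the same lease "
                   "pending: arbitration between the two dhcpd peers, not a DNS error.")
    if report["query_denied"]:
        out.append(f"{len(report['query_denied'])} recursive query(ies) denied by named's "
                   "allow-query-cache ACL: a recursion ACL matter, unrelated to DDNS.")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print("-", line)
```

Two caveats the triage points at, both visible in the posted configuration: the primary zones in ps-dns-01's named.conf.local declare also-notify and allow-transfer but no allow-update or update-policy, and BIND's default for a primary zone is to allow no dynamic updates, which is exactly what a REFUSED answer to dhcpd looks like; and the TSIG key is hmac-md5 with a short base64 secret that has now been posted to a public list, so it should be regenerated (tsig-keygen in BIND 9.18 defaults to hmac-sha256) and the same key name, algorithm and secret placed in both dhcpd.conf and named.conf.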
End of dhcp-users Digest, Vol 173, Issue 2