Hey,
It looks like it refuses to let you update. Looking at your BIND (DNS) 
configuration, you define the 172.16.4.0/22 network as 172.16.4.0/24 and 
you try to add an address for 172.16.5.37; it's identical to having 
172.16.4.0/24 only in your DHCP configuration and trying to add a static 
lease to 172.16.5.37.
Try this:
zone "4-7.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.4-7.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

I also believe using "22/0.4.16.172.in-addr.arpa" should work as well 
(depending on your BIND version).

If you don't need any special requirements, "theforeman/dhcp" and 
"theforeman/dns" should be safe to use.

Erez.
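As an added diagnostic for the REFUSED answer quoted below (my own example, not code from Foreman, BIND or anyone in the thread; the zone list is reconstructed from the posted zones.conf and the function names are mine): it builds the owner name nsupdate would send for an address or hostname and reports which declared zone, if any, encloses it, so a missing reverse zone shows up before the smart proxy ever runs the update.

```python
import ipaddress
import re
from typing import Optional

# Matches the zone "..." { declarations in a named.conf / zones.conf fragment.
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"\s*\{', re.MULTILINE)

# Constructed from the zones.conf quoted below: reverse zones exist only for
# 172.16.2.0/24 and 172.16.4.0/24, while DHCP hands out 172.16.5.x leases.
POSTED_ZONES_CONF = """
zone "2.16.172.in-addr.arpa" { type master; file "db.2.16.172.in-addr.arpa"; };
zone "e4srv" { type master; file "db.e4srv"; };
zone "4.16.172.in-addr.arpa" { type master; file "db.4.16.172.in-addr.arpa"; };
zone "e4prod" { type master; file "db.e4prod"; };
"""

def zone_names(named_conf: str) -> list:
    """Zone names declared in the fragment, lower-cased, without trailing dot."""
    return [z.lower().rstrip(".") for z in ZONE_RE.findall(named_conf)]

def reverse_name(ip: str) -> str:
    """PTR owner name nsupdate builds for an address, e.g. 37.5.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def enclosing_zone(name: str, zones: list) -> Optional[str]:
    """Longest declared zone whose labels are a suffix of name (or name itself).
    named accepts an UPDATE only when the owner name is at or below the apex of
    a zone it is authoritative for; no enclosing zone is what yields REFUSED.
    """
    labels = name.lower().rstrip(".").split(".")
    best = None
    for zone in zones:
        zl = zone.split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(best.split(".")):
                best = zone
    return best

def check_update(target: str, named_conf: str) -> Optional[str]:
    """Zone that would take an A (hostname) or PTR (IP address) update, or None."""
    try:
        owner = reverse_name(target)   # an IP address -> its in-addr.arpa name
    except ValueError:
        owner = target                 # not an IP: treat as a forward hostname
    return enclosing_zone(owner, zone_names(named_conf))

if __name__ == "__main__":
    for target in ("172.16.2.171", "172.16.5.37", "minion.e4prod"):
        print(f"{target:>16} -> {check_update(target, POSTED_ZONES_CONF)}")
```

Run it against the real /etc/named/zones.conf and the address Foreman is about to assign to see which zone, if any, the PTR update would be routed to.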


On Friday, December 9, 2016 at 2:23:58 PM UTC+2, Daniele Gregori (E4) wrote:
>
> Hi Joop, 
>     Thanks for your answer. 
>     I suppose that I have a problem with the DNS zone configuration 
> because I’m a DNS newbie; my idea is to configure a DNS only for internal 
> LAN hostname resolution to use as primary, and a secondary like 8.8.8.8 to 
> resolve external names (this is my simple idea). 
>
>
> For the sake of completeness my dhcpd.conf is: 
>
>
> [root@srv-install dynamic]# cat /etc/dhcp/dhcpd.conf 
> # dhcpd.conf 
> omapi-port 7911; 
>
> default-lease-time 43200; 
> max-lease-time 86400; 
>
> ddns-update-style none; 
>
> #option domain-name "e4srv"; 
> option domain-name-servers 172.16.2.2, 8.8.8.8; 
> option ntp-servers none; 
>
> allow booting; 
> allow bootp; 
>
> option fqdn.no-client-update    on;  # set the "O" and "S" flag bits 
> option fqdn.rcode2            255; 
> option pxegrub code 150 = text ; 
>
> # PXE Handoff. 
> next-server 172.16.2.2; 
> filename "pxelinux.0"; 
>
> log-facility local7; 
>
> include "/etc/dhcp/dhcpd.hosts"; 
>
> # e4srv 
> subnet 172.16.2.0 netmask 255.255.255.0 { 
>   pool 
>   { 
>     range 172.16.2.170 172.16.2.210; 
>   } 
>
>   option subnet-mask 255.255.255.0; 
>   option routers 172.16.2.1; 
>   option domain-name "e4srv"; 
> } 
>
> # e4prod 
> subnet 172.16.4.0 netmask 255.255.252.0 { 
>   pool 
>   { 
>     range 172.16.5.170 172.16.5.210; 
>   } 
>
>   option subnet-mask 255.255.252.0; 
>   option routers 172.16.4.1; 
>   option domain-name "e4prod"; 
> } 
>
> With 2 subnets I have no errors with DHCP. 
>
> So I try to configure DNS manually, but I repeat I’m not a DNS expert, so I 
> changed the config files as follows: 
>
>
>
> [root@srv-install dynamic]# cat /etc/named.conf 
> // named.conf 
>
> include "/etc/rndc.key"; 
>
> controls  { 
>         inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; 
> }; 
>
> options  { 
>         include "/etc/named/options.conf"; 
> }; 
>
> include "/etc/named.rfc1912.zones"; 
>
> // Public view read by Server Admin 
> include "/etc/named/zones.conf"; 
> [root@srv-install dynamic]# 
>
> This is the same configuration with one subnet/domain/zone. 
>
> So I add the new zone as follows: 
>
>
>
> [root@srv-install dynamic]# cat /etc/named/zones.conf 
> #OLD ZONE: 
>  zone "2.16.172.in-addr.arpa" { 
>     type master; 
>     file "/var/named/dynamic/db.2.16.172.in-addr.arpa"; 
>     update-policy { 
>             grant rndc-key zonesub ANY; 
>     }; 
> }; 
> zone "e4srv" { 
>     type master; 
>     file "/var/named/dynamic/db.e4srv"; 
>     update-policy { 
>             grant rndc-key zonesub ANY; 
>     }; 
> }; 
> #NEW ZONE: 
> zone "4.16.172.in-addr.arpa" { 
>     type master; 
>     file "/var/named/dynamic/db.4.16.172.in-addr.arpa"; 
>     update-policy { 
>             grant rndc-key zonesub ANY; 
>     }; 
> }; 
> zone "e4prod" { 
>     type master; 
>     file "/var/named/dynamic/db.e4prod"; 
>     update-policy { 
>             grant rndc-key zonesub ANY; 
>     }; 
> }; 
> [root@srv-install dynamic]# 
>
>
>
> Included files are: 
>
>
>
>
> [root@srv-install dynamic]# cat /var/named/dynamic/db.e4prod 
> $ORIGIN e4prod. 
> $TTL 10800 ; 3 hours 
> e4prod. IN SOA srv-install.e4srv. root.e4hmgm. ( 
> 33         ; serial 
> 86400      ; refresh (1 day) 
> 3600       ; retry (1 hour) 
> 604800     ; expire (1 week) 
> 3600       ; minimum (1 hour) 
> ) 
> NS srv-install.e4srv. 
> [root@srv-install dynamic]# 
>
> [root@srv-install dynamic]# cat /var/named/dynamic/db.4.16.172.in-addr.arpa 
> $ORIGIN 4.16.172.in-addr.arpa. 
> $TTL 10800 ; 3 hours 
> 4.16.172.in-addr.arpa. IN SOA srv-install.e4srv. root.2.16.172.in-addr.arpa. ( 
> 31         ; serial 
> 86400      ; refresh (1 day) 
> 3600       ; retry (1 hour) 
> 604800     ; expire (1 week) 
> 3600       ; minimum (1 hour) 
> ) 
> NS srv-install.e4srv. 
> $TTL 86400 ; 1 day 
> [root@srv-install dynamic]# 
>
>
>
> The old zone files are: 
>
>
>
>
> [root@srv-install dynamic]# cat /var/named/dynamic/db.2.16.172.in-addr.arpa 
> $ORIGIN . 
> $TTL 10800 ; 3 hours 
> 2.16.172.in-addr.arpa IN SOA srv-install.e4srv. root.2.16.172.in-addr.arpa. ( 
> 36         ; serial 
> 86400      ; refresh (1 day) 
> 3600       ; retry (1 hour) 
> 604800     ; expire (1 week) 
> 3600       ; minimum (1 hour) 
> ) 
> NS srv-install.e4srv. 
> $ORIGIN 2.16.172.in-addr.arpa. 
> $TTL 86400 ; 1 day 
> 171 PTR antani01.e4srv. 
> 175 PTR nada.e4srv. 
> 180 PTR fantasia.e4srv. 
> 192 PTR cromo.e4srv. 
> 196 PTR piopio.e4srv. 
> 199 PTR gino.e4srv. 
> 2 PTR srv-install.e4srv. 
> 6 PTR mona.e4srv. 
> [root@srv-install dynamic]# 
>
>
>
> [root@srv-install dynamic]# cat /var/named/dynamic/db.e4srv 
> $ORIGIN . 
> $TTL 10800 ; 3 hours 
> e4srv IN SOA srv-install.e4srv. root.e4srv. ( 
> 34         ; serial 
> 86400      ; refresh (1 day) 
> 3600       ; retry (1 hour) 
> 604800     ; expire (1 week) 
> 3600       ; minimum (1 hour) 
> ) 
> NS srv-install.e4srv. 
> $ORIGIN e4srv. 
> $TTL 86400 ; 1 day 
> antani01 A 172.16.2.171 
> cromo A 172.16.2.192 
> fantasia A 172.16.2.180 
> gino A 172.16.2.199 
> mona A 172.16.2.6 
> nada A 172.16.2.175 
> piopio A 172.16.2.196 
> $TTL 10800 ; 3 hours 
> srv-install A 172.16.2.2 
> [root@srv-install dynamic]# 
>
>
> With that configuration I can manually restart named without error. 
> So in my Foreman configuration I created the new domain and the new subnet, 
> and I associated the domain and subnet with the only DNS/DHCP/TFTP smart proxy 
> I have already defined (I use a single server for all services in my 
> configuration, with a single interface IP network address). 
>
> When I create the new node in the new network/domain I receive this error 
> in /var/log/forema-proxy.proxy.log: 
>
> D, [2016-12-09T13:10:07.027729 #1082] DEBUG -- : verifying remote client 172.16.2.2 against trusted_hosts ["srv-install.e4srv"] 
> D, [2016-12-09T13:10:07.028909 #1082] DEBUG -- : running /usr/bin/nsupdate -k /etc/rndc.key 
> D, [2016-12-09T13:10:07.030624 #1082] DEBUG -- : nsupdate: executed - server 127.0.0.1 
> D, [2016-12-09T13:10:07.030710 #1082] DEBUG -- : nsupdate: executed - update add 37.5.16.172.in-addr.arpa. 86400 PTR minion.e4prod 
> D, [2016-12-09T13:10:07.048025 #1082] DEBUG -- : nsupdate: errors 
> Answer: 
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668 
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 
> ;; ZONE SECTION: 
> ;16.172.in-addr.arpa. IN SOA 
>
> ;; TSIG PSEUDOSECTION: 
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0 
>
> E, [2016-12-09T13:10:07.048322 #1082] ERROR -- : Update errors: Answer: 
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668 
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 
> ;; ZONE SECTION: 
> ;16.172.in-addr.arpa. IN SOA 
>
> ;; TSIG PSEUDOSECTION: 
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0 
>
> D, [2016-12-09T13:10:07.048366 #1082] DEBUG -- : Update errors: Answer: 
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668 
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 
> ;; ZONE SECTION: 
> ;16.172.in-addr.arpa. IN SOA 
>
> ;; TSIG PSEUDOSECTION: 
> rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0 
>
>  (Proxy::Dns::Error) 
>
>
>
>
> Maybe there is something wrong in the DNS config, but I don’t understand what. 
> Any hint? 
>
>
> Another point, what do you mean, with: 
>
>
> You can of course add the foreman puppet modules to your puppet 
> environment, import them and then use them on the foreman master to add 
> the new subnets/domains :-) 
>
> Your idea is to install a puppet class/module from the Forge to manage the DNS 
> server? Do you know a good one? 
>
>
> Thanks 
>
> Daniele 
>
>
> On 9 Dec 2016, at 11:14, jvandewege <[email protected]> wrote: 
>
> On 7-12-2016 16:43, Daniele Gregori (E4) wrote: 
> Hi all, 
>   I’m in trouble with my foreman server; this system manages many clients 
> that are connected to different subnets, see the link for a sketch of the 
> network: 
>
> https://s24.postimg.org/dr7ba31s5/Vlan_Routing.jpg 
>
> The foreman server has just one interface enabled to reach every other 
> subnet and I want to use it to provision every client. 
>
> I defined dhcp, tftp and dns proxy for the first subnet during the 
> provisioning setup and I’m able to provision clients on this subnet. 
> Later I defined a new domain and a new subnet associated to the same 
> proxy-server for dns/dhcp/tftp of the first subnet, but when I try to create a 
> new host I receive this error message from the GUI: 
>
>
> Do you have the definition of the new subnets in your dhcp server and 
> dns server? 
> Provisioning setup does one subnet/domain only, so if you define new 
> subnets/domains within Foreman then you also need to define those in 
> your dns config and in the dhcpd config. 
> You can of course add the foreman puppet modules to your puppet 
> environment, import them and then use them on the foreman master to add 
> the new subnets/domains :-) 
>
> Joop 
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Foreman users" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected]. 
> To post to this group, send email to [email protected]. 
> Visit this group at https://groups.google.com/group/foreman-users. 
> For more options, visit https://groups.google.com/d/optout. 
>
>
