On Tue, 13 Jan 2015, Petr Spacek wrote:

On 13.1.2015 14:52, Mike wrote:
Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I
don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also
not sure if TSIG is the best, or only, way to go.

All machines are CentOS 7 with ipa 3.3.3; actually, only one machine is involved,
the IPA server and dhcpd are running on the same VM.

I followed guide here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
with one exception, I used "grant dhcpupdate zonesub A;" in the ipa
dnszone-mod command.

To test I did this:
nsupdate -k /tmp/testkey
update add newhost.inside.lan 86400 A 10.16.1.99
send

nsupdate works as expected, both forward and reverse records are added.

However updates from dhcpd are rejected, here's a snippet from two log files.
Oh and raising the trace level with 'rndc trace 9' didn't reveal anything
useful (to me anyway).

tail -f /var/log/messages /var/named/data/named.run
==> /var/named/data/named.run <==
12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone
'inside.lan/IN': update failed: rejected by secure update (REFUSED)

==> /var/log/messages <==
Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate:
updating zone 'inside.lan/IN': update failed: rejected by secure update 
(REFUSED)
Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7
(nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2)
via eth0
Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to
10.16.1.203: REFUSED

dhcpd is supposed to do the same thing as nsupdate so this is weird.

You can increase the log level in BIND to 8:
$ rndc trace 8
to get more information about the failure.

An alternative is to use tcpdump/wireshark and compare the packets sent by nsupdate
and dhcpd to see where the difference is.

Feel free to send me packet captures privately if you don't want to post them
to the mailing list.

Have a nice day!


Petr - Thanks for the suggestion, that helped me solve the problem.

Turns out the difference is that dhcpd is also trying to add a TXT record which nsupdate was not (because I didn't tell it to). So adding "grant dhcpupdate zonesub TXT;" to the "ipa dnszone-mod" command fixes the problem.

Actually it appears as though dhcpd tries to add a PTR record if the A and TXT are successful. So I think I need to add "grant dhcpupdate zonesub PTR;" to be complete.

-- Thanks again, Mike
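The thread's fix amounts to checking that a zone's BIND update-policy grants the TSIG key every record type dhcpd will send (A and TXT in the forward zone, PTR in the reverse zone). The script below, an added example that is not from the thread or from FreeIPA, parses an update-policy string the way `ipa dnszone-mod --update-policy` accepts it and reports which of those grants are missing for a key; it assumes the PTR grant belongs on the reverse zone's policy and evaluates only identity and record type, not the optional name field.

```python
import re

# Record types ISC dhcpd sends for one lease with interim-style DDNS: A plus a
# TXT (client identity hash) in the forward zone, PTR in the reverse zone.
# This mirrors what the thread observed; it is an assumption, not read from dhcpd.
DHCPD_FORWARD_TYPES = ("A", "TXT")
DHCPD_REVERSE_TYPES = ("PTR",)

def _norm(name):
    """Compare DNS/key names case-insensitively, ignoring a trailing dot."""
    return name.lower().rstrip(".")

def parse_policy(policy):
    """Split a BIND update-policy string into (action, identity, nametype, types).

    Grammar: grant|deny identity nametype [name] [types...];
    'zonesub' takes no name field; an empty type set means any type.
    """
    rules = []
    for stmt in re.split(r";\s*", policy.strip()):
        tokens = stmt.split()
        if not tokens:
            continue
        if len(tokens) < 3:
            raise ValueError("malformed update-policy rule: %r" % stmt)
        action, identity, nametype = tokens[0].lower(), tokens[1], tokens[2].lower()
        rest = tokens[3:] if nametype == "zonesub" else tokens[4:]
        rules.append((action, identity, nametype, {t.upper() for t in rest}))
    return rules

def allows(policy, key_name, rtype):
    """First matching rule wins, as in BIND; no matching rule means REFUSED."""
    for action, identity, _nametype, types in parse_policy(policy):
        if identity != "*" and _norm(identity) != _norm(key_name):
            continue
        if types and rtype.upper() not in types and "ANY" not in types:
            continue
        return action == "grant"
    return False

def missing_for_dhcpd(forward_policy, reverse_policy, key_name):
    """Record types dhcpd needs that each zone's policy does not grant to key_name."""
    return {
        "forward": [t for t in DHCPD_FORWARD_TYPES if not allows(forward_policy, key_name, t)],
        "reverse": [t for t in DHCPD_REVERSE_TYPES if not allows(reverse_policy, key_name, t)],
    }

if __name__ == "__main__":
    # The policy from the original post: only A granted, so dhcpd's TXT update
    # (and the PTR that follows it) come back REFUSED.
    print(missing_for_dhcpd("grant dhcpupdate zonesub A;",
                            "grant dhcpupdate zonesub A;", "dhcpupdate"))
```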

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project