On Wed, 09 Sep 2015, John Keates wrote:
So I was having a DNS mess the other day and decided to clean it up.
Before, I was running Unbound on pfSense which then had a domain
override to the IPA box. It would forward all queries and IPA-wise all
was well.  Problem was that the domain was also used for a bunch of
other things, like the outside world, and DHCP leases, because I want
to be able to FQDN my machines and VMs.

At first, I thought I could somehow make a weird multi-master setup, or
have Unbound rewrite queries or selectively forward or ignore the
authoritative status of DNS servers, but that’s a rather nasty hackish
way to attempt to fix things, so I went for the option to have DHCPd
feed its leases and updates to BIND, and make Unbound the 2nd DNS
server in case of an IPA meltdown.

This turned out to be not-so-easy as you can’t use GSSAPI on the
pfSense box and the IPA interface doesn’t allow you to create keys just
like that. Solution? Manual edits!  Now, I’m not sure if they will be
preserved, but since I was using SaltStack to manage pretty much
everything config-wise, I just make sure it keeps my settings around.

Here is how to configure things:

BIND-side:

1. Open /etc/named.conf in a root editor
2. Insert a key like this:

key "dhcp-key" {
  algorithm hmac-md5;
  secret    "base64_string_here=";
};

Where the string “dhcp-key” can be anything, but you should remember
what you put in there.  The secret is a base64 string; if you are
slightly clueless about that, use: echo "yoursecrethere" | base64
and you will get your base64 string. Stick it in between the quotes and
you’re good.

3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP 
dynamically push to.
4. Click settings and turn on “Dynamic update” if it’s not on already
5. Add an update policy, in this format:

grant dhcp-key wildcard * ANY;

This is rather insecure as you give anything that authenticates using
the key called “dhcp-key” full update rights for all types on that
zone.  So if you want to restrict it, do so as you please. I believe it
at least wants A and AAAA records and probably TXT.

6. Click the update button and you are all set on this end. Note: if
you want to have reverse lookups as well, you have to repeat step 5 for
the reverse zone too!

pfSense-side:

1. In pfSense, go to the DHCP server page
2. Enable "Enable registration of DHCP client names in DNS."
3. Enter the domain name of the zone you configured in IPA for dynamic updates
4. Enter the required fields (IP of the IPA server, the key name (which is dhcp-key
in this example) and the base64 string you generated)
5. Press save and you’re good!

A few extras:

- You could add IPA as an NTP server here as well
- You should add the IPA server as the 1st DNS server
- You can add pfSense as the 2nd DNS server if you like

Please remember that at this point no DNS-related stuff on pfSense is
used anymore as all clients will talk to IPA for their DNS needs from
now on.  If all you need is the one domain name, for example, if you
use a unique domain just for internal IPA use, you’re better off using
the domain override.

I hope this helps someone, and might work as a basis for more robust
and secure configuration, as this is something I just came up with
today in a test environment.
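An added example, not from the post and not FreeIPA or pfSense code: a small Python helper that generates a random TSIG secret instead of base64-encoding a passphrase, renders the key stanza from step 2, and builds a narrower update policy than `grant dhcp-key wildcard * ANY;`, limited to names under the zone and to the record types the post says DHCP needs. The key name, the zone `example.test`, the reverse zone and the hmac-sha256 algorithm are assumptions (the post uses hmac-md5; BIND accepts either).

```python
import base64
import secrets


def make_tsig_secret(nbytes: int = 32) -> str:
    """Return a fresh TSIG secret: nbytes of OS randomness, base64-encoded.
    A passphrase piped through base64 is not random; it is just re-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_stanza(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """Render the named.conf key block. Rejects secrets that are not valid
    base64 (curly quotes are a common paste error) or are shorter than 16 bytes."""
    raw = base64.b64decode(secret, validate=True)
    if len(raw) < 16:
        raise ValueError("TSIG secret shorter than 16 bytes; use make_tsig_secret()")
    return (
        f'key "{name}" {{\n'
        f"  algorithm {algorithm};\n"
        f'  secret    "{secret}";\n'
        "};\n"
    )


def update_policy(key_name: str, zone: str, types=("A", "AAAA", "TXT")) -> str:
    """Grant the key update rights only for names under `zone` and only for the
    listed record types, instead of `wildcard * ANY`. The reverse zone needs a
    second policy limited to PTR."""
    zone = zone.rstrip(".") + "."
    return f"grant {key_name} wildcard *.{zone} {' '.join(types)};"


if __name__ == "__main__":
    # Assumed names: key "dhcp-key", forward zone example.test, reverse 1.168.192.in-addr.arpa
    secret = make_tsig_secret()
    print(key_stanza("dhcp-key", secret))
    print(update_policy("dhcp-key", "example.test"))
    print(update_policy("dhcp-key", "1.168.192.in-addr.arpa", ("PTR",)))
```

The key stanza can go into a separate file included from named.conf, and the two policy lines are what to paste into the IPA zone's "Dynamic update policy" field instead of the wide-open one.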

This looks reasonable. You may want to put your key definition into
something like /etc/named/my-dhcp-keys.conf and include it from there
via 'include' statements, but I think we don't upgrade named.conf after
it was originally created.

John, could you please add this to FreeIPA wiki?
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project