Hi all,

We use Kea in production with DDNS and two different DNS servers depending on the network:

- Bind is updated with a TSIG key
- AD DNS is updated with a bash script:
  * launched by the 'run script' hook
  * on lease commit, release and expire
  * only for concerned zones
  * using nsupdate with a keytab (kerberos not configured)

We'd like to move to the GSS-TSIG hook so I configured kea-dhcp-ddns reusing the keytab and credentials cache used with nsupdate [1].

First, I wonder if I can still update Bind through a simple TSIG key.

Then, I get an undocumented error I don't understand when restarting the service:

————
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: ERROR [kea-dhcp-ddns.callouts.140342135654272] HOOKS_CALLOUT_ERROR error returned by callout on hook d2_srv_configured registered by library with index 1 (callout address 0x7fa3f0593e90) (callout duration 0.064 ms)
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: ERROR [kea-dhcp-ddns.dhcpddns.140342135654272] DHCP_DDNS_CONFIGURED_CALLOUT_DROP configuration was rejected because a callout set the next step to 'drop': gss_tsig config mismatch: server info can't be found
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: FATAL [kea-dhcp-ddns.dctl.140342135654272] DCTL_CONFIG_FILE_LOAD_FAIL DhcpDdns reason: gss_tsig config mismatch: server info can't be found
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: Service failed: Could Not load configuration file: gss_tsig config mismatch: server info can't be found
————

And finally I wonder if anyone would have done the same kind of thing and if I could get help? I can't find my way through the documentation :(

Cheers.
————
[1] /etc/kea/kea-dhcp-ddns.conf:

{
  "DhcpDdns": {
    "ip-address": "127.0.0.1",
    "port": 53001,
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
      {
        "name": "DDNS_UPDATE",
        "algorithm": "HMAC-SHA256",
        "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      }
    ],
    "forward-ddns": {
      "ddns-domains": [
        {"name": "bind_zone.", "key-name": "DDNS_UPDATE", "dns-servers": [{"ip-address": "10.20.30.40"}]},
        {"name": "ad_zone.", "dns-servers": [{"ip-address": "10.50.60.70"}]} // this is new
      ]
    },
    "hooks-libraries": [ // and all this is new too
      {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libddns_gss_tsig.so",
        "parameters": {
          "server-principal": "DNS/ad_dns.ad_zone.tld@AD_ZONE.TLD",
          "client-keytab": "FILE:/etc/kea/dnsupdate.keytab",
          "credentials-cache": "FILE:/tmp/dhcp-dyndns.cc",
          "fallback": true,
          "servers": [
            {
              "id": "ad_dns",
              "ip-address": "10.50.60.70",
              "port": 53
            }
          ]
        }
      }
    ],
    "loggers": […]
  }
}

--
Olivier LE MONNIER ⏚ – Direction du système d'information > Systèmes
UNICAEN | Université de Caen Normandie – +33(0) 2 31 56 62 09 (en interne 62 09)
--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
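The error quoted in the post is raised before any DNS update is sent, at the moment the GSS-TSIG hook compares its own "servers" list with the DhcpDdns configuration. An offline check that catches the usual mismatches before a service restart is shown below. This is an added example, not part of the post and not a tool shipped with Kea. It assumes, as the "server info can't be found" message suggests, that every server in the hook's "servers" list must correspond by ip-address and port (default 53) to a "dns-servers" entry of some forward-ddns or reverse-ddns domain, and that the hook's optional per-server "domain-names" list may only name domains actually served by that address; both rules are assumptions of this script, not something the post confirms. The sample configuration is constructed, modelled on the one in the post, with a placeholder secret. Kea accepts `//`, `#` and `/* */` comments that `json.loads` rejects, so the script strips them first (a missing comma or similar syntax slip surfaces here as a `JSONDecodeError` with a line and column).

```python
"""Offline consistency check for a kea-dhcp-ddns configuration that loads the
GSS-TSIG hook. Added example; the ip-address/port matching rule it enforces is
an assumption drawn from the 'server info can't be found' message, not Kea's
documented behaviour."""
import json

# Constructed sample modelled on the post's configuration (placeholder secret).
SAMPLE_CONF = r'''
{
  "DhcpDdns": {
    "ip-address": "127.0.0.1",
    "port": 53001,
    "tsig-keys": [
      { "name": "DDNS_UPDATE", "algorithm": "HMAC-SHA256",
        "secret": "PLACEHOLDER_BASE64_SECRET" }
    ],
    "forward-ddns": {
      "ddns-domains": [
        { "name": "bind_zone.", "key-name": "DDNS_UPDATE",
          "dns-servers": [ { "ip-address": "10.20.30.40" } ] },
        // GSS-TSIG zone: no key-name, the hook is expected to sign these updates
        { "name": "ad_zone.", "dns-servers": [ { "ip-address": "10.50.60.70" } ] }
      ]
    },
    "hooks-libraries": [
      { "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libddns_gss_tsig.so",
        "parameters": {
          "server-principal": "DNS/ad_dns.ad_zone.tld@AD_ZONE.TLD",
          "client-keytab": "FILE:/etc/kea/dnsupdate.keytab",
          "credentials-cache": "FILE:/tmp/dhcp-dyndns.cc",
          "fallback": true,
          "servers": [ { "id": "ad_dns", "ip-address": "10.50.60.70", "port": 53 } ]
        } }
    ]
  }
}
'''


def strip_comments(text):
    """Remove the //, # and /* */ comments Kea accepts but json.loads rejects,
    leaving anything inside double-quoted strings untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i) or c == "#":
            j = text.find("\n", i)           # drop to end of line
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)       # drop block comment
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_kea_config(text):
    """Parse Kea's comment-extended JSON; syntax errors raise JSONDecodeError."""
    return json.loads(strip_comments(text))


def ddns_servers(d2):
    """Yield (domain, key-name or None, ip, port) for every DNS server under
    forward-ddns / reverse-ddns. Port defaults to 53 as in Kea."""
    for section in ("forward-ddns", "reverse-ddns"):
        for dom in d2.get(section, {}).get("ddns-domains", []):
            for srv in dom.get("dns-servers", []):
                yield dom["name"], dom.get("key-name"), srv["ip-address"], srv.get("port", 53)


def gss_tsig_servers(d2):
    """Yield (id, ip, port, domain-names) for each server of the GSS-TSIG hook."""
    for lib in d2.get("hooks-libraries", []):
        if lib.get("library", "").endswith("libddns_gss_tsig.so"):
            for srv in lib.get("parameters", {}).get("servers", []):
                yield srv.get("id"), srv["ip-address"], srv.get("port", 53), srv.get("domain-names", [])


def check_config(cfg):
    """Return a list of findings; an empty list means the config is consistent
    under this script's assumptions."""
    d2 = cfg["DhcpDdns"]
    keys = {k["name"] for k in d2.get("tsig-keys", [])}
    by_addr, findings = {}, []
    for name, key, ip, port in ddns_servers(d2):
        by_addr.setdefault((ip, port), set()).add(name)
        if key is not None and key not in keys:   # Kea rejects an unknown key-name
            findings.append(f"domain '{name}' references undefined tsig key '{key}'")
    for sid, ip, port, domains in gss_tsig_servers(d2):
        served = by_addr.get((ip, port))
        if not served:   # assumed cause of 'server info can't be found'
            findings.append(f"gss_tsig server '{sid}' {ip}:{port} is not a dns-server of any ddns-domain")
            continue
        for dn in domains:
            if dn not in served:
                findings.append(f"gss_tsig server '{sid}' lists domain '{dn}' not served by {ip}:{port}")
    return findings


if __name__ == "__main__":
    for line in check_config(load_kea_config(SAMPLE_CONF)) or ["no findings"]:
        print(line)
```

Run it against the real file with `load_kea_config(open("/etc/kea/kea-dhcp-ddns.conf").read())`; the sample passes as written, and changing the hook server's port to something the ddns-domains do not list (or its address) produces the "not a dns-server of any ddns-domain" finding, which is the situation this script assumes lies behind the post's error.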