Hi there,

I have successfully configured KEA-DHCP4 and KEA-DHCP6 for homelab use.
IPv4 and IPv6 addresses are assigned as per configuration (some via
reservations, some via pools). It runs together with BIND9 as DNS. Static
BIND9 works fine for IPv4 and IPv6 (forward and reverse). I amended the
configuration for dynamic DNS updates.

Current result:
DDNS works fine for IPv4. The journal file was created by BIND9. 'A'
records for IPv4 are being written into 'db.local.markert.live' and
corresponding 'PTR' records for IPv4 are being written into 'db.192.168'.
However, no 'AAAA' records are being written into 'db.local.markert.live'
and no corresponding 'PTR' records for IPv6 are being written into
'db.fd00.192.168'.

Expected result:
'A' and 'AAAA' records are being written into 'db.local.markert.live',
'PTR' records for IPv6 are being written into 'db.fd00.192.168' and 'PTR'
records for IPv4 are being written into 'db.192.168'.

For the full configuration and logging details, please see the information below.

Any idea why I am facing this issue?
Help would be highly appreciated. I am not sure whether this is a
KEA or BIND9 issue; if it should be moved to the BIND mailing list,
please let me know.

Thank you.
Best,
C.


Additional Information:

1. Configuration for BIND9/KEA:
1.1 named.conf.local
// TSIG key shared with kea-dhcp-ddns (the Kea side includes /etc/kea/tsig-keys.json).
// NOTE(review): this file holds the shared secret that authorises zone updates;
// confirm it is readable only by the bind user.
include "/etc/bind/dhcp-vmhomeserver.key";

// Forward zone that receives the A/AAAA/DHCID records generated by Kea.
zone "local.markert.live" {
    type primary;
    file "/var/lib/bind/zones/db.local.markert.live"; // zone file local.markert.live
    // Lets the key change A, AAAA and DHCID records at any name matching the
    // wildcard (presumably every name below the apex, not the apex itself -
    // confirm against the BIND ARM). AAAA is already granted here, so the
    // missing AAAA records are not a policy refusal on this zone; a refused
    // update would appear in ddns.log under the update-security category.
    update-policy {
    grant dhcp-vmhomeserver wildcard *.local.markert.live A AAAA DHCID; // IPv4 and IPv6 updates
    };

};

// IPv4 reverse zone. 168.192.in-addr.arpa covers the whole 192.168.0.0/16,
// wider than the /24 named in the comment below; the PTR seen in debug.log is
// 3.3.168.192.in-addr.arpa, i.e. 192.168.3.3.
zone "168.192.in-addr.arpa" {
    type primary;
    file "/var/lib/bind/zones/db.192.168"; // zone file reverse 192.168.0.0/24 (IPv4)
    // PTR and DHCID only; the key cannot add other record types here.
    update-policy {
    grant dhcp-vmhomeserver wildcard *.168.192.in-addr.arpa PTR DHCID; // IPv4 updates
    };
};

// IPv6 reverse zone intended for fd00:192:168::/48.
// NOTE(review): the name below does not describe a /48. Every label in front of
// "8.6.1.0.2.9.1.0.0.0.d.f" pins one more nibble of the address, and the four
// labels immediately before it are 0.0.0.0, so the fourth hextet is fixed to
// 0000; with all twenty leading zero labels (if I count them correctly) the
// name is the full reverse name of the single address fd00:192:168::. The
// reverse name of fd00:192:168:3::1, derived from that address:
// 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa
// therefore lies outside this zone, so no IPv6 PTR from the 3::/64 subnet can
// ever land here. A /48 reverse zone would be named
// 8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa (derived from fd00:192:168::/48 - verify),
// and the same name has to be used in the reverse-ddns section of
// kea-dhcp-ddns.conf. The listing in 1.4 shows db.fd00.192.168 untouched since
// Apr 24 with no .jnl, consistent with no update ever reaching this zone. The
// missing AAAA records in the forward zone are a separate question: debug.log
// shows no IPv6 update attempt at all, so also check whether kea-dhcp6 submits
// any NameChangeRequest (kea-dhcp-ddns.log).
zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa" {
    type primary;
file "/var/lib/bind/zones/db.fd00.192.168"; // zone file reverse fd00:192:168::/48 (IPv6)
update-policy {
    grant dhcp-vmhomeserver wildcard
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa
PTR DHCID; // IPv6 updates
    };
};



// Every category below also fans out to default_debug
// (/var/log/bind/debug.log), which is the file quoted in section 5.1.
logging {
     channel default_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     // NOTE(review): this and several channels below open the same
     // /var/log/bind/default.log as default_log, each with its own
     // versions/size rotation; confirm that BIND rotates cleanly with several
     // channels on one file, or route those categories through default_log.
     channel auth_servers_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel dnssec_log {
          file "/var/log/bind/dnssec.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     // NOTE(review): not referenced by any category below (xfer-in/xfer-out go
     // to default_log); the same holds for client_security_log,
     // rate_limiting_log, rpz_log and dnstap_log - dead definitions that can be
     // dropped or wired up.
     channel zone_transfers_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     // Receives the update and update-security categories, i.e. both accepted
     // and refused dynamic updates; check this file as well as debug.log when
     // an expected update is missing.
     channel ddns_log {
          file "/var/log/bind/ddns.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel client_security_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel rate_limiting_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel rpz_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel dnstap_log {
          file "/var/log/bind/default.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };

     channel queries_log {
          file "/var/log/bind/queries.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };

     // "severity dynamic" follows the server's current debug level (rndc
     // trace); with the level at 0 this behaves like info.
     channel query-errors_log {
          file "/var/log/bind/query-errors.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity dynamic;
     };


     channel default_debug {
          file "/var/log/bind/debug.log" versions 10 size 10m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity dynamic;
     };

     category default { default_log; default_debug; };
     category config { default_log; default_debug; };
     category dispatch { default_log; default_debug; };
     category network { default_log; default_debug; };
     category general { default_log; default_debug; };
     category zoneload { default_log; default_debug; };
     category resolver { auth_servers_log; default_debug; };
     category cname { auth_servers_log; default_debug; };
     category delegation-only { auth_servers_log; default_debug; };
     category lame-servers { auth_servers_log; default_debug; };
     category edns-disabled { auth_servers_log; default_debug; };
     category dnssec { dnssec_log; default_debug; };
     category notify { default_log; default_debug; };
     category xfer-in { default_log; default_debug; };
     category xfer-out { default_log; default_debug; };
     category update{ ddns_log; default_debug; };
     category update-security { ddns_log; default_debug; };
     category client{ default_log; default_debug; };
     category security { default_log; default_debug; };
     category rate-limit { default_log; default_debug; };
     category spill { default_log; default_debug; };
     category database { default_log; default_debug; };
     category rpz { default_log; default_debug; };
     category dnstap { default_log; default_debug; };
     category trust-anchor-telemetry { default_log; default_debug; };
     category queries { queries_log; };
     category query-errors {query-errors_log; };
};

1.2 named.conf.options
# Clients allowed to recurse (used by allow-recursion and allow-update below).
# NOTE(review): 192.168.0.0/24 covers only 192.168.0.0-192.168.0.255. This
# server listens on 192.168.3.1 and the client in debug.log is 192.168.3.3,
# both outside that range; if the whole 192.168/16 is meant (the reverse zone
# 168.192.in-addr.arpa is /16-wide) this should presumably read 192.168.0.0/16.
acl "trusted" {

        192.168.0.0/24;
        fd00:192:168::/48;
};

options {
directory "/var/cache/bind";

recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        # NOTE(review): "trusted" as defined above is 192.168.0.0/24, so IPv4
        # clients in 192.168.3.x (this server itself is 192.168.3.1) would be
        # refused recursion.
        listen-on { 192.168.3.1; };    # nameserver private IPv4 address - listen on private network only
        listen-on-v6 { fd00:192:168:3::1; };    # nameserver private IPv6 address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        # Global default for zones without their own update-policy: the nested
        # negated ACL is the form the BIND ARM documents for "source in
        # trusted AND signed with the key". The three zones in named.conf.local
        # carry an update-policy, which presumably takes precedence; this
        # default then still applies to every other primary zone served (the
        # localhost and 127/255/0.in-addr.arpa zones in the load log).
        allow-update { !{ !trusted; any; }; key dhcp-vmhomeserver. ; };

        # Upstream resolvers. debug.log shows both IPv6 forwarders timing out
        # ("timed out resolving './DNSKEY/IN': 2001:4860:4860::8888#53", and the
        # same for 2606:4700:4700::1111), so this host apparently has no IPv6
        # path to them.
        forwarders {
                8.8.8.8;
                1.1.1.1;
                2001:4860:4860::8888;
                2606:4700:4700::1111;
        };

dnssec-validation auto;

# NOTE(review): second listen-on-v6 statement. BIND accepts several
# listen-on-v6 statements and, as far as I know, applies them cumulatively, so
# named also listens on every IPv6 address of the host - wider than the
# "private network only" intent stated on the first one. Remove this line if
# that is not intended.
listen-on-v6 { any; };
};

1.3 kea-dhcp-ddns.conf
{
"DhcpDdns":
{
  // D2 listens on loopback only. NameChangeRequests from kea-dhcp4/6 are not
  // authenticated, so keeping this on 127.0.0.1 limits who can submit them.
  "ip-address": "127.0.0.1",
  "port": 53001,
  "control-socket": {
      "socket-type": "unix",
      // NOTE(review): a control socket in the shared, world-writable /tmp is
      // weaker than one in a directory writable only by the Kea user; confirm
      // what this installation's Kea version expects for the socket directory.
      "socket-name": "/tmp/kea-ddns-ctrl-socket"
  },

  // TSIG key material lives in a separate file; it is the same secret named
  // trusts for zone updates, so confirm it is readable only by the Kea user.
  <?include "/etc/kea/tsig-keys.json"?>

  "forward-ddns" : {
      "ddns-domains" : [
          {
               "name": "local.markert.live.",
               "key-name": "dhcp-vmhomeserver",
               // Presumably tried in order: debug.log shows the forward updates
               // arriving from fd00:192:168:3::1, the first entry.
               "dns-servers": [
                    {
                        "ip-address": "fd00:192:168:3::1"
                    },
                    {
                        "ip-address": "192.168.3.1"
                    }
               ]
          }
      ]
  },

  "reverse-ddns" : {
      "ddns-domains" : [
          {
               "name": "168.192.in-addr.arpa.",
               "key-name": "dhcp-vmhomeserver",
               "dns-servers": [
                   { "ip-address": "192.168.3.1" }
               ]
          },
          // NOTE(review): the name below has zero labels directly in front of
          // "8.6.1.0.2.9.1.0.0.0.d.f", which pins the fourth hextet to 0000;
          // with all twenty leading zeros it is the reverse name of the single
          // address fd00:192:168::, not of fd00:192:168::/48. The reverse name
          // of any address in fd00:192:168:3::/64 (for example ...3.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa,
          // derived from fd00:192:168:3::1) does not fall under it, so D2 has
          // no matching reverse domain for such leases. A /48 reverse domain
          // would be "8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa." (derived - verify), and
          // the BIND zone in named.conf.local must be renamed to match.
          {
               "name":
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa.",
               "key-name": "dhcp-vmhomeserver",
               "dns-servers": [
                   { "ip-address": "fd00:192:168:3::1" }
               ]
          }

      ]
  },

  // debuglevel 99 is maximum verbosity; /var/log/kea/dhcp-ddns.log is the
  // place to see whether kea-dhcp6 submitted any NameChangeRequest at all -
  // the BIND debug.log excerpt shows none arriving for IPv6.
  "loggers": [
    {
        "name": "kea-dhcp-ddns",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
            {
                "output": "/var/log/kea/dhcp-ddns.log",
                //"pattern": "%-5p %m\n",
                "maxver": 10
            }
        ]
    }
  ]
}
}

1.4 /var/lib/bind/zones:
-rw-r--r-- 1 bind bind 1555 Apr 26 23:10 db.192.168
-rw-r--r-- 1 bind bind 1980 Apr 26 23:10 db.192.168.jnl
-rw-r--r-- 1 bind bind 1479 Apr 24 04:05 db.fd00.192.168
-rw-r--r-- 1 bind bind 1545 Apr 26 23:10 db.local.markert.live
-rw-r--r-- 1 bind bind 2200 Apr 26 23:10 db.local.markert.live.jnl

1.5 usr.sbin.named (in /etc/apparmor.d)
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

profile named /usr/sbin/named flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/*.cnf r,
  /etc/ssl/*.conf r,

  # root hints from dns-data-root
  /usr/share/dns/root.* r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  # Allow changing worker thread names
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # named need to check if hugepages is available
  /sys/kernel/mm/transparent_hugepage/enabled r,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{PROC}/sys/net/ipv4/ip_local_port_range r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,

  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,

  # dynamic updates
  /var/tmp/DNS_* rw,

  # dyndb backends
  /usr/lib/bind/*.so rm,

  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,

  # systemd sd_notify
  /run/systemd/notify w,

  # Log-specific entries
  # The channels in named.conf.local write to /var/log/bind/*.log; the rotated
  # copies are presumably direct children of the directory too, so the
  # single-level glob suffices. "owner" limits this to files owned by named's
  # own uid.
  owner /var/log/bind/* rwk,

  # Dynamic Zone updates
  # "/var/lib/bind/** rw" above already covers this directory; this line adds
  # file locking (k), again only for files owned by named's uid - the listing
  # in 1.4 shows the zone files and journals as bind:bind. Were the profile
  # blocking the IPv6 zone writes, the kernel/audit log would show
  # apparmor="DENIED" entries for named; nothing in the mail indicates that.
  owner /var/lib/bind/zones/* rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>
}

1.6 kea-dhcp4.conf / kea-dhcp6.conf
{
"Dhcp4":
{

// Hands NameChangeRequests to kea-dhcp-ddns. No server-ip/server-port is
// given, so the defaults apply (presumably 127.0.0.1:53001, matching the D2
// listener in kea-dhcp-ddns.conf - confirm).
"dhcp-ddns": {
        "enable-updates": true
     },

     // The server generates a name when the client sends none, and the two
     // override flags make it update DNS even when the client asks to do its
     // own update or asks for none; effectively every lease produces a DNS
     // update. Deliberate for a homelab, but worth knowing.
     "ddns-replace-client-name": "when-not-present",
     "ddns-qualifying-suffix": "local.markert.live",
     "ddns-override-client-update": true,
     "ddns-override-no-update": true,

     // Sanitises client-supplied host names before they reach DNS.
     "hostname-char-set": "[^A-Za-z0-9.-]",
     "hostname-char-replacement": "x",

.........

{

"Dhcp6":
{

// Same DDNS settings as the Dhcp4 server, again relying on the default D2
// address/port (presumably 127.0.0.1:53001 - confirm). The BIND debug.log in
// section 5.1 shows only A/PTR (IPv4) updates from Kea and no AAAA attempt, so
// the first thing to establish is whether this server emits any
// NameChangeRequest at all (kea-dhcp-ddns.log at debug 99 would show received
// requests). Whether kea-dhcp6 generates a request for a client that sends no
// Client FQDN option (option 39) is worth checking in the Kea ARM for the
// installed version.
"dhcp-ddns": {
        "enable-updates": true
     },

        "ddns-replace-client-name": "when-not-present",
        "ddns-qualifying-suffix": "local.markert.live",
        "ddns-override-client-update": true,
        "ddns-override-no-update": true,

        "hostname-char-set": "[^A-Za-z0-9.-]",
        "hostname-char-replacement": "x",

  .........


5. Logs
5.1 bind/debug.log
26-Apr-2025 22:58:22.162 zoneload: info: managed-keys-zone: loaded serial
557
26-Apr-2025 22:58:22.166 zoneload: info: zone 0.in-addr.arpa/IN: loaded
serial 1
26-Apr-2025 22:58:22.182 zoneload: info: zone 168.192.in-addr.arpa/IN:
loaded serial 39
26-Apr-2025 22:58:22.194 zoneload: info: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa/IN:
loaded serial 3
26-Apr-2025 22:58:22.194 notify: info: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa/IN:
sending notifies (serial 3)
26-Apr-2025 22:58:22.194 zoneload: info: zone 255.in-addr.arpa/IN: loaded
serial 1
26-Apr-2025 22:58:22.194 zoneload: info: zone 127.in-addr.arpa/IN: loaded
serial 1
26-Apr-2025 22:58:22.198 notify: info: zone 168.192.in-addr.arpa/IN:
sending notifies (serial 39)
26-Apr-2025 22:58:22.198 zoneload: info: zone local.markert.live/IN: loaded
serial 55
26-Apr-2025 22:58:22.198 zoneload: info: zone localhost/IN: loaded serial 2
26-Apr-2025 22:58:22.198 general: notice: all zones loaded
26-Apr-2025 22:58:22.198 general: notice: running
26-Apr-2025 22:58:23.410 lame-servers: info: timed out resolving
'./DNSKEY/IN': 2001:4860:4860::8888#53
26-Apr-2025 22:58:24.610 lame-servers: info: timed out resolving
'./DNSKEY/IN': 2606:4700:4700::1111#53
26-Apr-2025 22:58:24.622 dnssec: info: managed-keys-zone: Key 20326 for
zone . is now trusted (acceptance timer complete)
26-Apr-2025 22:58:24.622 dnssec: info: managed-keys-zone: Key 38696 for
zone . is now trusted (acceptance timer complete)
26-Apr-2025 22:58:32.206 resolver: notice: resolver priming query complete:
timed out
26-Apr-2025 22:58:57.855 update: info: client @0x7fea9b617168
fd00:192:168:3::1#49017/key dhcp-vmhomeserver: updating zone
'local.markert.live/IN': deleting an RR at debiansandbox.local.markert.live
A
26-Apr-2025 22:58:57.871 update: info: client @0x7feaa5041168
fd00:192:168:3::1#58907/key dhcp-vmhomeserver: updating zone
'local.markert.live/IN': delete all rrsets from name
'debiansandbox.local.markert.live'
26-Apr-2025 22:58:57.883 update: info: client @0x7feaa3e2c168
192.168.3.1#36757/key dhcp-vmhomeserver: updating zone
'168.192.in-addr.arpa/IN': delete all rrsets from name
'3.3.168.192.in-addr.arpa'
26-Apr-2025 22:58:57.891 notify: info: zone 168.192.in-addr.arpa/IN:
sending notifies (serial 40)
26-Apr-2025 22:58:59.163 update: info: client @0x7feaa025a168
fd00:192:168:3::1#41402/key dhcp-vmhomeserver: updating zone
'local.markert.live/IN': adding an RR at 'debiansandbox.local.markert.live'
A 192.168.3.3
26-Apr-2025 22:58:59.163 update: info: client @0x7feaa025a168
fd00:192:168:3::1#41402/key dhcp-vmhomeserver: updating zone
'local.markert.live/IN': adding an RR at 'debiansandbox.local.markert.live'
DHCID AAABK7khAndBJIqWUDuZaDDCuD7KTY8/4Jhb67R1a9+qSj8=
26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168
192.168.3.1#45014/key dhcp-vmhomeserver: updating zone
'168.192.in-addr.arpa/IN': deleting rrset at '3.3.168.192.in-addr.arpa' PTR
26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168
192.168.3.1#45014/key dhcp-vmhomeserver: updating zone
'168.192.in-addr.arpa/IN': deleting rrset at '3.3.168.192.in-addr.arpa'
DHCID
26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168
192.168.3.1#45014/key dhcp-vmhomeserver: updating zone
'168.192.in-addr.arpa/IN': adding an RR at '3.3.168.192.in-addr.arpa' PTR
debiansandbox.local.markert.live.
26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168
192.168.3.1#45014/key dhcp-vmhomeserver: updating zone
'168.192.in-addr.arpa/IN': adding an RR at '3.3.168.192.in-addr.arpa' DHCID
AAABK7khAndBJIqWUDuZaDDCuD7KTY8/4Jhb67R1a9+qSj8=
26-Apr-2025 22:59:02.891 notify: info: zone 168.192.in-addr.arpa/IN:
sending notifies (serial 41)