Hi,

Looking at your BIND configuration, I would not immediately suspect a
BIND problem.  Have you looked here: "/var/log/kea/dhcp-ddns.log" for
any error messages surrounding the addition of AAAA or ip6.arpa records?
Your BIND log excerpt does not show any of these record additions.  If
you found no evidence of these in the BIND logs, then I'd start with
the aforementioned log file.  If nothing is found there, then I'd head to
the kea-dhcp6 log file(s) to look for DDNS-related messages.  You did
not include the kea-dhcp6 log configuration, so I can't make a
recommendation regarding where to look for those logs.

You said this was a home lab.  You might try temporarily allowing
updates from "any;" of any record type in your BIND server
configuration just to make sure it isn't some mistake in the security
policy you've defined.

Thank you,
Darren Ankney

On Sun, Apr 27, 2025 at 12:56 AM Christoph Markert <magg...@gmail.com> wrote:
>
> Hi there,
>
> I have successfully configured KEA-DHCP4 and KEA-DHCP6 for homelab use. IPv4 
> and IPv6 addresses are assigned as per configuration (some via reservations, 
> some via pools). It runs together with BIND9 as DNS. Static BIND9 works fine 
> for IPv4 and IPv6 (forward and reverse). I amended the configuration for 
> dynamic DNS updates.
>
> Current result:
> DDNS works fine for IPv4. The journal file was created by BIND9. 'A' records 
> for IPv4 are being written into 'db.local.markert.live' and corresponding 
> 'PTR' records for IPv4 are being written into 'db.192.168'. However, no 
> 'AAAA' records are being written into 'db.local.markert.live' and no 
> corresponding 'PTR' records for IPv6 are being written into 'db.fd00.192.168'.
>
> Expected result:
> 'A' and 'AAAA' records are being written into 'db.local.markert.live', 'PTR' 
> records for IPv6 are being written into 'db.fd00.192.168' and 'PTR' records 
> for IPv4 are being written into 'db.192.168'.
>
> For further configuration and logging details, please see information below.
>
> Any idea why I am facing this issue?
> Help would be highly appreciated. I am actually not sure whether this is a 
> KEA or BIND9 issue, so if this should be moved to the BIND mailing list, 
> could you please let me know.
>
> Thank you.
> Best,
> C.
>
>
> Additional Information:
>
> 1. Configuration for BIND9/KEA:
> 1.1 named.conf.local
> include "/etc/bind/dhcp-vmhomeserver.key";
>
> zone "local.markert.live" {
>     type primary;
>     file "/var/lib/bind/zones/db.local.markert.live"; // zone file local.markert.live
>     update-policy {
>         grant dhcp-vmhomeserver wildcard *.local.markert.live A AAAA DHCID; // IPv4 and IPv6 updates
>     };
> };
>
> zone "168.192.in-addr.arpa" {
>     type primary;
>     file "/var/lib/bind/zones/db.192.168"; // zone file reverse 192.168.0.0/24 (IPv4)
>     update-policy {
>         grant dhcp-vmhomeserver wildcard *.168.192.in-addr.arpa PTR DHCID; // IPv4 updates
>     };
> };
>
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa" {
>     type primary;
>     file "/var/lib/bind/zones/db.fd00.192.168"; // zone file reverse fd00:192:168::/48 (IPv6)
>     update-policy {
>         grant dhcp-vmhomeserver wildcard *.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa PTR DHCID; // IPv6 updates
>     };
> };
>
>
>
> logging {
>      channel default_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel auth_servers_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel dnssec_log {
>           file "/var/log/bind/dnssec.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel zone_transfers_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel ddns_log {
>           file "/var/log/bind/ddns.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel client_security_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel rate_limiting_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel rpz_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>      channel dnstap_log {
>           file "/var/log/bind/default.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>
>      channel queries_log {
>           file "/var/log/bind/queries.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity info;
>      };
>
>      channel query-errors_log {
>           file "/var/log/bind/query-errors.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity dynamic;
>      };
>
>
>      channel default_debug {
>           file "/var/log/bind/debug.log" versions 10 size 10m;
>           print-time yes;
>           print-category yes;
>           print-severity yes;
>           severity dynamic;
>      };
>
>      category default { default_log; default_debug; };
>      category config { default_log; default_debug; };
>      category dispatch { default_log; default_debug; };
>      category network { default_log; default_debug; };
>      category general { default_log; default_debug; };
>      category zoneload { default_log; default_debug; };
>      category resolver { auth_servers_log; default_debug; };
>      category cname { auth_servers_log; default_debug; };
>      category delegation-only { auth_servers_log; default_debug; };
>      category lame-servers { auth_servers_log; default_debug; };
>      category edns-disabled { auth_servers_log; default_debug; };
>      category dnssec { dnssec_log; default_debug; };
>      category notify { default_log; default_debug; };
>      category xfer-in { default_log; default_debug; };
>      category xfer-out { default_log; default_debug; };
>      category update{ ddns_log; default_debug; };
>      category update-security { ddns_log; default_debug; };
>      category client{ default_log; default_debug; };
>      category security { default_log; default_debug; };
>      category rate-limit { default_log; default_debug; };
>      category spill { default_log; default_debug; };
>      category database { default_log; default_debug; };
>      category rpz { default_log; default_debug; };
>      category dnstap { default_log; default_debug; };
>      category trust-anchor-telemetry { default_log; default_debug; };
>      category queries { queries_log; };
>      category query-errors {query-errors_log; };
> };
>
> 1.2 named.conf.options
> acl "trusted" {
>
>         192.168.0.0/24;
>         fd00:192:168::/48;
> };
>
> options {
>         directory "/var/cache/bind";
>
>         recursion yes;                 # enables recursive queries
>         allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
>         listen-on { 192.168.3.1; };    # nameserver private IPv4 address - listen on private network only
>         listen-on-v6 { fd00:192:168:3::1; };    # nameserver private IPv6 address - listen on private network only
>         allow-transfer { none; };      # disable zone transfers by default
>         allow-update { !{ !trusted; any; }; key dhcp-vmhomeserver. ; };
>
>         forwarders {
>                 8.8.8.8;
>                 1.1.1.1;
>                 2001:4860:4860::8888;
>                 2606:4700:4700::1111;
>         };
>
>         dnssec-validation auto;
>
>         listen-on-v6 { any; };
> };
>
> 1.3 kea-dhcp-ddns.conf
> {
> "DhcpDdns":
> {
>   "ip-address": "127.0.0.1",
>   "port": 53001,
>   "control-socket": {
>       "socket-type": "unix",
>       "socket-name": "/tmp/kea-ddns-ctrl-socket"
>   },
>
>   <?include "/etc/kea/tsig-keys.json"?>
>
>   "forward-ddns" : {
>       "ddns-domains" : [
>           {
>                "name": "local.markert.live.",
>                "key-name": "dhcp-vmhomeserver",
>                "dns-servers": [
>                     {
>                         "ip-address": "fd00:192:168:3::1"
>                     },
>                     {
>                         "ip-address": "192.168.3.1"
>                     }
>                ]
>           }
>       ]
>   },
>
>   "reverse-ddns" : {
>       "ddns-domains" : [
>           {
>                "name": "168.192.in-addr.arpa.",
>                "key-name": "dhcp-vmhomeserver",
>                "dns-servers": [
>                    { "ip-address": "192.168.3.1" }
>                ]
>           },
>           {
>                "name": "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa.",
>                "key-name": "dhcp-vmhomeserver",
>                "dns-servers": [
>                    { "ip-address": "fd00:192:168:3::1" }
>                ]
>           }
>
>       ]
>   },
>
>   "loggers": [
>     {
>         "name": "kea-dhcp-ddns",
>         "severity": "DEBUG",
>         "debuglevel": 99,
>         "output_options": [
>             {
>                 "output": "/var/log/kea/dhcp-ddns.log",
>                 //"pattern": "%-5p %m\n",
>                 "maxver": 10
>             }
>         ]
>     }
>   ]
> }
> }
>
> 1.4 /var/lib/bind/zones:
> -rw-r--r-- 1 bind bind 1555 Apr 26 23:10 db.192.168
> -rw-r--r-- 1 bind bind 1980 Apr 26 23:10 db.192.168.jnl
> -rw-r--r-- 1 bind bind 1479 Apr 24 04:05 db.fd00.192.168
> -rw-r--r-- 1 bind bind 1545 Apr 26 23:10 db.local.markert.live
> -rw-r--r-- 1 bind bind 2200 Apr 26 23:10 db.local.markert.live.jnl
>
> 1.5 usr.sbin.named (in /etc/apparmor.d)
> # vim:syntax=apparmor
> # Last Modified: Fri Jun  1 16:43:22 2007
> #include <tunables/global>
>
> profile named /usr/sbin/named flags=(attach_disconnected) {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>
>   capability net_bind_service,
>   capability setgid,
>   capability setuid,
>   capability sys_chroot,
>   capability sys_resource,
>
>   # /etc/bind should be read-only for bind
>   # /var/lib/bind is for dynamically updated zone (and journal) files.
>   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
>   # See /usr/share/doc/bind9/README.Debian.gz
>   /etc/bind/** r,
>   /var/lib/bind/** rw,
>   /var/lib/bind/ rw,
>   /var/cache/bind/** lrw,
>   /var/cache/bind/ rw,
>
>   # Database file used by allow-new-zones
>   /var/cache/bind/_default.nzd-lock rwk,
>
>   # gssapi
>   /etc/krb5.keytab kr,
>   /etc/bind/krb5.keytab kr,
>
>   # ssl
>   /etc/ssl/*.cnf r,
>   /etc/ssl/*.conf r,
>
>   # root hints from dns-data-root
>   /usr/share/dns/root.* r,
>
>   # GeoIP data files for GeoIP ACLs
>   /usr/share/GeoIP/** r,
>
>   # dnscvsutil package
>   /var/lib/dnscvsutil/compiled/** rw,
>
>   # Allow changing worker thread names
>   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
>
>   # named need to check if hugepages is available
>   /sys/kernel/mm/transparent_hugepage/enabled r,
>
>   @{PROC}/net/if_inet6 r,
>   @{PROC}/*/net/if_inet6 r,
>   @{PROC}/sys/net/ipv4/ip_local_port_range r,
>   /usr/sbin/named mr,
>   /{,var/}run/named/named.pid w,
>   /{,var/}run/named/session.key w,
>   # support for resolvconf
>   /{,var/}run/named/named.options r,
>
>   # some people like to put logs in /var/log/named/ instead of having
>   # syslog do the heavy lifting.
>   /var/log/named/** rw,
>   /var/log/named/ rw,
>
>   # gssapi
>   /var/lib/sss/pubconf/krb5.include.d/** r,
>   /var/lib/sss/pubconf/krb5.include.d/ r,
>   /var/lib/sss/mc/initgroups r,
>   /etc/gss/mech.d/ r,
>
>   # ldap
>   /etc/ldap/ldap.conf r,
>   /{,var/}run/slapd-*.socket rw,
>
>   # dynamic updates
>   /var/tmp/DNS_* rw,
>
>   # dyndb backends
>   /usr/lib/bind/*.so rm,
>
>   # Samba DLZ
>   /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
>   /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
>   /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
>   /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
>   /var/lib/samba/bind-dns/dns.keytab rk,
>   /var/lib/samba/bind-dns/named.conf r,
>   /var/lib/samba/bind-dns/dns/** rwk,
>   /var/lib/samba/private/dns.keytab rk,
>   /var/lib/samba/private/named.conf r,
>   /var/lib/samba/private/dns/** rwk,
>   /etc/samba/smb.conf r,
>   /dev/urandom rwmk,
>   owner /var/tmp/krb5_* rwk,
>
>   # systemd sd_notify
>   /run/systemd/notify w,
>
>   # Log-specific entries
>   owner /var/log/bind/* rwk,
>
>   # Dynamic Zone updates
>   owner /var/lib/bind/zones/* rwk,
>
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/usr.sbin.named>
> }
>
> 1.6 kea-dhcp4.conf / kea-dhcp6.conf
> {
> "Dhcp4":
> {
>
> "dhcp-ddns": {
>         "enable-updates": true
>      },
>
>      "ddns-replace-client-name": "when-not-present",
>      "ddns-qualifying-suffix": "local.markert.live",
>      "ddns-override-client-update": true,
>      "ddns-override-no-update": true,
>
>      "hostname-char-set": "[^A-Za-z0-9.-]",
>      "hostname-char-replacement": "x",
>
> .........
>
> {
>
> "Dhcp6":
> {
>
> "dhcp-ddns": {
>         "enable-updates": true
>      },
>
>         "ddns-replace-client-name": "when-not-present",
>         "ddns-qualifying-suffix": "local.markert.live",
>         "ddns-override-client-update": true,
>         "ddns-override-no-update": true,
>
>         "hostname-char-set": "[^A-Za-z0-9.-]",
>         "hostname-char-replacement": "x",
>
>   .........
>
>
> 5. Logs
> 5.1 bind/debug.log
> 26-Apr-2025 22:58:22.162 zoneload: info: managed-keys-zone: loaded serial 557
> 26-Apr-2025 22:58:22.166 zoneload: info: zone 0.in-addr.arpa/IN: loaded serial 1
> 26-Apr-2025 22:58:22.182 zoneload: info: zone 168.192.in-addr.arpa/IN: loaded serial 39
> 26-Apr-2025 22:58:22.194 zoneload: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa/IN: loaded serial 3
> 26-Apr-2025 22:58:22.194 notify: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa/IN: sending notifies (serial 3)
> 26-Apr-2025 22:58:22.194 zoneload: info: zone 255.in-addr.arpa/IN: loaded serial 1
> 26-Apr-2025 22:58:22.194 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 1
> 26-Apr-2025 22:58:22.198 notify: info: zone 168.192.in-addr.arpa/IN: sending notifies (serial 39)
> 26-Apr-2025 22:58:22.198 zoneload: info: zone local.markert.live/IN: loaded serial 55
> 26-Apr-2025 22:58:22.198 zoneload: info: zone localhost/IN: loaded serial 2
> 26-Apr-2025 22:58:22.198 general: notice: all zones loaded
> 26-Apr-2025 22:58:22.198 general: notice: running
> 26-Apr-2025 22:58:23.410 lame-servers: info: timed out resolving './DNSKEY/IN': 2001:4860:4860::8888#53
> 26-Apr-2025 22:58:24.610 lame-servers: info: timed out resolving './DNSKEY/IN': 2606:4700:4700::1111#53
> 26-Apr-2025 22:58:24.622 dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
> 26-Apr-2025 22:58:24.622 dnssec: info: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
> 26-Apr-2025 22:58:32.206 resolver: notice: resolver priming query complete: timed out
> 26-Apr-2025 22:58:57.855 update: info: client @0x7fea9b617168 fd00:192:168:3::1#49017/key dhcp-vmhomeserver: updating zone 'local.markert.live/IN': deleting an RR at debiansandbox.local.markert.live A
> 26-Apr-2025 22:58:57.871 update: info: client @0x7feaa5041168 fd00:192:168:3::1#58907/key dhcp-vmhomeserver: updating zone 'local.markert.live/IN': delete all rrsets from name 'debiansandbox.local.markert.live'
> 26-Apr-2025 22:58:57.883 update: info: client @0x7feaa3e2c168 192.168.3.1#36757/key dhcp-vmhomeserver: updating zone '168.192.in-addr.arpa/IN': delete all rrsets from name '3.3.168.192.in-addr.arpa'
> 26-Apr-2025 22:58:57.891 notify: info: zone 168.192.in-addr.arpa/IN: sending notifies (serial 40)
> 26-Apr-2025 22:58:59.163 update: info: client @0x7feaa025a168 fd00:192:168:3::1#41402/key dhcp-vmhomeserver: updating zone 'local.markert.live/IN': adding an RR at 'debiansandbox.local.markert.live' A 192.168.3.3
> 26-Apr-2025 22:58:59.163 update: info: client @0x7feaa025a168 fd00:192:168:3::1#41402/key dhcp-vmhomeserver: updating zone 'local.markert.live/IN': adding an RR at 'debiansandbox.local.markert.live' DHCID AAABK7khAndBJIqWUDuZaDDCuD7KTY8/4Jhb67R1a9+qSj8=
> 26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168 192.168.3.1#45014/key dhcp-vmhomeserver: updating zone '168.192.in-addr.arpa/IN': deleting rrset at '3.3.168.192.in-addr.arpa' PTR
> 26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168 192.168.3.1#45014/key dhcp-vmhomeserver: updating zone '168.192.in-addr.arpa/IN': deleting rrset at '3.3.168.192.in-addr.arpa' DHCID
> 26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168 192.168.3.1#45014/key dhcp-vmhomeserver: updating zone '168.192.in-addr.arpa/IN': adding an RR at '3.3.168.192.in-addr.arpa' PTR debiansandbox.local.markert.live.
> 26-Apr-2025 22:58:59.179 update: info: client @0x7feaa3e2c168 192.168.3.1#45014/key dhcp-vmhomeserver: updating zone '168.192.in-addr.arpa/IN': adding an RR at '3.3.168.192.in-addr.arpa' DHCID AAABK7khAndBJIqWUDuZaDDCuD7KTY8/4Jhb67R1a9+qSj8=
> 26-Apr-2025 22:59:02.891 notify: info: zone 168.192.in-addr.arpa/IN: sending notifies (serial 41)
>
>
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
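An added example for this archive page, not part of either message and not code from Kea or BIND: a small Python script that re-implements, from Kea's documented behaviour, the rule kea-dhcp-ddns (D2) uses to choose a ddns-domain for a request, namely the configured domain whose name is the longest label suffix of the FQDN (forward) or of the lease's reverse name (reverse). A request with no matching domain is rejected by D2 and never reaches BIND, which is why such a failure leaves no trace in BIND's update log and only shows up in dhcp-ddns.log. The domain names below are copied from the posted kea-dhcp-ddns.conf; the IPv4 address is the lease visible in the posted BIND log, and the IPv6 address is a constructed sample inside the fd00:192:168::/48 prefix the poster's comments describe, since no IPv6 lease appears in the post. Run against those names it shows that the configured ip6.arpa name has 32 nibble labels and therefore covers only fd00:192:168::/128, while the reverse zone for fd00:192:168::/48 would have 12 nibbles.

```python
"""Offline check of Kea DHCP-DDNS (D2) ddns-domain selection for the posted config.

Added example; not Kea's code and not the poster's. The matching rule is a
re-implementation of Kea's documented longest-suffix selection, so the names
from the posted kea-dhcp-ddns.conf can be tested without a running server.
"""
import ipaddress

# Domain names exactly as in the posted kea-dhcp-ddns.conf.
FORWARD_DOMAINS = ["local.markert.live."]
REVERSE_DOMAINS = [
    "168.192.in-addr.arpa.",
    "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.1.0.2.9.1.0.0.0.d.f.ip6.arpa.",
]


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring the trailing dot."""
    return [label.lower() for label in name.split(".") if label]


def match_domain(name, domains):
    """Return the configured domain that is the longest label suffix of name, else None."""
    want = _labels(name)
    best, best_len = None, -1
    for dom in domains:
        dl = _labels(dom)
        if len(dl) <= len(want) and want[len(want) - len(dl):] == dl and len(dl) > best_len:
            best, best_len = dom, len(dl)
    return best


def reverse_name(addr):
    """in-addr.arpa / ip6.arpa name of an address (nibble format for IPv6), with trailing dot."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_for_prefix(prefix):
    """Reverse zone name for an octet-aligned IPv4 or nibble-aligned IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    labels = net.network_address.reverse_pointer.split(".")
    data, suffix = labels[:-2], labels[-2:]  # address labels, then in-addr/ip6 + arpa
    keep = net.prefixlen // (8 if net.version == 4 else 4)  # one label per octet or nibble
    return ".".join(data[len(data) - keep:] + suffix) + "."


def prefix_covered(zone):
    """Address block a reverse zone name covers: N in-addr labels -> /8N, N ip6 nibbles -> /4N."""
    labels = _labels(zone)
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        hexstr = nibbles.ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = list(reversed(labels[:-2]))
        addr = ".".join((octets + ["0"] * 4)[:4])
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    raise ValueError(f"not a reverse zone name: {zone}")


def check_lease(fqdn, addr):
    """Report which forward and reverse domain D2 would pick for one lease."""
    rev = reverse_name(addr)
    return {
        "fqdn": fqdn,
        "forward": match_domain(fqdn, FORWARD_DOMAINS),
        "reverse_name": rev,
        "reverse": match_domain(rev, REVERSE_DOMAINS),
    }


if __name__ == "__main__":
    # Sample leases: the IPv4 address from the posted BIND log, and a constructed
    # IPv6 address inside the fd00:192:168::/48 prefix (no IPv6 lease is in the post).
    for fqdn, addr in [("debiansandbox.local.markert.live.", "192.168.3.3"),
                       ("debiansandbox.local.markert.live.", "fd00:192:168:3::10")]:
        print(check_lease(fqdn, addr))
    for zone in REVERSE_DOMAINS:
        print(f"{zone} covers {prefix_covered(zone)}")
    print("zone for fd00:192:168::/48 would be", reverse_zone_for_prefix("fd00:192:168::/48"))
```

Running it prints the domain chosen for each lease and the prefix each configured reverse name covers; for the IPv6 sample the reverse match is None. The same 32-nibble name is used for the zone in the posted named.conf.local, so BIND's zone name and file would need to change together with the Kea reverse-ddns entry. Whether this is what is happening here is exactly what a "no match" error for the reverse domain in /var/log/kea/dhcp-ddns.log, the file Darren points to, would confirm.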
