On 9/22/25 17:49, Charles Curley wrote:
I have a new installation of Debian 13 (trixie), and I am bringing up
kea (2.6.3-1) and bind9 (1:9.20.11-4). These are the versions packaged
with Debian 13.

I believe kea is handing out IPv4 addresses successfully. They show up
in the two leases files at /var/lib/kea/kea-leases4.csv*.

I have bind9 working. What I don't have working is kea updating
bind9. I get stanzas like the following:

--------------------------------------------------
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN  DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]:   The request has been discarded.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN  DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]:   The request has been discarded.
--------------------------------------------------

Meanwhile bind9 is silent.


Partial bind9:
--------------------------------------------------
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
        algorithm hmac-md5;
        secret "<redacted>";
};

key "tsig-key" {
        algorithm hmac-sha256;
        secret "<redacted>";
};

…

zone "localdomain" IN {
        type master;
        file "/var/cache/bind/sites/localdomain/forward.zone";
        allow-transfer { 127.0.0.1; 192.168.100.6; 192.168.100.16; };
        # allow-update { key "rndc_key"; };
        allow-update { key "tsig-key"; };
        zone-statistics yes;
        notify no;
        # also-notify { };
};
--------------------------------------------------

Partial kea-dhcp-ddns.conf
--------------------------------------------------
"DhcpDdns":
{
   "ip-address": "127.0.0.1",
   "port": 53001,
   "control-socket": {
       "socket-type": "unix",
       "socket-name": "kea-ddns-ctrl-socket"
   },
   "tsig-keys": [
     {   "name": "tsig-key",
        "algorithm": "hmac-sha256",
        "secret": "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=" }
         ],
   "forward-ddns" : {
       "ddns-domains" : [
           {
                "name": "localdomain",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.100.12" }
                ]
           }
       ]
   },
   "reverse-ddns" : {
       "ddns-domains" : [
           {
                "name": "100.168.192.in-addr.arpa.",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.100.12" }
                ]
           }
       ]
   },
--------------------------------------------------



Kea does not use DNS-aware name comparisons, but simple case-insensitive string comparisons, when attempting to locate a matching domain in your configuration for a DDNS update request. FQDNs in update requests will always end with a trailing period, but your domain name in your DDNS config does not, which is what's causing the error.

Note that while you redacted your TSIG key from your BIND config before posting, you did not do the same for your DDNS config. Since you're using RFC 1918 IP addresses, this may not be a real concern, but I thought I'd point it out just in case.

-Doug
--
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
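
Added example, not part of the original thread and not Kea's own code: a small pre-flight check for a kea-dhcp-ddns config that models the string matching described in the reply, flags ddns-domains names without the trailing period, and blanks TSIG secrets before the file is posted. The function names, the simplified matching rule and the embedded sample config (plain JSON, placeholder secret) are assumptions made for illustration.

```python
import copy
import json

# Constructed sample mirroring the shape of the posted kea-dhcp-ddns.conf
# (plain JSON only; the secret is a placeholder, not a real key).
SAMPLE = json.loads("""
{"DhcpDdns": {
  "tsig-keys": [{"name": "tsig-key", "algorithm": "hmac-sha256",
                 "secret": "PLACEHOLDER-NOT-A-REAL-KEY"}],
  "forward-ddns": {"ddns-domains": [
    {"name": "localdomain", "key-name": "tsig-key",
     "dns-servers": [{"ip-address": "192.168.100.12"}]}]},
  "reverse-ddns": {"ddns-domains": [
    {"name": "100.168.192.in-addr.arpa.", "key-name": "tsig-key",
     "dns-servers": [{"ip-address": "192.168.100.12"}]}]}
}}
""")


def match_domain(fqdn, names):
    """Simplified model of the behaviour described in the reply:
    case-insensitive string suffix match on a label boundary, longest
    configured name wins. No DNS-aware normalisation of the trailing dot."""
    f, best = fqdn.lower(), None
    for name in names:
        n = name.lower()
        if (f == n or f.endswith("." + n)) and (best is None or len(n) > len(best)):
            best = name
    return best


def lint_domains(conf):
    """Return (section, name) for every ddns-domain lacking the trailing dot."""
    d2 = conf["DhcpDdns"]
    return [(sec, dom["name"])
            for sec in ("forward-ddns", "reverse-ddns")
            for dom in d2.get(sec, {}).get("ddns-domains", [])
            if not dom["name"].endswith(".")]


def redact(conf):
    """Return a copy of the config with every TSIG secret blanked."""
    out = copy.deepcopy(conf)
    for key in out["DhcpDdns"].get("tsig-keys", []):
        if "secret" in key:
            key["secret"] = "<redacted>"
    return out
```

Running lint_domains() on the sample reports only the forward domain, which is the entry behind DHCP_DDNS_NO_FWD_MATCH_ERROR in the posted log; the reverse domain already carries its trailing period.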