It seems like it would be a big headache to do this via dhclient for new Puppet hosts, unless you want to set up a means of distributing a default dhclient.conf to all new hosts...
I've centralized all DDNS updates on the "provisioning server," which runs Puppet and the Cobbler services (DHCP, TFTP, NFS/HTTP repository mirroring). If all you want to do is get your DHCP server to send DDNS updates to your nameserver, that's an implementation-specific question. ISC DHCPD supports secure DDNS updates, but I'm saddled with AD primaries and I immediately got a twitchy feeling at the idea of integrating my open, standards-based DHCP server with my "open," "standards-based" Microsoft AD nameserver. My solution was to allow insecure updates to some private zone files from only one IP - the DHCP server. It's not ideal, but somehow I don't think setting up secure DNS updates would be as simple as it is with bind...

On the DHCP server, I added these lines to the global section of the dhcpd.conf file (actually the config template, since cobbler auto-generates a new one every time I run "cobbler sync"):

# works with AD
ddns-update-style interim;

# fancy default hostname generator, prefers client-supplied hostname, then
# configured dhcpd.conf hostname, then finally defaults to "dhcp-AAA-BBB-CCC-DDD"
ddns-hostname = pick(option fqdn.hostname, option host-name,
                     concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));

# domain name to use for ddns.
ddns-domainname "whatever.local";

# this actually turns on ddns updates.
ddns-updates on;

# let host-supplied hostnames through. windows clients LOVE this.
use-host-decl-names on;

# send nsupdates even on static DHCP leases.
update-static-leases on;

# don't let clients update their own address records.
deny client-updates;

# don't allow duplicate A / PTR records.
deny duplicates;

[-- stop copying here. --]

This is pretty much the config I use, and it works for me.

On Thu, Jul 15, 2010 at 6:53 AM, Harihara Vinayakaram <[email protected]> wrote:
> Hi Wagner
> Could you elaborate a bit more please. The problem for me is that
> only secure updates work for the DDNS. I have got it working by doing
> an update of the dhclient.conf, dhclient-exit-hooks as well as the
> keys as part of the preseed late_command. But it looks more of a hack
> to me and I am looking at an easier way to do this.
>
> Doing it from puppet seems a nice thing to do but my puppet clients
> cannot be signed since the reverse DNS is not working until the
> nsupdate is done. I am using auto sign.
>
> Would love to get more details about your setup.
>
> Thanks
> Regards
> Hari
>
> On Jul 14, 8:41 pm, Steven Wagner <[email protected]> wrote:
>> ISC dhcpd supports secure DDNS updates. It will send an update as
>> it's handing out an IP address. For this to work, you do need to
>> figure out a way to determine the DDNS hostname. You can trust the
>> hostname passed by the client, and/or you can override it with one you
>> generate yourself.
>>
>> The way I'm handling DDNS is:
>>
>> * Generic forward/reverse rules in dhcpd.conf for everybody.
>> * Specifically-named host entries get added/sync'd to dhcpd.conf
>> through Cobbler.
>> * An additional layer of A/PTR and CNAME records is handled through a
>> Puppet class.
>>
>> The first two points are pretty well-documented through Google. The
>> last seemed like a neat way of dealing with vhosts and Puppet nodes in
>> general, and was kind of my test class for storeconfigs. DDNS update
>> objects are exported on the Puppet clients (as part of an Apache vhost
>> declaration, for example) and collected on the server that runs
>> Cobbler and DHCP (which is authorized to send DDNS updates to the
>> domains we're working with).
>>
>> It works pretty well!
>>
>> On Jul 14, 2010, at 9:15 AM, Harihara Vinayakaram wrote:
>> > Hi
>> > I have a set up that runs puppetmasterd, DDNS, DHCP etc on one
>> > server. I have managed to PXE boot Ubuntu 10.04 clients and setup
>> > puppet clients. The ultimate goal is to run Hadoop on the nodes. I
>> > have some observations on the process and I am wondering if there is
>> > any easier way to do it. I am running this on 50 physical nodes.
>> >
>> > 1. Puppet clients work only if the DNS (both forward and reverse)
>> > work. For DDNS to work (at least on Ubuntu clients) secure DDNS is
>> > the only way. This needs a dhclient-exit-hook per machine and also a
>> > send fqdn.fqdn from each machine's dhclient.conf.
>> >
>> > To solve this my preseed.cfg contains a late-command which
>> > transfers a script to the client machine which does a series of wget
>> > and some sed manipulations. Looking from the outside it does look a
>> > bit complicated and I see a maintenance problem. Is there an easier way
>> > to do this?
>> >
>> > Regards
>> > Hari
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Puppet Users" group.
>> > To post to this group, send email to [email protected].
>> > To unsubscribe from this group, send email to
>> > [email protected].
>> > For more options, visit this group
>> > at http://groups.google.com/group/puppet-users?hl=en.
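Steven's config above deliberately leaves the zones open to unsigned updates from the DHCP server's address, because his primaries are AD. For the BIND case the thread mentions (a single server running dhcpd and named, as in Hari's setup), the same dhcpd.conf directives can be paired with a TSIG key so that named accepts an update only when it is signed, not merely because of its source address. The following is an added example, not the poster's configuration and not part of the original thread; the key name "dhcp-ddns", the zone names, the 192.0.2.x addresses and the secret placeholder are all constructed.

```conf
## dhcpd.conf, global section -- added example (assumed names and addresses).
## Reuses the directives shown in the thread, then adds the key and zone blocks.

ddns-update-style interim;
ddns-updates on;
ddns-domainname "whatever.local";
update-static-leases on;
deny client-updates;

# Shared secret with the nameserver. Generate it with `tsig-keygen dhcp-ddns`
# (BIND 9.11+) and paste it here; older dhcpd builds may only offer hmac-md5.
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen -- placeholder>";
};

# Every A/PTR update for these zones goes to the primary, signed with the key.
zone whatever.local. {
    primary 192.0.2.53;       # constructed: address of the BIND primary
    key dhcp-ddns;
}
zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-ddns;
}

## named.conf on the BIND primary -- added example (assumed names).

key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "<the same base64 secret -- placeholder>";
};

# Weak form, equivalent to "insecure updates from only one IP" in the thread:
# the check is on the packet's source address, which a host on the same
# network segment can forge, so the whole zone is writable by anyone who can.
#   allow-update { 192.0.2.10; };
#
# Corrected form: an update is accepted only if it carries a valid TSIG
# signature under the shared key; the source address no longer matters.
zone "whatever.local" IN {
    type master;
    file "dynamic/whatever.local.zone";
    allow-update { key "dhcp-ddns"; };
};
zone "2.0.192.in-addr.arpa" IN {
    type master;
    file "dynamic/2.0.192.in-addr.arpa.zone";
    allow-update { key "dhcp-ddns"; };
};
```

Keep the file holding the secret readable only by the dhcpd and named service accounts (or put the key block in its own file and `include` it from both configs), and run `named-checkconf` after editing. Once a zone is dynamic, named keeps its changes in a journal; edit the zone file by hand only between `rndc freeze` and `rndc thaw`, otherwise the journal and the file diverge.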
