Re: [Kea-users] kea not updating bind9
On 9/22/25 17:49, Charles Curley wrote:
I have a new installation of Debian 13 (trixie), and I am bringing up
kea (2.6.3-1) and bind9 (1:9.20.11-4). These are the versions packaged
with Debian 13.
I believe kea is handing out IPv4 addresses successfully. They show up
in the two leases files at /var/lib/kea/kea-leases4.csv*.
I have bind9 working. What I don't have working is kea updating
bind9. I get stanzas like the following:
--
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: The request has been discarded.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: WARN DHCP_DDNS_NO_MATCH No DNS servers match FQDN perigrine.localdomain.
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: ERROR DHCP_DDNS_NO_FWD_MATCH_ERROR Request ID 000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70: the configured list of forward DDNS domains does not contain a match for: Type: 1 (CHG_REMOVE)
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Forward Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Reverse Change: yes
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: FQDN: [perigrine.localdomain.]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: IP Address: [192.168.100.47]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: DHCID: [000101DF371CED11EB6079AD67B29A945C943D2740259076198B28C32577D28B999B70]
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Expires On: 20250922183519
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Lease Length: 1200
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: Conflict Resolution Mode: check-with-dhcid
Sep 22 13:15:21 issola kea-dhcp-ddns[38297]: The request has been discarded.
--
Meanwhile bind9 is silent.
Partial bind9:
--
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "";
};
key "tsig-key" {
    algorithm hmac-sha256;
    secret "";
};
…
zone "localdomain" IN {
    type master;
    file "/var/cache/bind/sites/localdomain/forward.zone";
    allow-transfer { 127.0.0.1; 192.168.100.6; 192.168.100.16; };
    # allow-update { key "rndc_key"; };
    allow-update { key "tsig-key"; };
    zone-statistics yes;
    notify no;
    # also-notify { };
};
--
Partial kea-dhcp-ddns.conf
--
"DhcpDdns":
{
    "ip-address": "127.0.0.1",
    "port": 53001,
    "control-socket": {
        "socket-type": "unix",
        "socket-name": "kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
        { "name": "tsig-key",
          "algorithm": "hmac-sha256",
          "secret": "Lh4eU13Kay9ZR4Wjf5r7+L5Bx11PWWlpkjyHqEUCLQE=" }
    ],
    "forward-ddns" : {
        "ddns-domains" : [
            {
                "name": "localdomain",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.100.12" }
                ]
            }
        ]
    },
    "reverse-ddns" : {
        "ddns-domains" : [
            {
                "name": "100.168.192.in-addr.arpa.",
                "key-name": "tsig-key",
                "dns-servers": [
                    { "ip-address": "192.168.100.12" }
                ]
            }
        ]
    },
--
Kea does not use DNS-aware name comparisons, but simple case-insensitive
string comparisons, when attempting to locate a matching domain in your
configuration for a DDNS update request. FQDNs in update requests will
always end with a trailing period, but your domain name in your DDNS
config does not, which is what's causing the error.
Note that while you redacted your TSIG key from your BIND config before
posting, you did not do the same for your DDNS config. Since you're
using RFC 1918 IP addresses, this may not be a real concern, but I
thought I'd point it out just in case.
-Doug
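The following is an added example, not code from Kea or from anyone in this thread. It turns the matching rule Doug describes (a DNS-unaware, case-insensitive string comparison of the request FQDN against each configured ddns-domain name) into a small linter for a DhcpDdns config: it models the match, flags any domain name that lacks the trailing period and so can never match an FQDN, and produces a copy of the config with TSIG secrets redacted for posting. Two details are assumptions rather than something the thread states: that the longest matching name wins when several match, and that a domain named "*" acts as a catch-all used only when nothing else matches. The sample config is constructed in the shape of the one posted above, with a placeholder in place of the secret.

```python
"""Model Kea's DDNS domain matching and lint a DhcpDdns config for the
trailing-period pitfall discussed in the thread.

Added example, not Kea's own code. It reproduces the rule described above
(plain case-insensitive suffix comparison) and ASSUMES longest-match-wins
and a "*" catch-all domain; both are assumptions, not facts from the thread.
"""
import copy
import json

# Constructed sample in the shape of the posted kea-dhcp-ddns.conf. The
# forward domain deliberately lacks the trailing period; the secret is a
# placeholder, not a real key.
SAMPLE_CONFIG = {
    "DhcpDdns": {
        "ip-address": "127.0.0.1",
        "port": 53001,
        "tsig-keys": [
            {"name": "tsig-key", "algorithm": "hmac-sha256",
             "secret": "PLACEHOLDER-NOT-A-REAL-KEY=="}
        ],
        "forward-ddns": {"ddns-domains": [
            {"name": "localdomain", "key-name": "tsig-key",
             "dns-servers": [{"ip-address": "192.168.100.12"}]}
        ]},
        "reverse-ddns": {"ddns-domains": [
            {"name": "100.168.192.in-addr.arpa.", "key-name": "tsig-key",
             "dns-servers": [{"ip-address": "192.168.100.12"}]}
        ]},
    }
}


def match_domain(fqdn, names):
    """Return the configured name that matches fqdn, or None.

    DNS-unaware, case-insensitive suffix comparison, as described in the
    thread. Request FQDNs always end in '.', so a configured name without
    one can never be a suffix of them. Longest match wins; a "*" entry is
    used only as a fallback (assumed behaviour).
    """
    fqdn_lc = fqdn.lower()
    best = None
    wildcard = None
    for name in names:
        if name == "*":
            wildcard = name
            continue
        if fqdn_lc.endswith(name.lower()) and (best is None or len(name) > len(best)):
            best = name
    return best if best is not None else wildcard


def domain_names(config, section):
    """List the ddns-domain names in 'forward-ddns' or 'reverse-ddns'."""
    domains = config["DhcpDdns"].get(section, {}).get("ddns-domains", [])
    return [d["name"] for d in domains]


def diagnose(config, fqdn, section="forward-ddns"):
    """Say, in the spirit of the DHCP_DDNS_NO_MATCH log line, whether an
    update for fqdn would find a configured domain in the given section."""
    matched = match_domain(fqdn, domain_names(config, section))
    if matched is None:
        return f"DHCP_DDNS_NO_MATCH: no {section} domain matches FQDN {fqdn}"
    return f"{fqdn} -> {section} domain {matched!r}"


def lint_ddns_domains(config):
    """Flag every configured domain name (other than '*') lacking a trailing '.'."""
    warnings = []
    for section in ("forward-ddns", "reverse-ddns"):
        for name in domain_names(config, section):
            if name != "*" and not name.endswith("."):
                warnings.append(
                    f"{section}: name {name!r} has no trailing '.' "
                    f"and can never match a request FQDN")
    return warnings


def redact_secrets(config):
    """Return a deep copy of the config with every TSIG secret replaced,
    so the file can be shared without leaking the key."""
    out = copy.deepcopy(config)
    for key in out["DhcpDdns"].get("tsig-keys", []):
        if "secret" in key:
            key["secret"] = "<REDACTED>"
    return out


if __name__ == "__main__":
    for w in lint_ddns_domains(SAMPLE_CONFIG):
        print("WARN", w)
    print(diagnose(SAMPLE_CONFIG, "perigrine.localdomain."))
    print(diagnose(SAMPLE_CONFIG, "47.100.168.192.in-addr.arpa.", "reverse-ddns"))
    print(json.dumps(redact_secrets(SAMPLE_CONFIG), indent=2))
```

Run against the sample, the linter reports the forward domain, `diagnose` reproduces the no-match outcome for `perigrine.localdomain.` while the reverse domain (which already carries its trailing period) matches, and `redact_secrets` gives a copy safe to paste into a mailing-list post.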
Re: [Kea-users] kea not updating bind9
Hi Charles,
While testing, you can enable update-on-renew (see here:
https://kea.readthedocs.io/en/kea-3.0.1/arm/dhcp4-srv.html#ddns-for-dhcpv4)
to make Kea more talkative with the DNS server.
Thank you,
Darren Ankney
On Tue, Sep 23, 2025 at 2:39 PM Charles Curley
wrote:
>
> On Tue, 23 Sep 2025 02:05:40 -0500
> Doug Freed wrote:
>
> > Kea does not use DNS-aware name comparisons, but simple
> > case-insensitive string comparisons, when attempting to locate a
> > matching domain in your configuration for a DDNS update request.
> > FQDNs in update requests will always end with a trailing period, but
> > your domain name in your DDNS config does not, which is what's
> > causing the error.
>
> Ah, thank you.
>
> So this:
>
> "forward-ddns" : {
>     "ddns-domains" : [
>         {
>             "name": "localdomain",
>
> should be this:
>
> "forward-ddns" : {
>     "ddns-domains" : [
>         {
>             "name": "localdomain.", <---
>
> and I (now) see the . after the arpa in the reverse domain. I applied
> that, and will await the next request.
>
> I did get a "successful" lease removal request. I say successful in
> quotes because the entry wasn't actually in DNS, so named didn't have
> anything to do. After several hours, there was nothing else, so I
> shut down all three servers, moved aside the two kea-leases4.csv files,
> and restarted all three servers. I got two successful adds. So I think
> that solved that. Thank you.
>
>
> >
> > Note that while you redacted your TSIG key from your BIND config
> > before posting, you did not do the same for your DDNS config. Since
> > you're using RFC 1918 IP addresses, this may not be a real concern,
> > but I thought I'd point it out just in case.
>
> Thank you for pointing that out. As you say, probably not an issue.
> Still, I created a new key with tsig-keygen. Easy enough. Paranoids
> live longer. :-)
>
> >
> > -Doug
>
>
> --
> Does anybody read signatures any more?
>
> https://charlescurley.com
> https://charlescurley.com/blog/
> --
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> [email protected]
Re: [Kea-users] kea not updating bind9
On Tue, 23 Sep 2025 02:05:40 -0500
Doug Freed wrote:
> Kea does not use DNS-aware name comparisons, but simple
> case-insensitive string comparisons, when attempting to locate a
> matching domain in your configuration for a DDNS update request.
> FQDNs in update requests will always end with a trailing period, but
> your domain name in your DDNS config does not, which is what's
> causing the error.
Ah, thank you.
So this:
"forward-ddns" : {
    "ddns-domains" : [
        {
            "name": "localdomain",
should be this:
"forward-ddns" : {
    "ddns-domains" : [
        {
            "name": "localdomain.", <---
and I (now) see the . after the arpa in the reverse domain. I applied
that, and will await the next request.
I did get a "successful" lease removal request. I say successful in
quotes because the entry wasn't actually in DNS, so named didn't have
anything to do. After several hours, there was nothing else, so I
shut down all three servers, moved aside the two kea-leases4.csv files,
and restarted all three servers. I got two successful adds. So I think
that solved that. Thank you.
>
> Note that while you redacted your TSIG key from your BIND config
> before posting, you did not do the same for your DDNS config. Since
> you're using RFC 1918 IP addresses, this may not be a real concern,
> but I thought I'd point it out just in case.
Thank you for pointing that out. As you say, probably not an issue.
Still, I created a new key with tsig-keygen. Easy enough. Paranoids
live longer. :-)
>
> -Doug
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
