DDNS Failed

SilentRage bind-users at dollardns.net
Thu Nov 11 17:58:58 UTC 2004


Try adding these lines to your options {} block.  If you're not using BIND 9.3.0 then ignore this message.

check-names master ignore;
check-names slave ignore;
check-names response ignore;

Dave

--- Reply to: Norman Zhang <norman.zhang at rd.arkonnetworks.com> ---
> 
> Barry Finkel wrote:
> >>I'm trying to allow DDNS for a W2K3 machine to register AD.
> >>
> >>But I keep getting
> >>
> >>0x0000232A RCODE_SERVER_FAILURE
> >>
> >>I tried changing
> >>
> >>allow-update { 192.168.22.0/24; };
> >>
> >>but it still fails. But all my Windows clients can do DDNS. DHCP is
> >>also on the bind 9.2.3 box. May I ask for some tips please?
> > 
> >>I've attached both my dhcpd.conf and named.conf below. My W2K3 box
> >>has an IP 192.168.22.21. Any advice is greatly appreciated.
> >>
> >>
> >># Server settings
> >>authoritative;
> >>ddns-update-style ad-hoc;
> >>
> >># Global settings
> >>option domain-name "hq.arkonnetworks.com";
> >>default-lease-time 21600;
> >>max-lease-time 43200;
> >>ddns-updates on;
> >>ddns-domainname "hq.arkonnetworks.com";
> >>ddns-rev-domainname "in-addr.arpa";
> >>
> >>key rndc-key {
> >>  algorithm hmac-md5;
> >>  secret "xxxx";
> >>}
> >>
> >>zone hq.arkonnetworks.com. {
> >>  primary 192.168.11.3;
> >>  key rndc-key;
> >>}
> >>
> >># LAN1 IP Range
> >>subnet 192.168.11.0 netmask 255.255.255.0 {
> >>  option domain-name-servers 192.168.11.3, 192.168.11.15, 207.34.136.1, 204.174.64.1;
> >>  option ntp-servers 192.168.11.3;
> >>  option routers 192.168.11.1;
> >>  range 192.168.11.41 192.168.11.254;
> >>  zone 11.168.192.in-addr.arpa. {
> >>    primary 192.168.11.3;
> >>    key rndc-key;
> >>  }
> >>}
> >>	
> >># LAN2 IP Range
> >>subnet 192.168.22.0 netmask 255.255.255.0 {
> >>  option domain-name-servers 192.168.22.3, 192.168.22.15, 207.34.136.1, 204.174.64.1;
> >>  option ntp-servers 192.168.22.3;
> >>  option routers 192.168.22.1;
> >>  range 192.168.22.41 192.168.22.254;
> >>  zone 22.168.192.in-addr.arpa. {
> >>    primary 192.168.22.3;
> >>    key rndc-key;
> >>  }
> >>}
> >>
> >>// generated by named-bootconf.pl
> >>
> >>options {
> >>  directory "/var/named";
> >>  forwarders { 207.34.136.1; 204.174.64.1; 204.174.65.1; };
> >>  pid-file "/var/run/named/named.pid";
> >>  /*
> >>   * If there is a firewall between you and nameservers you want
> >>   * to talk to, you might need to uncomment the query-source
> >>   * directive below.  Previous versions of BIND always asked
> >>   * questions using port 53, but BIND 8.1 uses an unprivileged
> >>   * port by default.
> >>   */
> >>  // query-source address * port 53;
> >>};
> >>
> >>
> >>// secret must be the same as in /etc/rndc.conf
> >>key "rndc-key" {
> >>  algorithm hmac-md5;
> >>  secret "xxxx";
> >>};
> >>
> >>controls {
> >>  inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
> >>};
> >>
> >>//
> >>// a caching only nameserver config
> >>//
> >>zone "." {
> >>  type hint;
> >>  file "db.cache";
> >>};
> >>
> >>zone "0.0.127.in-addr.arpa" {
> >>  type master;
> >>  file "db.127.0.0";
> >>};
> >>
> >>zone "hq.arkonnetworks.com" {
> >>  type master;
> >>  file "db.hq.arkonnetworks.com";
> >>  allow-update { key rndc-key; };
> >>};
> >>
> >>zone "arkonnetworks.com" {
> >>  type slave;
> >>  file "db.arkonnetworks.com";
> >>  masters { 207.34.136.1; };
> >>};
> >>
> >>zone "0-31.136.34.207.in-addr.arpa" {
> >>  type slave;
> >>  file "db.207.34.136.0";
> >>  masters { 207.34.136.1; };
> >>};
> >>
> >>zone "22.168.192.in-addr.arpa" {
> >>  type master;
> >>  file "db.192.168.22.0";
> >>  allow-update { key rndc-key; };
> >>};
> >>
> >>zone "11.168.192.in-addr.arpa" {
> >>  type master;
> >>  file "db.192.168.11.0";
> >>  allow-update { key rndc-key; };
> >>};
> >>
> >>zone "_msdcs.hq.arkonnetworks.com" {
> >>  type master;
> >>  file "db._msdcs.hq.arkonnetworks.com";
> >>  allow-update { 192.168.22.0/24; };
> >>};
> >>
> >>zone "_sites.hq.arkonnetworks.com" {
> >>  type master;
> >>  file "db._sites.hq.arkonnetworks.com";
> >>  allow-update { 192.168.22.0/24; };
> >>};
> >>
> >>zone "_tcp.hq.arkonnetworks.com" {
> >>  type master;
> >>  file "db._tcp.hq.arkonnetworks.com";
> >>  allow-update { 192.168.22.0/24; };
> >>};
> >>
> >>zone "_udp.hq.arkonnetworks.com" {
> >>  type master;
> >>  file "db._udp.hq.arkonnetworks.com";
> >>  allow-update { 192.168.22.0/24; };
> >>};
> > 
> > The "allow update" statement requires an address-match-list, not an
> > rndc key.
> 
> Thanks for your reply. The rndc key works fine. I think it has been
> discussed here before, but I can't recall why. I've just added _msdcs,
> _sites, _tcp, _udp zones to the already running named.conf. I tried
> converting them to 192.168.22.0/24, but still couldn't update.
> 
> > What are you trying to get AD to register?  The SRV and CNAME
> > records in the four/six "_" zones?  How have you set up these MS
> > zones?  If you have used AD-integrated with secure updates, then the
> > MS security model is not implemented in BIND, so the DDNS updates
> > will fail.
> > If you are using non-secure updates, then this should work.
> 
> The zone files are created and placed under /var/named/ with
> uid.gid=named.named. This W2K3 box just got upgraded from NT and is
> trying to become a DC by registering AD entries in BIND. I don't think
> it uses any secure updates. How do I check? I grepped the log under
> /var/log/, but couldn't find the denied activity. Is there a specific
> entry that I should grep for?
> 
> > If you are trying to get individual W2k/W2k+3 machines to register
> > themselves via DHCP, then I am not sure what the problem might be.
> > Are you having the DHCP server register both forwards and reverses?
> > If so, are both registrations failing? I am not a DHCP expert, and I
> > suggest finding a newsgroup for your DHCP software.
> 
> My W2K3 has a static IP and it has already been entered in zone files.
> I would like to enable it to update the SRV and CNAME entries in the
> "_" zone files. DHCP so far has no problem registering PTR and A
> records for IPs that it gives out. Do you see any conflicts with my
> config above?
> 
> Regards,
> Norman Zhang
> 
> 
> 
> 
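
An added example, not part of the original thread: a small Python audit that reports, for each zone in a named.conf, whether allow-update is authorised by a key or by source address alone, the two styles mixed in the config quoted above. An address-only list trusts whatever source address the update packet carries, so those zones are the ones to review first. The sample config is constructed from the thread's zone names, the function names are hypothetical, and named ACL references are not resolved (they are reported as address).

```python
import re

# Constructed sample: three zones in the shape of the named.conf quoted in this thread.
SAMPLE_NAMED_CONF = '''
zone "hq.arkonnetworks.com" {
  type master;
  allow-update { key rndc-key; };
};
zone "arkonnetworks.com" {
  type slave;
  masters { 207.34.136.1; };
};
zone "_msdcs.hq.arkonnetworks.com" {
  type master;
  allow-update { 192.168.22.0/24; };
};
'''

# Assumes each zone block closes with "};" at the start of a line, as above.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
UPDATE_RE = re.compile(r'allow-update\s*\{(.*?)\}\s*;', re.S)

def strip_comments(text):
    """Remove /* */, // and # comments so a commented-out statement is not counted."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def classify_updates(conf_text):
    """Map zone name -> 'key', 'address', 'mixed' or 'none' for its allow-update list."""
    result = {}
    for name, body in ZONE_RE.findall(strip_comments(conf_text)):
        m = UPDATE_RE.search(body)
        raw = m.group(1).split(';') if m else []
        elements = [e.strip() for e in raw if e.strip() not in ('', 'none')]
        # Anything that is not a "key <name>" element is treated as address-based.
        kinds = {'key' if e.startswith('key ') else 'address' for e in elements}
        result[name] = 'mixed' if len(kinds) > 1 else (kinds.pop() if kinds else 'none')
    return result

def address_only_zones(conf_text):
    """Zones whose dynamic updates are authorised by source address alone."""
    return sorted(z for z, k in classify_updates(conf_text).items() if k == 'address')

if __name__ == '__main__':
    for zone, kind in classify_updates(SAMPLE_NAMED_CONF).items():
        print(f'{zone}: {kind}')
```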



