Using isc dhcpd to only update reverse DNS zone for selected hosts

Kristian Pedersen kristian.pedersen at vejen-net.dk
Sat Nov 5 21:09:29 UTC 2011


Hi list,

I have an isc dhcpd setup serving docsis cable modems with built-in 
router function. The routers are assigned dynamic public IPs from a 
pool. I use ISC to create nice forward and reverse DDNS entries for 
routers, such as:

rg<mac>.cm.example.com A 123.x.x.8
and
8.x.x.123 PTR rg<mac>.cm.example.com

This all works fine, but I would like to expand my setup a bit, so I can 
have selected routers set up with just reverse DNS entries pointing to 
external domains. The scenario is my customers are asking if they can 
have a custom reverse DNS entry for their router, and they will 
themselves do the forward dns setup in their own DNS. So in essence, 
they just want me to do:

8.x.x.123 PTR <whatever.privatedomain.com>

Below are the parts of my config I think are essential. To begin with I 
changed the dynamic ddns-hostname I generate from the router mac, so it 
grabs the hostname from the host section, if it exists:

ddns-hostname = pick-first-value (ddns-hostname, concat("rg", macadr));

I then added specific ddns-hostname and ddns-domainname within the host 
config for a test device:

host whatever {
     hardware ethernet 11:22:33:44:55:66;
     fixed-address 123.x.x.8;
     ddns-hostname "whatever";
     ddns-domainname "privatedomain.com";
}

It's trying to update but times out on the forward record for 
whatever.privatedomain.com, which makes sense since I have no key for 
the domain. If I set ddns-domainname to my own "cm.example.com", then it 
will correctly add whatever.cm.example.com, so it is matching the host 
config correctly. I then tried adding "do-forward-updates off;" for the 
host, but it seems to turn off reverse DNS updates as well. Which seems 
to match the manual page for dhcpd.conf:

"If this statement is used to disable forward updates,  the  DHCP  
server  will never attempt to update the client's A record, and will 
only ever attempt to update the client's PTR record if the client 
supplies an FQDN that should be placed in the PTR record using the fqdn 
option."

However, my modems won't add an FQDN option .. and even if they did, I 
would rather not trust any option coming from a device, I would like it 
to use the settings from the host configuration. I tried adding 
something like option fqdn.fqdn "whatever.privatedomain.com"; to the 
host config but could not get it to work.

I hope I am missing some simple option :) I guess I could fool it by 
creating a dummy dns-server with forward-zones matching my customers 
private domains, but it seems like quite an ugly hack ..

Here's what I think is important from my current config:

# Global DDNS settings
ddns-update-style interim;
ignore client-updates;
ddns-updates off;
update-static-leases on;
update-conflict-detection off;
use-host-decl-names on;
ddns-domainname "cm.example.com";

# DNS update key
key dhcp-key {
         algorithm hmac-md5;
         secret "<key>";
}

# DNS zones
zone cm.example.com.       { primary <ip>; key dhcp-key; }
zone x.x.123.in-addr.arpa. { primary <ip>; key dhcp-key; }

# Parse client mac-address with 0 as prefix
set macadr = concat(
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 1, 1))), 2),
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 2, 1))), 2),
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 3, 1))), 2),
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 4, 1))), 2),
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 5, 1))), 2),
         suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 6, 1))), 2)
);

# Shared networks behind docsis CMTS
shared-network klient-lan {
         # Match docsis routers
         class "docsis-rg" {
                 match if substring(option vendor-class-identifier, 0, 6) = "RG 1.0";
         }

         # Ip-net for docsis routers
         subnet 123.x.x.0 netmask 255.255.255.0 {
                 authoritative;
                 option subnet-mask 255.255.255.0;
                 option broadcast-address 123.x.x.255;
                 option routers 123.x.x.1;
                 ddns-updates on;
                 ddns-hostname = pick-first-value (ddns-hostname, concat("rg", macadr));

                 pool {
                         failover peer "cm";
                         allow members of "docsis-rg";
                         range 123.x.x.50 123.x.x.254;
                 }
         }
}

host whatever {
     hardware ethernet 11:22:33:44:55:66;
     fixed-address 123.x.x.8;
     ddns-hostname "whatever";
     ddns-domainname "privatedomain.com";
     do-forward-updates off;
}

Regards,

Kristian
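A small Python model of the macadr and ddns-hostname expressions from the post, added here as an example and not part of the original message. It assumes dhcpd's documented behaviour that binary-to-ascii(16, 8, "", x) emits hex without zero padding and that the hardware value begins with the hardware-type byte (hence the indices 1..6), and uses a constructed MAC and address.

```python
# Added example (not from the original post): model the dhcpd.conf
# expressions so the generated DDNS names can be checked offline.

def binary_to_ascii_16_8(byte: int) -> str:
    """dhcpd binary-to-ascii(16, 8, "", x): one byte as hex, NOT zero-padded."""
    return format(byte, "x")

def macadr(hardware: bytes) -> str:
    """Mirror the post's 'set macadr' expression.

    dhcpd's 'hardware' value is the hardware-type byte followed by the
    address, so substring(hardware, 1, 1) .. substring(hardware, 6, 1)
    are the six MAC octets.  Each is prefixed with "0" and cut to its
    last two characters with suffix(..., 2), giving a zero-padded pair.
    """
    octets = hardware[1:7]
    return "".join(("0" + binary_to_ascii_16_8(b))[-2:] for b in octets)

def pick_first_value(*values):
    """dhcpd pick-first-value: first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None

def ddns_names(hardware: bytes, ip: str, host_ddns_hostname=None,
               host_ddns_domainname=None, default_domain="cm.example.com"):
    """Return (forward FQDN, PTR owner name) the post's config would produce.

    host_ddns_hostname / host_ddns_domainname stand for the values set in a
    host declaration; None means the host declaration does not set them.
    """
    hostname = pick_first_value(host_ddns_hostname, "rg" + macadr(hardware))
    domain = pick_first_value(host_ddns_domainname, default_domain)
    fqdn = f"{hostname}.{domain}"
    ptr_owner = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return fqdn, ptr_owner

# Constructed sample: hardware type 1 (ethernet) followed by a MAC with
# low octets, which is exactly where the "0" prefix matters.
SAMPLE_HW = bytes([1, 0x00, 0x1a, 0x2b, 0x0c, 0x05, 0x66])
SAMPLE_IP = "192.0.2.8"  # constructed; the post's real range is 123.x.x.0/24

if __name__ == "__main__":
    print(macadr(SAMPLE_HW))                       # 001a2b0c0566
    print(ddns_names(SAMPLE_HW, SAMPLE_IP))
    print(ddns_names(SAMPLE_HW, SAMPLE_IP, "whatever", "privatedomain.com"))
```

Without the "0" prefix and suffix(..., 2), the octet 0x05 would come out as "5" and the hostname would change length depending on the MAC.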


