[ddns] "update-conflict-detection" and co-existing DHCPv4/v6 servers

Nicolas C. dhcp at nryc.fr
Thu Mar 22 07:52:10 UTC 2012


On 21/03/2012 21:11, Eustace, Glen wrote:
>> The problem is the following: when "update-conflict-detection" is
>> disabled, a client can indirectly update and even delete A records
>> by booting on the network with the same name as a server, for
>> example.
>
> In our case we only allow the DHCP server to do DDNS so the risk is
> somewhat contained.

That's why I said "indirectly": only the DHCP server can do DDNS, but
clients are providing their own names to the DHCP server. For now, nothing
prevents a Linux box from asking for a hostname that will be the same as our
Active Directory PDC!

>> Is there a possibility to run DHCPv4 and DHCPv6 simultaneously AND
>> verify the TXT records?
>
> This is now a big issue for us.  The whole TXT way of controlling
> access to the resources now seems fundamentally broken if one is
> trying to do IPv4 and IPv6 updates as the hash is different in both
> cases.
>
> Please can someone say that they have this working!!

There is one method where you can make the DHCPv4 server register EUI-64
addresses by using an external script:

http://www.gelato.unsw.edu.au/IA64wiki/IPv6DDNS

I'm not 100% sure this will work with "update-conflict-detection"
activated: when a lease expires, DHCPv4 will find its A/PTR/TXT records
but also an AAAA record it didn't add. I hope it will accept deleting
its A/PTR/TXT records and leave the AAAA record, which will be deleted by the
script (which will also delete the PTR record for the IPv6 address).

If anyone has feedback on this method, I'm interested.

Regards,

Nicolas
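As an added example, not taken from this thread or from ISC, here are two dhcpd.conf fragments contrasting the risky setting Nicolas describes (client-supplied names registered with conflict detection off) with a hardened one that keeps conflict detection on and derives the registered name from the lease instead of trusting the client. The zone names, key name, server address and secret are assumed placeholders.

```conf
# Added example (not from the thread): pick ONE of the two fragments.
# Zone, key and address values are placeholders.

# --- Risky: the name comes from the client, nothing is checked ---
# A client that sends "pdc01" as its hostname causes dhcpd to update
# pdc01.example.com, replacing whatever A record already lives there.
ddns-update-style interim;
ddns-domainname "example.com.";
update-conflict-detection false;

# --- Hardened: conflict checks on, name derived from the lease ---
ddns-update-style interim;
ddns-domainname "example.com.";
update-conflict-detection true;   # only touch names whose TXT record
                                  # matches this client's identity
ignore client-updates;            # clients never update DNS themselves

# Register "dhcp-192-0-2-10.example.com" style names built from the
# leased address, so no client can claim a server's name through DHCP.
ddns-hostname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));

key "ddns-key" { algorithm hmac-md5; secret "<placeholder-base64>"; };
zone example.com. { primary 192.0.2.53; key ddns-key; }
zone 2.0.192.in-addr.arpa. { primary 192.0.2.53; key ddns-key; }
```

With the hardened fragment, an existing record such as the PDC's A record has no matching TXT record, so dhcpd's prerequisite check refuses the update rather than overwriting it.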
