DHCP+BIND+DDNS, reverse creation timeout

Gregory Sloop gregs at sloop.net
Wed Jul 24 16:41:09 UTC 2013


Continuing top posting.

So, just to start fresh - I blew away all the BIND data - the journal
files etc. Same with DHCPd. [everything in /var/lib/bind and
/var/lib/dhcp]

Recreated the named.conf and named.conf.local
Recreated the zone files.

Recreated the dhcpd.conf

I moved the key [as suggested] to above the "include" statements in the named.conf
---

Started just BIND.

Then did some tests, working with reverses.

---
nsupdate -k /etc/bind/rndc.key
server 10.1.0.5
zone 0.1.10.in-addr.arpa
update add 4.0.1.10.in-addr.arpa 60 PTR blah2.somedom.local.
send

host 10.1.0.4
> "4.0.1.10.in-addr.arpa domain name pointer blah2.somedom.local."

nsupdate -k /etc/bind/rndc.key
server 10.1.0.5
zone 0.1.10.in-addr.arpa
update delete 4.0.1.10.in-addr.arpa
send

root at dns-dhcp-01:/etc/dhcp# host 10.8.20.4
Host 4.20.8.10.in-addr.arpa. not found: 3(NXDOMAIN)
---

So, I can create/remove/update the reverse zone fine.

Then I start dhcpd again and grab a lease. Same issue. DHCPd reports I
can create the forward fine, but the reverse times out.

The keys in rndc.key, DHCPd.conf and named.conf are all identical.

---
Things I've tried since my last post:
-Changing the quoting of the key in named.conf
-Changing the [key "rndc-key"] to [key rndc-key] in dhcpd.conf
-Changing to a 128-bit key instead of 512. [HMAC/MD5 in both cases]
-Verifying that the key in the file "rndc.key" as well as the keys in
named.conf and dhcpd.conf are all truly the same. They are.

None of these seem to resolve the issue.

---
Can someone give some pointers? I'm totally baffled!

I'm glad to give any needed information - but nothing has really
changed in the conf files given below.

Thanks!
-Greg

---
GS> Hi Greg

GS> It's not something like moving the rndc-key definition so that it is
GS> before you include named.conf.local?

GS> Otherwise there are example configs in the dhcpd.conf man page, scroll
GS> down to DYNAMIC DNS section. The only difference I can see is that the key
GS> does not have quotes around the value. Though if the forward map is
GS> working then I don't think this would be the problem.

GS> Can you update the zone using nsupdate and the key? This might give you a
GS> better error message.

GS> Another test is to temporarily configure bind to allow update from the
GS> dhcp server's ip address. This will eliminate the key as a problem. Bind
GS> seems to silently ignore updates which use the wrong key, so double check
GS> the key is the same in named.conf and dhcpd.conf.

GS> regards,
GS> -glenn

GS> named.conf
GS> ---
GS> include "/etc/bind/named.conf.options";
GS> include "/etc/bind/named.conf.local";
GS> include "/etc/bind/named.conf.default-zones";

GS> #512 bit key
GS> key "rndc-key" {

GS> On Wed, July 24, 2013 3:39 pm, Greg Sloop <gregs at sloop.net> wrote:
>> I'm about to go insane. It's probably an obvious problem, but for the life
>> of me, I can't find it.
>>
>> I'm trying to set up Bind9 + DHCPd + DDNS (forward and reverses)
>> I've got DHCP working for multiple subnets etc, and doing BIND DDNS
>> updates, at least for forward records.
>>
>> I get the following in the logs:
>> ---
>> Jul 23 20:17:17 dns-dhcp-01 dhcpd: Added new forward map from
>> ABCD-R61.somedom.local to 10.1.0.221
>> Jul 23 20:17:18 dns-dhcp-01 dhcpd: unable to add reverse map from
>> 221.0.1.10.in-addr.arpa. to ABCD-R61.somedom.local: timed out
>> ---
>>
>> Turning up the verbosity level in BIND to debug doesn't produce anything
>> useful I can find. The DHCP logs don't shed any more light on things
>> either.
>> [Perhaps it does produce useful stuff but, if so, I can not find it.]
>>
>> Here's the environment.
>> Ubuntu 12.04 [Running in a VM, with the eth interface bridged - though it
>> shouldn't matter, it's VirtualBox]
>> DHCPd 4.1-R4
>> BIND 9.8.1-P1
>> Both standard Ubuntu packages, installed from the Ubuntu repositories.
>>
>> Here are my configs:
>> ---
>> /etc/bind/named.conf.local
>> ---
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> //include "/etc/bind/zones.rfc1918";
>>
>> acl "local-nets" {
>> 10.1.0.0/22;
>> };
>>
>> acl "dns-dhcp-servers" {
>> 10.1.0.5; 10.1.0.6;
>> };
>>
>> zone "somedom.local" {
>>         type master;
>>         file "/var/lib/bind/somedom.local.hosts";
>> // update-policy { grant rndc-key zonesub ANY; };
>> allow-update { key rndc-key; };
>>         };
>>
>> zone "0.1.10.in-addr.arpa" {
>>         type master;
>>         file "/var/lib/bind/10.1.0.rev";
>> //update-policy { grant rndc-key zonesub ANY; };
>> allow-update { key rndc-key; };
>> allow-query { any; };
>>         };
>>
>> zone "1.1.10.in-addr.arpa" {
>>         type master;
>>         file "/var/lib/bind/10.1.1.rev";
>> //update-policy { grant rndc-key zonesub ANY; };
>> allow-update { key rndc-key; };
>>         };
>>
>> zone "2.1.10.in-addr.arpa" {
>>         type master;
>>         file "/var/lib/bind/10.1.2.rev";
>> //update-policy { grant rndc-key zonesub ANY; };
>> allow-update { key rndc-key; };
>>         };
>>
>> logging {
>>     channel default_file {
>>         file "/var/log/named/default.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel general_file {
>>         file "/var/log/named/general.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel database_file {
>>         file "/var/log/named/database.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel security_file {
>>         file "/var/log/named/security.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel config_file {
>>         file "/var/log/named/config.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel resolver_file {
>>         file "/var/log/named/resolver.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel xfer-in_file {
>>         file "/var/log/named/xfer-in.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel xfer-out_file {
>>         file "/var/log/named/xfer-out.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel notify_file {
>>         file "/var/log/named/notify.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel client_file {
>>         file "/var/log/named/client.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel unmatched_file {
>>         file "/var/log/named/unmatched.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel queries_file {
>>         file "/var/log/named/queries.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel network_file {
>>         file "/var/log/named/network.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel update_file {
>>         file "/var/log/named/update.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel dispatch_file {
>>         file "/var/log/named/dispatch.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel dnssec_file {
>>         file "/var/log/named/dnssec.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>     channel lame-servers_file {
>>         file "/var/log/named/lame-servers.log" versions 3 size 5m;
>>         //severity dynamic;
>> severity debug 3;
>>         print-time yes;
>>     };
>>
>>     category default { default_file; };
>>     category general { general_file; };
>>     category database { database_file; };
>>     category security { security_file; };
>>     category config { config_file; };
>>     category resolver { resolver_file; };
>>     category xfer-in { xfer-in_file; };
>>     category xfer-out { xfer-out_file; };
>>     category notify { notify_file; };
>>     category client { client_file; };
>>     category unmatched { unmatched_file; };
>>     category queries { queries_file; };
>>     category network { network_file; };
>>     category update { update_file; };
>>     category dispatch { dispatch_file; };
>>     category dnssec { dnssec_file; };
>>     category lame-servers { lame-servers_file; };
>> };
>>
>> ---
>> The zone file for the problem zone above. [There are three zones, but I'm
>> having the problem in this zone I haven't tested the others, but if I get
>> this zone working, I'm sure the others will work too. So I'll just give
>> this one zone.]
>> *** /var/lib/bind/10.1.0.rev
>> ---
>> ;#/var/lib/bind/10.1.0.rev
>> $ttl 38400
>> 0.1.10.in-addr.arpa. IN      SOA     dns-dhcp-01. root.somedom.com. (
>>                         2013072301 ;serial
>>                         10800 ;slave-refresh, 3h
>>                         3600 ;slave-retry, update, 1h
>>                         604800 ;slave-expire,  7d
>>                         120  ;minimum [negative response TTL], 2m
>>                         )
>> 0.1.10.in-addr.arpa. IN      NS      dns-dhcp-01.somedom.local.
>> 0.1.10.in-addr.arpa. IN      NS      dns-dhcp-02.somedom.local.
>>
>> ---
>>
>> *** The DHCPd.conf file
>> ---
>> authoritative;
>>
>> key "rndc-key" {
>>       algorithm hmac-md5;
>>       secret "SOMESECRET";
>> };
>>
>> ddns-update-style interim;
>> ddns-domainname "somedom.local";
>>
>> log-facility local7;
>> log debug;
>>
>> option time-offset              -18000; # Pacific Standard Time
>> one-lease-per-client off;
>>
>> use-host-decl-names on;
>> option ntp-servers time.somedom.local;
>> option time-servers time.somedom.local;
>> option domain-name-servers 10.1.0.5, 10.1.0.6;
>> option domain-name "somedom.local";
>> option netbios-name-servers 10.1.0.17;
>> option routers 10.1.0.190;
>>
>> #1h lease
>> default-lease-time 3600;
>> max-lease-time 3600;
>> option ip-forwarding off;
>>
>> zone somedom.local. {
>>         primary 10.1.0.5;
>>         key rndc-key;
>> }
>>
>> zone 0.1.10.in-addr.arpa. {
>>         primary 10.1.0.5;
>>         key rndc-key;
>> }
>>
>> zone 1.1.10.in-addr.arpa. {
>>         primary 10.1.0.5;
>>         key rndc-key;
>> }
>>
>> zone 2.1.10.in-addr.arpa. {
>>         primary 10.1.0.5;
>>         key rndc-key;
>> }
>>
>> # Subnet for internal hosts
>>     subnet 10.1.0.0 netmask 255.255.255.0 {
>>         option routers                  10.1.0.190;
>>         option subnet-mask              255.255.255.0;
>>
>>             # block unknowns for .60 - .113
>>                 pool    {
>>                                 range 10.1.0.60 10.1.0.113;
>>                                 allow unknown-clients;
>>                                 }
>>                 # block unknowns for 10.1.0.114 - .115
>>                 pool    {
>>                                 range 10.1.0.114 10.1.0.114;
>>                                 deny unknown-clients;
>>                                 }
>>                 # allow unknowns for 10.1.0.115 - .153
>>                 pool    {
>>                                 range 10.1.0.115 10.1.0.153;
>>                                 allow unknown-clients;
>>                                 }
>>                 # block unknowns for 10.1.0.154 - .194
>>                 pool    {
>>                                 range 10.1.0.154 10.1.0.194;
>>                                 deny unknown-clients;
>>                                 }
>>                 # allow unknowns for 10.1.0.195 - .222
>>                 pool    {
>>                                 range 10.1.0.195 10.1.0.222;
>>                                 allow unknown-clients;
>>                                 }
>>                 # block unknowns for 10.1.0.223 - .254
>>                 pool    {
>>                                 range 10.1.0.223 10.1.0.254;
>>                                 deny unknown-clients;
>>                                 }
>>     }
>>
>>     subnet 10.1.1.0 netmask 255.255.255.0 {
>>         option routers                  10.1.1.1;
>>         option subnet-mask              255.255.255.0;
>>         pool {
>>                         #failover peer "dhcp-failover";
>>                         max-lease-time 14400;
>>                         range 10.1.1.21 10.1.1.240;
>> allow unknown-clients;
>>                 }
>>     }
>>
>>     subnet 10.1.2.0 netmask 255.255.255.0 {
>>         option routers                  10.1.2.1;
>>         option subnet-mask              255.255.255.0;
>>                 pool {
>>                         #failover peer "dhcp-failover";
>>                         max-lease-time 14400;
>>                         range 10.1.2.50 10.1.2.250;
>> allow unknown-clients;
>>                 }
>>     }
>>
>>
>> ---
>> named.conf
>> ---
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> #512 bit key
>> key "rndc-key" {
>>       algorithm hmac-md5;
>>       secret "SOMESECRET";
>> };
>>
>> controls {
>>       inet 127.0.0.1 port 953
>>               allow { 127.0.0.1; } keys { "rndc-key"; };
>>
>>       inet 10.1.0.5 port 953
>>               allow { 127.0.0.1; } keys { "rndc-key"; };
>> };
>> ---
>>
>> To keep the clutter down, I won't give any more config files:
>> But syntax checks of both the BIND and DHCPd config files are clean, and
>> both BIND and DHCPd appear to load and run fine.
>> The only problem I have is the failed [timed out] problem for creating the
>> PTR record for the reverse.
>>
>> I've spent hours on this, looking at the docs, examples, google-foo, and
>> more.
>> I'm quite sure it's something stupid, but as I said above, I can't find it
>> and I'm desperate!
>>
>> TIA
>> -Greg
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users


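The checks this thread keeps coming back to (the same TSIG key name, algorithm and secret in dhcpd.conf and named.conf; a BIND zone that permits updates with that key for every zone dhcpd declares; the octet-reversed in-addr.arpa name for each subnet dhcpd hands out leases in) can be automated, which matters because BIND silently drops updates signed with a key it does not accept. The script below is an added example, not code from the thread or from ISC. It parses only the subset of both config grammars shown in the thread (key, zone and subnet blocks, `//` and `#` comments) and works on constructed config fragments with placeholder secrets; the `1.1.10` key mismatch and the undeclared reverse zone for `10.1.2.0` are deliberate so the output shows what a finding looks like.

```python
"""Cross-check the DDNS zone and TSIG key settings of dhcpd.conf and named.conf.

Added example, not code from the dhcp-users thread or from ISC. It handles only
the subset of the dhcpd.conf and named.conf grammars that appears in the thread
and reports the mismatches that make dhcpd's signed updates fail on the BIND
side. The sample configs are constructed from the thread's excerpts; secrets
are placeholders and the two mismatches are deliberate.
"""
import ipaddress
import re

# Constructed dhcpd.conf fragment (key, zone and subnet statements only).
DHCPD_CONF = """
key "rndc-key" { algorithm hmac-md5; secret "SOMESECRET"; };
zone somedom.local.        { primary 10.1.0.5; key rndc-key; }
zone 0.1.10.in-addr.arpa.  { primary 10.1.0.5; key rndc-key; }
zone 1.1.10.in-addr.arpa.  { primary 10.1.0.5; key rndc-key; }
subnet 10.1.0.0 netmask 255.255.255.0 { pool { range 10.1.0.60 10.1.0.113; } }
subnet 10.1.1.0 netmask 255.255.255.0 { pool { range 10.1.1.21 10.1.1.240; } }
subnet 10.1.2.0 netmask 255.255.255.0 { pool { range 10.1.2.50 10.1.2.250; } }  # no zone declared
"""

# Constructed named.conf fragment; "dhcp-key" on 1.1.10 is the deliberate mismatch.
NAMED_CONF = """
#512 bit key
key "rndc-key" { algorithm hmac-md5; secret "SOMESECRET"; };
key "dhcp-key" { algorithm hmac-md5; secret "OTHERSECRET"; };
zone "somedom.local" { type master; file "/var/lib/bind/somedom.local.hosts";
        allow-update { key rndc-key; }; };
zone "0.1.10.in-addr.arpa" { type master; file "/var/lib/bind/10.1.0.rev";
        // update-policy { grant rndc-key zonesub ANY; };
        allow-update { key rndc-key; }; };
zone "1.1.10.in-addr.arpa" { type master; file "/var/lib/bind/10.1.1.rev";
        allow-update { key dhcp-key; }; };
"""


def strip_comments(text):
    """Drop // and # comments to end of line (both styles occur in the thread)."""
    return re.sub(r'(//|#).*', '', text)


def blocks(text, keyword):
    """Return (name, body) for every `keyword name { ... }` block, counting
    braces so nested blocks such as allow-update { ... } stay inside the body."""
    out = []
    for m in re.finditer(r'\b' + keyword + r'\s+"?([^\s"{]+)"?\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        out.append((m.group(1), text[m.end():i - 1]))
    return out


def parse_keys(text):
    """Map key name -> (algorithm, secret); same grammar in dhcpd and BIND."""
    keys = {}
    for name, body in blocks(strip_comments(text), 'key'):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
        keys[name.lower()] = (alg.group(1).lower() if alg else None,
                              sec.group(1) if sec else None)
    return keys


def dhcpd_zones(text):
    """Map zone name (no trailing dot) -> (primary address, key name) from dhcpd.conf."""
    zones = {}
    for name, body in blocks(strip_comments(text), 'zone'):
        primary = re.search(r'primary\s+([\d.]+)\s*;', body)
        key = re.search(r'key\s+"?([\w.-]+)"?\s*;', body)
        zones[name.lower().rstrip('.')] = (primary.group(1) if primary else None,
                                           key.group(1).lower() if key else None)
    return zones


def bind_zones(text):
    """Map zone name -> set of key names BIND accepts dynamic updates from."""
    zones = {}
    for name, body in blocks(strip_comments(text), 'zone'):
        allowed = set()
        for m in re.finditer(r'allow-update\s*\{([^}]*)\}', body):
            allowed.update(k.lower() for k in re.findall(r'key\s+"?([\w.-]+)"?\s*;', m.group(1)))
        for m in re.finditer(r'grant\s+"?([\w.-]+)"?', body):   # update-policy grants
            allowed.add(m.group(1).lower())
        zones[name.lower().rstrip('.')] = allowed
    return zones


def reverse_zone(network, netmask):
    """in-addr.arpa zone holding the PTRs of an octet-aligned (/8, /16, /24) subnet;
    None for other masks, where RFC 2317 delegation needs a hand check."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    if net.prefixlen % 8:
        return None
    octets = str(net.network_address).split('.')[:net.prefixlen // 8]
    return '.'.join(reversed(octets)) + '.in-addr.arpa'


def check(dhcpd_text, named_text):
    """Return human-readable findings; an empty list means the two configs agree."""
    dk, nk = parse_keys(dhcpd_text), parse_keys(named_text)
    dz, nz = dhcpd_zones(dhcpd_text), bind_zones(named_text)
    findings = []
    for name, (primary, key) in sorted(dz.items()):
        if key is None:
            findings.append(f"dhcpd zone {name}: no key statement, updates would be unsigned")
            continue
        if key not in dk:
            findings.append(f"dhcpd zone {name}: key {key} is not defined in dhcpd.conf")
        if key not in nk:
            findings.append(f"dhcpd zone {name}: key {key} is not defined in named.conf")
        elif key in dk and dk[key] != nk[key]:
            findings.append(f"key {key}: algorithm or secret differs between dhcpd.conf and named.conf")
        if name not in nz:
            findings.append(f"dhcpd zone {name}: BIND serves no such zone (check name and octet order)")
        elif key not in nz[name]:
            findings.append(f"dhcpd zone {name}: BIND does not allow-update with key {key}")
    for m in re.finditer(r'subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{', strip_comments(dhcpd_text)):
        rz = reverse_zone(m.group(1), m.group(2))
        if rz is None:
            findings.append(f"subnet {m.group(1)}/{m.group(2)}: non-octet-aligned mask, check reverse zone by hand")
        elif rz not in dz:
            findings.append(f"subnet {m.group(1)}/{m.group(2)}: no dhcpd zone statement for {rz}")
    return findings


if __name__ == "__main__":
    for line in check(DHCPD_CONF, NAMED_CONF) or ["no mismatches found"]:
        print(line)
```

Run against the real files (`check(open('/etc/dhcp/dhcpd.conf').read(), open('/etc/bind/named.conf.local').read())`, with the key block concatenated in if it lives in a separate include) and an empty result means the key and zone declarations line up; a timeout that persists after that points away from the TSIG configuration, which is what the nsupdate test in the thread is meant to establish.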