Fwd: ddns-updates off; within pool doesn't work

Glenn Satchell glenn.satchell at uniq.com.au
Wed Jun 4 11:34:38 UTC 2014


Maybe move ddns-updates on; into the subnet definition. At the moment
ddns-updates are off in the subnet, and so allow client-updates; doesn't
make sense with that not turned on? Just guessing here.

regards,
-glenn

On Wed, June 4, 2014 2:39 am, Alexei V. Schukin wrote:
> Thanks for the detailed explanations, Glenn!
> I have tested the configuration from your message with dhcpd -t, but the
> daemon threw me the following error:
> -----------------------------------------------------------------------------------------------
> dhcpd -t -cf /etc/dhcp/dhcpd.conf
> -----------------------------------------------------------------------------------------------
> Internet Systems Consortium DHCP Server 4.1.1-P1
> Copyright 2004-2010 Internet Systems Consortium.
> All rights reserved.
> For info, please visit https://www.isc.org/software/dhcp/
> WARNING: Host declarations are global.  They are not limited to the scope
> you declared them in.
> /etc/dhcp/dhcpd.conf line 76: expecting permit type.
>                 allow client-updates;
>                        ^
> /etc/dhcp/dhcpd.conf line 77: semicolon expected.
>                 range
>                  ^
> Configuration file errors encountered -- exiting
> This version of ISC DHCP is based on the release available
> on ftp.isc.org.  Features have been added and other changes
> have been made to the base software release in order to make
> it work better with this distribution.
> Please report for this software via the CentOS Bugs Database:
>     http://bugs.centos.org/
> exiting.
> ------------------------------------------------------------------------------------------------
> Obviously, it doesn't like the "allow client-updates" option inside a pool
> definition.
> After my experiments, the most acceptable configuration looks like this:
> -----------------------------------------------------------------------------------------------
> dhcpd.conf
> ------------------------------------------------------------------------------------------------
> authoritative;
> ddns-update-style interim;
> ddns-updates off;
> deny unknown-clients;
> update-static-leases off;
> deny client-updates;
> ddns-domainname "example.com";
> allow booting;
> allow bootp;
> next-server 192.168.0.21;
> filename "pxelinux.0";
> option root-path "192.168.0.21:/tftpboot";
> option ntp-servers 192.168.0.1;
> one-lease-per-client on;
> option domain-name "example.com";
> subnet 192.168.0.0 netmask 255.255.255.0   {
>         option routers 192.168.0.1;
>         option domain-name-servers 192.168.0.1;
>         option broadcast-address 192.168.0.255;
>         allow client-updates;
>         allow unknown-clients;
>         # range for foreman
>         # 192.168.0.5 192.168.0.50
>         # dynamic address pool
>         pool {
>                 ddns-updates on;
>                 range 192.168.0.100 192.168.0.130;
>         }
>         # group for static host
>         group {
>                 ddns-updates on;
>                 deny client-updates;
>                 use-host-decl-names on;
>                 update-static-leases on;
>                 host static-host {
>                         hardware ethernet xx:xx:xx:xx:xx:xx;
>                         fixed-address 192.168.0.132;
>                         ddns-hostname "static-host";
>                 }
>                 ...
>         }
> }
> ...
> ------------------------------------------------------------------------------------------------
> It seems to work fine, except for the "update-static-leases" option, because
> every time after removing a host definition from the configuration files, I
> have to clean up my DNS zones manually. Unfortunately, I haven't found a more
> elegant solution yet.
> --
> Best wishes,
> Alex
> 2014-05-19 19:11 GMT+04:00 Glenn Satchell <glenn.satchell at uniq.com.au>:
>> Hi Alex
>> The lease created by the omshell commands is a host statement, that is,
>> it's a static lease, so it is not part of the pool of dynamic leases
>> where you have turned off ddns-updates, even though the IP address
>> happens to be in the pool's dynamic range.
>> Probably the right way to fix this is to remove that pool altogether
>> and put the commands in the subnet, but you don't need the range
>> statement for 192.168.0.5 192.168.0.50. The host statement will inherit
>> settings from the subnet, but not from the pool. You could use a pool
>> for the range 192.168.0.100 192.168.0.130 if you wanted different
>> behaviour for those addresses.
>> The range statement is for the dhcp server to allocate addresses itself.
>> That function is being controlled by foreman, so you have two things
>> conflicting with each other.
>> By the way, no modern dhcp clients need the dynamic-bootp setting for
>> range these days. All that does is emulate bootp by allocating leases
>> that never expire, so you will eventually run out of IPs due to old
>> systems that are long gone still having an IP lease held for them.
>> Perhaps something like this. Note I haven't tried this, so there may be
>> syntax errors, etc, but hope this shows what I was trying to say above.
>> subnet 192.168.0.0 netmask 255.255.255.0   {
>>     ddns-updates off;
>>     ignore client-updates;
>>     update-static-leases off;
>>     pool {
>>         range 192.168.0.100 192.168.0.130;
>>         ddns-updates on;
>>         allow client-updates;
>>     }
>>         option broadcast-address 192.168.0.255;
>>         option domain-name-servers 192.168.0.1;
>>         option domain-name "example.com";
>>         option routers 192.168.0.1;
>>         default-lease-time 86400;
>>         max-lease-time 172800;
>>         ...
>> }
>> regards,
>> -glenn
>> On Tue, May 20, 2014 12:45 am, Alexei V. Schukin wrote:
>> > Peter, thanks for the reply.
>> > I'm trying to make Foreman + DHCP (ddns updates) + BIND work together.
>> > DHCPD had the configuration below when I last tested it working.
>> > =============
>> > dhcpd.conf
>> > =============
>> > authoritative;
>> > ddns-update-style interim;
>> > ddns-updates on;
>> > ddns-domainname "example.com";
>> > allow booting;
>> > allow bootp;
>> > next-server 192.168.0.21;
>> > filename "pxelinux.0";
>> > option root-path "192.168.0.21:/tftpboot";
>> > option ntp-servers 192.168.0.1;
>> > allow unknown-clients;
>> > update-static-leases on;
>> > subnet 192.168.0.0 netmask 255.255.255.0   {
>> >         pool {
>> >                 range 192.168.0.5 192.168.0.50;
>> >                 deny unknown-clients;
>> >                 ddns-updates off;
>> >                 ddns-update-style none;
>> >                 ignore client-updates;
>> >                 update-static-leases off;
>> >         }
>> >         range dynamic-bootp 192.168.0.100 192.168.0.130;
>> >         option domain-name-servers 192.168.0.1;
>> >         option domain-name "example.com";
>> >         option routers 192.168.0.1;
>> >         option broadcast-address 192.168.0.255;
>> >         allow client-updates;
>> >         default-lease-time 86400;
>> >         max-lease-time 172800;
>> >         ...
>> > }
>> > ...
>> > -----------------
>> > This is the rough scheme of interaction between the services:
>> > __________        _________________________________
>> > |         |      |                                 |
>> > |  Host 1 |      |            Host 2               |
>> > |         |      |                   (1)           |
>> > | Foreman | -->  | Foreman-Proxy   ------>   DHCPD |
>> > |_________|      |        |        omshell         |
>> >                  |    (2) |                        |
>> >                  |        | nsupdate               |
>> >                  |        +                        |
>> >                  |       BIND                      |
>> >                  |_________________________________|
>> > 0. Creating a host in Foreman...
>> > 1. The Foreman tells foreman-proxy to reserve an address for the new host
>> > via omshell (1)
>> > =================================
>> > /var/log/foreman-proxy/proxy.log
>> > =================================
>> > D, [2014-05-15T19:47:03.286591 #7893] DEBUG -- : Lazy loaded 192.168.0.0/255.255.255.0 records
>> > D, [2014-05-15T19:47:03.287669 #7893] DEBUG -- : Added example-04.example.com (192.168.0.25 / 00:50:56:90:72:22) to 192.168.0.0/255.255.255.0
>> > D, [2014-05-15T19:47:03.288907 #7893] DEBUG -- : omshell: executed - set name = "example-04.example.com"
>> > D, [2014-05-15T19:47:03.289097 #7893] DEBUG -- : true
>> > D, [2014-05-15T19:47:03.289254 #7893] DEBUG -- : omshell: executed - set ip-address = 192.168.0.25
>> > D, [2014-05-15T19:47:03.289360 #7893] DEBUG -- : true
>> > D, [2014-05-15T19:47:03.289510 #7893] DEBUG -- : omshell: executed - set hardware-address = 00:50:56:90:72:22
>> > D, [2014-05-15T19:47:03.289652 #7893] DEBUG -- : true
>> > D, [2014-05-15T19:47:03.289819 #7893] DEBUG -- : omshell: executed - set hardware-type = 1
>> > D, [2014-05-15T19:47:03.289933 #7893] DEBUG -- : true
>> > D, [2014-05-15T19:47:03.290285 #7893] DEBUG -- : omshell: executed - set statements = "filename = \"pxelinux.0\"; next-server = c0:a8:00:cf; option host-name = \"example-04.example.com\";"
>> > D, [2014-05-15T19:47:03.290396 #7893] DEBUG -- : true
>> > D, [2014-05-15T19:47:03.290548 #7893] DEBUG -- : omshell: executed - create
>> > D, [2014-05-15T19:47:03.290700 #7893] DEBUG -- : true
>> > I, [2014-05-15T19:47:03.315293 #7893]  INFO -- : Added DHCP reservation for example-04.example.com (192.168.0.25 / 00:50:56:90:72:22)
>> > ---------------------------------
>> > ==================
>> > /var/log/messages
>> > ==================
>> > May 15 19:47:36 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > May 15 19:47:38 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
>> > May 15 19:47:38 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
>> > May 15 19:47:38 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
>> > May 15 19:47:38 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
>> > May 15 19:47:38 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > ------------------
>> > ==========================
>> > /var/lib/dhcp/dhcpd.leases
>> > ==========================
>> > host example-04.example.com {
>> >   dynamic;
>> >   hardware ethernet 00:50:56:90:72:22;
>> >   fixed-address 192.168.0.25;
>> >         supersede server.filename = "pxelinux.0";
>> >         supersede server.next-server = c0:a8:00:cf;
>> >         supersede host-name = "example-04.example.com";
>> > }
>> > --------------------------
>> > 2. The Foreman tells foreman-proxy to create A and PTR records in BIND's
>> > zones for the new host via nsupdate (2)
>> > =================================
>> > /var/log/foreman-proxy/proxy.log
>> > =================================
>> > D, [2014-05-15T19:47:03.464086 #7893] DEBUG -- : running /usr/bin/nsupdate -k /etc/foreman-proxy/foreman_proxy.key
>> > D, [2014-05-15T19:47:03.465195 #7893] DEBUG -- : nsupdate: executed - server 127.0.0.1
>> > D, [2014-05-15T19:47:03.470943 #7893] DEBUG -- : nsupdate: executed - update add example-04.example.com.  86400 A 192.168.0.25
>> > D, [2014-05-15T19:47:03.658748 #7893] DEBUG -- : running /usr/bin/nsupdate -k /etc/foreman-proxy/foreman_proxy.key
>> > D, [2014-05-15T19:47:03.659858 #7893] DEBUG -- : nsupdate: executed - server 127.0.0.1
>> > D, [2014-05-15T19:47:03.662425 #7893] DEBUG -- : nsupdate: executed - update add 25.0.168.192.in-addr.arpa.  86400 IN PTR example-04.example.com.
>> > ---------------------------------
>> > ===================
>> > /var/lib/named.run
>> > ===================
>> > 15-May-2014 19:47:03.474 update: info: client 127.0.0.1#1904: updating zone 'example.com/IN': adding an RR at 'example-04.example.com' A
>> > 15-May-2014 19:47:03.669 update: info: client 127.0.0.1#34958: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR
>> > 3. When the host is completely configured, it tries to boot via PXE:
>> > ===========================
>> > /var/log/messages
>> > ===========================
>> > May 15 19:48:11 ns dhcpd: DHCPDISCOVER from 00:50:56:90:72:22 via eth1
>> > May 15 19:48:11 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > May 15 19:48:11 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
>> > May 15 19:48:11 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
>> > May 15 19:48:11 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
>> > May 15 19:48:11 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
>> > May 15 19:48:11 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > 4. When the host starts to configure its network interface and has
>> > received an address, dhcpd initiates an update of BIND's zones (I hope I
>> > understand this mechanism properly):
>> > ===========================
>> > /var/log/messages
>> > ===========================
>> > May 15 19:48:20 ns dhcpd: DHCPDISCOVER from 00:50:56:90:72:22 via eth1
>> > May 15 19:48:20 ns dhcpd: DHCPOFFER on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > May 15 19:48:20 ns dhcpd: Dynamic and static leases present for 192.168.0.25.
>> > May 15 19:48:20 ns dhcpd: Remove host declaration example-04.example.com or remove 192.168.0.25
>> > May 15 19:48:20 ns dhcpd: from the dynamic address pool for 192.168.0.0/24
>> > May 15 19:48:20 ns dhcpd: Added new forward map from example-04.example.com.example.com to 192.168.0.25
>> > May 15 19:48:20 ns dhcpd: added reverse map from 25.0.168.192.in-addr.arpa. to example-04.example.com.example.com
>> > May 15 19:48:20 ns dhcpd: DHCPREQUEST for 192.168.0.25 (192.168.0.1) from 00:50:56:90:72:22 via eth1
>> > May 15 19:48:20 ns dhcpd: DHCPACK on 192.168.0.25 to 00:50:56:90:72:22 via eth1
>> > ---------------------------
>> > ===================
>> > /var/lib/named.run
>> > ===================
>> > 15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' A
>> > 15-May-2014 19:48:20.229 update: info: client 192.168.0.1#55653: updating zone 'example.com/IN': adding an RR at 'example-04.example.com.example.com' TXT
>> > 15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': deleting rrset at '25.0.168.192.in-addr.arpa' PTR
>> > 15-May-2014 19:48:20.274 update: info: client 192.168.0.1#38704: updating zone '0.168.192.in-addr.arpa/IN': adding an RR at '25.0.168.192.in-addr.arpa' PTR
>> > -------------------
>> > So, I can't figure out: if I told dhcpd "do not attempt any updates when
>> > the client received an address or this is a static lease etc.", why does
>> > it continue updating the zones?
>> > Alex
>> > 2014-05-12 10:29 GMT+04:00 Peter Rathlev <peter at rathlev.dk>:
>> >> On Mon, 2014-04-28 at 17:14 +0400, Alexei V. Schukin wrote:
>> >>> I'm trying to exclude one pool of a subnet from dynamic updates.
>> >> ...
>> >>> subnet 192.168.0.1 netmask 255.255.255.0 {
>> >>>   pool {
>> >>>     range 192.168.0.10 192.168.0.20;
>> >>>     deny unknown-clients;
>> >>>     ddns-updates off;
>> >>>     ignore client-updates;
>> >> ...
>> >>> But it doesn't work: dhcpd is still updating DNS within this address
>> >>> pool.
>> >>> What am I missing?
>> >> Are you sure it's dhcpd that does the updating? Does it say so in the
>> >> logs? The above configuration would make the client try updating
>> >> itself. It of course needs permission to do this.
>> >> --
>> >> Peter
>> >> _______________________________________________
>> >> dhcp-users mailing list
>> >> dhcp-users at lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/dhcp-users
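As an added example for the problems raised across this thread (this is not code from ISC, from Foreman, or from any of the posters), the following hypothetical lint reads dhcpd.conf-style text and checks the two things the messages above trip over: an `allow`/`deny` line inside a `pool` that does not name a permit type (which is what `dhcpd -t` rejects with "expecting permit type"), and a host `fixed-address` that falls inside a `range` (which is what makes dhcpd log "Dynamic and static leases present"). It also reports the `ddns-updates` value each host actually inherits, walking only the enclosing group, subnet and global scopes, following Glenn's explanation that a host inherits from the subnet but never from a pool. Assumptions of this example: a simplified grammar (nested `{}` scopes, `;`-terminated statements, `#` comments), a permit-type list taken from the pool section of the dhcpd.conf man page, and a constructed sample config built from the first configuration and the omshell reservation quoted above.

```python
"""Hypothetical dhcpd.conf lint written for this thread (not ISC or Foreman code).

Assumed simplified grammar: `{` opens a nested scope, `;` ends a statement,
`#` starts a comment.  Enough for the configurations quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Permit types a pool's allow/deny lines may name (assumption: taken from the
# pool section of the dhcpd.conf man page).
POOL_PERMIT_TYPES = ("known-clients", "unknown-clients", "members of",
                     "dynamic bootp clients", "authenticated clients",
                     "unauthenticated clients", "all clients", "after ", "before ")


@dataclass
class Scope:
    kind: str                # global, subnet, pool, group, host, ...
    header: str              # e.g. "subnet 192.168.0.0 netmask 255.255.255.0"
    parent: Optional["Scope"]
    statements: list = field(default_factory=list)
    children: list = field(default_factory=list)


def parse(text: str) -> Scope:
    """Build the scope tree; each statement is stored without its ';'."""
    text = re.sub(r"#.*", "", text)
    root = cur = Scope("global", "global", None)
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        tok = tok.strip()
        if tok == "}":
            cur = cur.parent
        elif tok.endswith("{"):
            header = tok[:-1].strip()
            child = Scope(header.split()[0], header, cur)
            cur.children.append(child)
            cur = child
        else:
            cur.statements.append(tok[:-1].strip())
    return root


def walk(scope: Scope):
    yield scope
    for child in scope.children:
        yield from walk(child)


def effective(scope: Scope, key: str):
    """Nearest enclosing value of `key`: a host inherits from its group,
    subnet and the global scope, never from a pool (it is never inside one)."""
    while scope is not None:
        for st in scope.statements:
            if st.startswith(key + " "):
                return st[len(key):].strip()
        scope = scope.parent
    return None


def lint(text: str) -> dict:
    root = parse(text)
    ranges, pool_permits, static_in_dynamic, host_ddns = [], [], [], {}
    for s in walk(root):                     # collect every range first
        for st in s.statements:
            m = re.match(r"range\s+(?:dynamic-bootp\s+)?(\S+)(?:\s+(\S+))?$", st)
            if m:
                lo = ipaddress.ip_address(m.group(1))
                hi = ipaddress.ip_address(m.group(2) or m.group(1))
                ranges.append((s.header, lo, hi))
    for s in walk(root):
        if s.kind == "pool":
            for st in s.statements:
                m = re.match(r"(allow|deny)\s+(.*)", st)
                if m and not m.group(2).startswith(POOL_PERMIT_TYPES):
                    pool_permits.append(f"{s.header}: '{st};' is not a permit type "
                                        "(dhcpd -t: expecting permit type)")
        elif s.kind == "host":
            host_ddns[s.header] = effective(s, "ddns-updates")
            for st in s.statements:
                m = re.match(r"fixed-address\s+(\S+)", st)
                if not m:
                    continue
                ip = ipaddress.ip_address(m.group(1))
                for owner, lo, hi in ranges:
                    if lo <= ip <= hi:
                        static_in_dynamic.append(
                            f"{s.header}: fixed-address {ip} lies in {lo}-{hi} of "
                            f"'{owner}' (dhcpd: Dynamic and static leases present)")
    return {"pool_permits": pool_permits, "static_in_dynamic": static_in_dynamic,
            "host_ddns": host_ddns}


# Constructed sample: the thread's first config, trimmed, plus the reservation
# that foreman-proxy's omshell calls created for example-04.
SAMPLE_CONF = """
ddns-update-style interim;
ddns-updates on;
subnet 192.168.0.0 netmask 255.255.255.0 {
    pool {
        range 192.168.0.5 192.168.0.50;
        deny unknown-clients;
        ddns-updates off;
        allow client-updates;   # not a permit type
    }
    range 192.168.0.100 192.168.0.130;
    host example-04 {
        hardware ethernet 00:50:56:90:72:22;
        fixed-address 192.168.0.25;
    }
}
"""

if __name__ == "__main__":
    for section, found in lint(SAMPLE_CONF).items():
        print(section, found)
```

Run against the sample, the lint flags the `allow client-updates;` line in the pool, flags `example-04` at 192.168.0.25 as sitting inside the pool's 192.168.0.5-192.168.0.50 range, and reports the host's effective `ddns-updates` as `on`, because the pool's `ddns-updates off` is never in the host's scope chain. That last result is the whole explanation for why the zones kept being updated.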





