DHCP - DDNS Update
lejeczek
peljasz at yahoo.co.uk
Tue May 16 15:32:43 UTC 2023
On 25/04/2023 17:47, Jeremey Wise wrote:
>
> Greetings, and sorry up front for the large email, but I am
> joining this forum and wanted to be comprehensive in my posting.
> I googled around and it seems I am not the only one with
> questions on how to do this task, as things have changed
> with certs and updates. Hopefully this email formats in a
> way that makes it easy for others to review and toss out
> ideas / links to where I can RTFM.
>
> I am being tasked to help out with a POC / Demo lab. It
> is a pair of VMs, running Ubuntu 22.04 fully updated /
> patched.
>
> ###
> dnsuser at ps-dns-01:~$ named -v
> BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
> dnsuser at ps-dns-01:~$ apt list |grep dhcp
>
> WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
>
> dhcp-helper/jammy 1.2-3 amd64
> dhcp-probe/jammy 1.3.0-10.1build2 amd64
> dhcpcanon/jammy 0.8.5-2 all
> dhcpcd-dbus/jammy 0.6.1-2 amd64
> dhcpcd-gtk/jammy 0.7.8-1 amd64
> dhcpcd5/jammy 7.1.0-2build1 amd64
> dhcpd-pools/jammy 2.29-1.1 amd64
> dhcpdump/jammy 1.8-2.2 amd64
> dhcpig/jammy 1.5-3 all
> dhcping/jammy 1.2-5 amd64
> dhcpoptinj/jammy 0.5.3-1 amd64
> dhcpstarv/jammy 0.2.2-2 amd64
> dhcpy6d/jammy 1.0.7-1 all
> freeradius-dhcp/jammy-updates,jammy-security 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 amd64
> fusiondirectory-plugin-dhcp-schema/jammy 1.3-4build1 all
> fusiondirectory-plugin-dhcp/jammy 1.3-4build1 all
> golang-github-d2g-dhcp4-dev/jammy 0.0~git20150413-3 all
> golang-github-d2g-dhcp4client-dev/jammy 1.0.0-2 all
> golang-github-insomniacslk-dhcp-dev/jammy 0.0~git20200621.d74cd86-1 all
> golang-github-mdlayher-dhcp6-dev/jammy 0.0~git20190311.2a67805-2 all
> gosa-plugin-dhcp-schema/jammy 2.7.4+reloaded3-16build1 all
> gosa-plugin-dhcp/jammy 2.7.4+reloaded3-16build1 all
> isc-dhcp-client-ddns/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
> isc-dhcp-client/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
> isc-dhcp-common/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
> isc-dhcp-dev/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
> isc-dhcp-relay/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
> isc-dhcp-server-ldap/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
> isc-dhcp-server/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed]
> kea-dhcp-ddns-server/jammy 2.0.2-1 amd64
> kea-dhcp4-server/jammy 2.0.2-1 amd64
> kea-dhcp6-server/jammy 2.0.2-1 amd64
> libnet-dhcp-perl/jammy 0.696+dfsg-1 all
> libnet-dhcpv6-duid-parser-perl/jammy 1.01-2.1 all
> librust-dhcp4r-dev/jammy 0.2.0-1 amd64
> libtext-dhcpleases-perl/jammy 1.0-2.1 all
> neutron-dhcp-agent/jammy-updates 2:20.2.0-0ubuntu1 all
> opendrim-lmp-dhcp/jammy 1.0.0-0ubuntu2 amd64
> python3-isc-dhcp-leases/jammy 0.9.1-2 all
> udhcpc/jammy 1:1.30.1-7ubuntu3 amd64
> udhcpd/jammy 1:1.30.1-7ubuntu3 amd64
> wide-dhcpv6-client/jammy 20080615-23build1 amd64
> wide-dhcpv6-relay/jammy 20080615-23build1 amd64
> wide-dhcpv6-server/jammy 20080615-23build1 amd64
> dnsuser at ps-dns-01:~$
> ###
>
>
> Goal:
>
> 1. HA DNS and DHCP (failover / fail back)
> 2. DDNS updates from registered DHCP clients for PTR and
> A records (ipv4 only for now)
>
>
> Issues:
>
> 1. Getting flooding in /var/log/syslog, every update...
>
> ###
> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.129 to 00:50:56:97:2b:f7 (op-web2) via 10.89.132.1
> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.129 from dhcpfailover rejected: incoming update is less critical than outgoing update
> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: Unable to add forward map from op-web2.ps.labs.local to 10.89.132.129: REFUSED
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via ens160
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via ens160
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via 10.89.132.1
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via 10.89.132.1
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: Unable to add forward map from easytravel.ps.labs.local to 10.89.132.130: REFUSED
> Apr 25 14:51:38 ps-dns-02 named[184617]: client @0x7f20082400b8 10.89.132.90#50112 (mdbrtr-cisco-assist-00-ps-labs-local-svc): query (cache) 'mdbrtr-cisco-assist-00-ps-labs-local-svc/AAAA/IN' denied (allow-query-cache did not match)
> Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: reuse_lease: lease age 122 (secs) under 25% threshold, reply with unaltered, existing lease for 10.89.135.132
> Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.135.132 from 00:50:56:8b:a5:85 via ens160
> ###
> A similar posting was made with a note that this would require
> a configuration file review for what was / is misconfigured:
> https://dhcp-users.isc.narkive.com/KngCfNx3/rejected-incoming-update-is-less-critical-than-outgoing-update
>
>
> As such, below is a sample of the zone and DHCP/DNS configuration.
>
> I read through the document https://kb.isc.org/docs/aa-01588
> but did not see where there is a misconfiguration in my
> configurations.
>
> cat /etc/dhcp/dhcpd.conf
>
> ps-dns-01:
> # option definitions common to all supported networks...
> option domain-name "ps.labs.local";
> option domain-search "ps.labs.local";
> option domain-name-servers 10.89.100.152, 10.89.100.153;
> option time-offset -6;
> option ntp-servers 10.89.66.1;
> option time-servers 10.89.66.1;
> #ddns-domainname "ps.labs.local";
> default-lease-time 600;
> max-lease-time 7200;
>
>
> # Failover declaration
> failover peer "dhcpfailover" {
> primary; # primary server declaration
> address 10.89.100.152;
> port 647;
> peer address 10.89.100.153;
> peer port 647;
> max-response-delay 60;
> max-unacked-updates 10;
> mclt 3600;
> split 128;
> load balance max seconds 3;
> }
>
>
> key pslabslocal {
> secret cHNsYWJzbG9jYWw=;
> algorithm hmac-md5;
> }
>
> # The ddns-updates-style parameter controls whether or not the server will
> # attempt to do a DNS update when a lease is confirmed. We default to the
> # behavior of the version 2 packages ('none', since DHCP v2 didn't
> # have support for DDNS.)
> ddns-update-style standard;
>
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> # Use this to send dhcp log messages to a different log file (you also
> # have to hack syslog.conf to complete the redirection).
> #log-facility local7;
>
> # No service will be given on this subnet, but declaring it helps the
> # DHCP server to understand the network topology. This is
> # for local NIC listening to dhcp broadcasts.
> subnet 10.89.100.0 netmask 255.255.255.0 {
> }
>
> # ps_labs_local_infrastructure
> subnet 10.89.128.0 netmask 255.255.255.0 {
> }
>
> # hx06 dynamic
> subnet 10.89.130.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.130.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.130.10 10.89.130.254;
> }
> }
>
> # hx07 dynamic
> subnet 10.89.132.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.132.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.132.10 10.89.132.254;
> }
> }
>
> # UCSX dynamic
> subnet 10.89.134.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.134.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.134.10 10.89.134.254;
> }
> }
>
> # The following three network are for Tanzu work in hx06
> # Update 20221004 by JW. Data is all static as is mgmt. Workload is all DHCP
> # subnet 10.89.135.0 netmask 255.255.255.224
>
> # k8s-tz-data-hx06 dynamic
> subnet 10.89.135.0 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.2 10.89.135.30;
> }
> }
>
> # k8s-tz-workload-hx06 dynamic
> subnet 10.89.135.32 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.33;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.34 10.89.135.63;
> }
> }
>
> # k8s-tz-mgmt-hx06 dynamic
> subnet 10.89.135.64 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.65;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.66 10.89.135.94;
> }
> }
>
> # k8s-ocp-data-hx06
> subnet 10.89.135.96 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.97;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.98 10.89.135.126;
> }
> }
>
> # k8s-ocp-workload-hx06
> subnet 10.89.135.128 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.129;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.130 10.89.135.158;
> }
> }
>
> # k8s-rke-mgmt-hx06
> subnet 10.89.135.160 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.161;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.162 10.89.135.190;
> }
> # ocpbastion
> host ocpbastion {
> hardware ethernet 00:50:56:8b:db:a4;
> fixed-address 10.89.135.190;
> }
> }
>
> # k8s-rke-data-hx06
> subnet 10.89.135.192 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.193;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.194 10.89.135.222;
> }
> }
>
> # k8s-rke-workload-hx06
> subnet 10.89.135.224 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.225;
> option routers 10.89.135.193;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.226 10.89.135.253;
> }
> }
>
>
> # Host reservations
> host tanzuprod-service-control-plane-bbwwb {
> hardware ethernet 00:50:56:8b:71:bf;
> fixed-address 10.89.135.48;
> }
> <snip>
> host tanzuprod-workload-control-plane-zvm6t {
> hardware ethernet 00:50:56:8b:75:83;
> fixed-address 10.89.135.50;
> }
>
> # DV Presales Lab
> zone ps.labs.local. {
> primary 10.89.100.152;
> key pslabslocal;
> }
>
> ps-dns-02:
>
> # option definitions common to all supported networks...
> option domain-name "ps.labs.local";
> option domain-search "ps.labs.local";
> option domain-name-servers 10.89.100.152, 10.89.100.153;
> option time-offset -6;
> option ntp-servers 10.89.66.1;
> option time-servers 10.89.66.1;
> #ddns-domainname "ps.labs.local";
> default-lease-time 600;
> max-lease-time 7200;
>
>
> # Failover declaration
> failover peer "dhcpfailover" {
> secondary; # secondary server declaration
> address 10.89.100.153;
> port 647;
> peer address 10.89.100.152;
> peer port 647;
> max-response-delay 60;
> max-unacked-updates 10;
> load balance max seconds 3;
> }
>
>
> key pslabslocal {
> secret cHNsYWJzbG9jYWw=;
> algorithm hmac-md5;
> }
>
> # The ddns-updates-style parameter controls whether or not the server will
> # attempt to do a DNS update when a lease is confirmed. We default to the
> # behavior of the version 2 packages ('none', since DHCP v2 didn't
> # have support for DDNS.)
> ddns-update-style standard;
>
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> # Use this to send dhcp log messages to a different log file (you also
> # have to hack syslog.conf to complete the redirection).
> #log-facility local7;
>
> # No service will be given on this subnet, but declaring it helps the
> # DHCP server to understand the network topology. This is
> # for local NIC listening to dhcp broadcasts.
> subnet 10.89.100.0 netmask 255.255.255.0 {
> }
>
> # ps_labs_local_infrastructure
> subnet 10.89.128.0 netmask 255.255.255.0 {
> }
>
> # hx06 dynamic
> subnet 10.89.130.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.130.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.130.10 10.89.130.254;
> }
> }
>
> # hx07 dynamic
> subnet 10.89.132.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.132.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.132.10 10.89.132.254;
> }
> }
>
> # UCSX dynamic
> subnet 10.89.134.0 netmask 255.255.255.0 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.134.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.134.10 10.89.134.254;
> }
> }
>
> # The following three network are for Tanzu work in hx06
> # Update 20221004 by JW. Data is all static as is mgmt. Workload is all DHCP
> # subnet 10.89.135.0 netmask 255.255.255.224
>
> # k8s-tz-data-hx06 dynamic
> subnet 10.89.135.0 netmask 255.255.255.224 {
> ddns-updates on;
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.1;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.2 10.89.135.30;
> }
> }
>
> # k8s-tz-workload-hx06 dynamic
> subnet 10.89.135.32 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.33;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.34 10.89.135.63;
> }
> }
>
> # k8s-tz-mgmt-hx06 dynamic
> subnet 10.89.135.64 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.65;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.66 10.89.135.94;
> }
> }
>
> # k8s-ocp-data-hx06
> subnet 10.89.135.96 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.97;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.98 10.89.135.126;
> }
> }
>
> # k8s-ocp-workload-hx06
> subnet 10.89.135.128 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.129;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.130 10.89.135.158;
> }
> }
>
> # k8s-rke-mgmt-hx06
> subnet 10.89.135.160 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.161;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.162 10.89.135.190;
> }
> }
>
> # k8s-rke-data-hx06
> subnet 10.89.135.192 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.152;
> option routers 10.89.135.193;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.194 10.89.135.222;
> }
> }
>
> # k8s-rke-workload-hx06
> subnet 10.89.135.224 netmask 255.255.255.224 {
> option domain-name-servers 10.89.100.225;
> option routers 10.89.135.193;
> pool {
> failover peer "dhcpfailover";
> range 10.89.135.226 10.89.135.253;
> }
> }
>
> # Host reservations
> host tanzuprod-service-control-plane-bbwwb {
> hardware ethernet 00:50:56:8b:71:bf;
> fixed-address 10.89.135.48;
> }
> <snip>
> host tanzuprod-workload-control-plane-zvm6t {
> hardware ethernet 00:50:56:8b:75:83;
> fixed-address 10.89.135.50;
> }
>
> # DV Presales Lab
> zone ps.labs.local. {
> primary 10.89.100.152;
> key pslabslocal;
> }
> dnsuser at ps-dns-02:~$
>
>
>
> DDNS
>
> cat /etc/bind/named.conf
>
> ps-dns-01:
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> server 10.89.9.10 {
> };
> server 10.89.9.107 {
> };
> key pslabslocal {
> algorithm hmac-md5;
> secret "c<snip>w=";
> };
>
> ps-dns-02:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> key pslabslocal {
> algorithm hmac-md5;
> secret "c<snip>w=";
> };
> server 10.89.100.153 {
> transfer-format many-answers;
> keys {
> pslabslocal;
> };
> };
>
> ps-dns-01 "/etc/bind/named.conf.options"
> listen-on-v6 { any; };
> forwarders {
> 10.89.9.10;
> 10.89.9.107;
> };
> recursion yes;
> allow-query {
> any;
> };
> allow-recursion {
> any;
> };
> };
>
> ps-dns-02 "/etc/bind/named.conf.options"
> options {
> directory "/var/cache/bind";
>
>
> listen-on-v6 { any; };
> };
> ps-dns-01 "/etc/bind/named.conf.local"
> zone "ps.labs.local" {
> type master;
> file "/var/lib/bind/ps.labs.local.hosts";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
> zone "128.89.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/10.89.128.rev";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
> zone "129.89.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/10.89.129.rev";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
> <snip other zones but all structured same>
>
> ps-dns-02 "/etc/bind/named.conf.local"
> zone "130.89.10.in-addr.arpa" {
> type slave;
> masters {
> 10.89.100.152;
> };
> allow-transfer {
> 10.89.100.152;
> };
> file "/var/lib/bind/10.89.130.rev";
> };
> zone "ps.labs.local" {
> type slave;
> masters {
> 10.89.100.152;
> };
> allow-transfer {
> 10.89.100.152;
> };
> file "/var/lib/bind/ps.labs.local.hosts";
> };
> zone "128.89.10.in-addr.arpa" {
> type slave;
> masters {
> 10.89.100.152;
> };
> allow-transfer {
> 10.89.100.152;
> };
> file "/var/lib/bind/10.89.128.rev";
> };
> <snip other zones but all structured same>
> ps-dns-01 "/etc/bind/named.conf.default-zones"
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> also-notify {
> 10.89.100.153;
> };
> allow-transfer {
> 10.89.100.153;
> };
> };
>
>
>
>
> ps-dns-02 "/etc/bind/named.conf.default-zones"
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
>
> Questions:
>
> 1. What is misconfigured to get a flood of events about
> DHCP cache?
> 2. Why are DHCP leases not pushing updates to DNS to
> create records (A and PTR)?
> 3. I see almost no logs as I boot up a test VM and get a
> lease, as to attempts to create from DHCP to DNS.
> Where are the logs for these to track down DDNS
> communication?
> 4. The DNS server on the replica is not a flat file but a binary
> hash replica. In the event of failover (ex: ps-dns-01
> goes offline), how would DHCP push, via DDNS, update
> records of the server?
>
>
> Thanks,
>
> Penguinpages
>
>
>
ough. HTML messages, especially long ones - not a good recipe
for mailing lists.
I'll not offer any turn-key-ready fixes for your issues but
perhaps I can share some ideas..
also a question - how do you keep your dns servers in sync?
These are flat-file backends right? Do you do any
dynamic-a/sync with them DNSes? If you do....
I'd suggest - perhaps as others did/do - to use a bit more
comprehensive systems for domain(+a lot more) management - I
don't know if they have it over at Ubuntu/Canonical but, I'd
recommend freeIPA - that is perhaps much steeper learning
curve but once sussed out, will do a plethora of things for you.
On DHCP - I'd, as I usually do, run only one dhcp
daemon/service for a given (topologically) sub/net. Have it
set up & ready on multiple nodes but run only ! one at any
time, with the help of, managed by, some simple outside-of-
dhcpd solution / something like NM's dispatcher can do in
some cases. Here you should have only one file to keep in
sync - dhcpd config - between the nodes.
Glancing through your configs - seems that you have set your
'keys' but are those not missing in/for DNS ? - which dns
also must allow specific zones to be updated, or not, via
use of 'update-policy'.
eg.
...
zone "direct" IN {
    auto-dnssec maintain;
    key-directory "myzones";
    allow-query { localhost; private.pawel; };
    #allow-update { key dhcpd; key nsupdate_key; };
    update-policy {
        #grant dhcpd subdomain *.direct A CNAME TXT;
        #grant nsupdate_key subdomain *.direct SOA NS A CNAME TXT;
        grant dhcpd wildcard *.direct A CNAME TXT;
        grant nsupdate_key wildcard *.direct A CNAME TXT;
    };
    # below line would be for a slave/stub secondary server
    allow-transfer { localbox; 10.3.1.220; };
    type master;
    file "myzones/direct.signed";
};
...
but again,
And probably the best advice ever (for now) - unless you knew
this already but had no choice - even numbers, when it comes
to computer systems, are not your friends.
bw. L.
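The reply's point, that the BIND side must name the TSIG key in an update-policy for each zone dhcpd updates, spelled out for the zones in this thread. This is an added example, not configuration from either poster. The zone ps.labs.local, the key name pslabslocal, the primary 10.89.100.152 and the secondary 10.89.100.153 come from the thread; the reverse zone 132.89.10.in-addr.arpa (the thread snips its reverse zones), the hmac-sha256 algorithm and the placeholder secret are assumptions.

```conf
# ---- /etc/bind/named.conf.local on ps-dns-01 (the primary that dhcpd updates) ----
# Added example, not the poster's file. The reverse zone below is assumed;
# every other reverse zone dhcpd is expected to update needs the same grant.
key "pslabslocal" {
    # hmac-sha256 is an assumption; the thread uses hmac-md5, which BIND 9.18
    # still accepts but which is the weakest TSIG algorithm it offers.
    algorithm hmac-sha256;
    # Placeholder: paste the secret printed by `tsig-keygen pslabslocal` and
    # install the identical value in every dhcpd.conf.
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";
};

zone "ps.labs.local" {
    type master;
    file "/var/lib/bind/ps.labs.local.hosts";
    # Without an update-policy (or allow-update) that names the key, named
    # answers dhcpd's signed UPDATE with REFUSED. update-policy and
    # allow-update are mutually exclusive in one zone. zonesub limits the key
    # to names inside this zone; A and DHCID are the types that
    # ddns-update-style standard adds and removes in a forward zone.
    update-policy {
        grant pslabslocal zonesub A DHCID;
    };
    also-notify { 10.89.100.153; };
    allow-transfer { 10.89.100.153; };
};

# Reverse zone for the 10.89.132.0/24 pool (assumed). PTR is the only type
# dhcpd writes here.
zone "132.89.10.in-addr.arpa" {
    type master;
    file "/var/lib/bind/10.89.132.rev";
    update-policy {
        grant pslabslocal zonesub PTR;
    };
    also-notify { 10.89.100.153; };
    allow-transfer { 10.89.100.153; };
};

# ---- /etc/dhcp/dhcpd.conf on both failover peers (identical) ----
# Whichever peer grants the lease sends the update, so both need the key.
# dhcpd signs updates only for zones it declares; an undeclared reverse zone
# is located by SOA lookup and updated unsigned, which the policy above
# refuses. Declare every reverse zone alongside the forward one.
key pslabslocal {
    algorithm hmac-sha256;
    secret REPLACE-WITH-tsig-keygen-OUTPUT;
}

zone ps.labs.local. {
    primary 10.89.100.152;
    key pslabslocal;
}

zone 132.89.10.in-addr.arpa. {
    primary 10.89.100.152;
    key pslabslocal;
}
```

Check both files with `named-checkconf` and `dhcpd -t` before reloading. With the grants in place, dhcpd logs each successful update as "Added new forward map from ... to ..." and "Added reverse map from ... to ...", which is the DDNS trail question 3 asks about; the "Unable to add forward map ...: REFUSED" lines in the thread are named's answer to an update the zone policy did not permit, while the "bind update ... rejected: incoming update is less critical than outgoing update" lines are exchanged between the two dhcpd peers over the failover channel and are not affected by DNS policy. The secret posted in the thread, cHNsYWJzbG9jYWw=, is just the base64 encoding of the key name pslabslocal, so anyone who sees the key name can sign updates; replace it with a generated one. On question 4: a signed update has to reach the zone's primary, and a secondary zone on ps-dns-02 can at most relay it with allow-update-forwarding, so while ps-dns-01's named is down DDNS updates fail whatever dhcpd's failover state is.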