DHCP - DDNS Update

glenn.satchell at uniq.com.au
Wed May 17 00:38:49 UTC 2023



Hi,

You are using the default syslog settings, which logs at a verbose 
level. You can customise this.

For example in dhcpd.conf:

log-facility local7;

Then in rsyslog you can log with the required detail, e.g. this is what I 
have in /etc/rsyslog.d/60-local.conf

# logging for isc-dhcpd-server
local7.*                                -/var/log/dhcp/dhcp.log

and to stop dhcp messages going to /var/log/syslog in 
/etc/rsyslog.d/50-default.conf

*.*;local7,auth,authpriv.none   -/var/log/syslog

You can experiment with other things than local7.* to get the level you 
want, perhaps

local7.notice

or

local7.warning

If you put notice then you get all the higher level log messages: 
warning, error, crit, alert, emerg.

See the man page rsyslog.conf for the definition of facilities (local7) 
and priorities (notice).

        The facility is one of the following keywords: auth, authpriv, cron,
        daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
        user, uucp and local0 through local7. The keyword security should not
        be used anymore and mark is only for internal use and therefore should
        not be used in applications. Anyway, you may want to specify and
        redirect these messages here. The facility specifies the subsystem
        that produced the message, i.e. all mail programs log with the mail
        facility (LOG_MAIL) if they log using syslog.

        The priority is one of the following keywords, in ascending order:
        debug, info, notice, warning, warn (same as warning), err, error (same
        as err), crit, alert, emerg, panic (same as emerg). The keywords
        error, warn and panic are deprecated and should not be used anymore.
        The priority defines the severity of the message.

        The behavior of the original BSD syslogd is that all messages of the
        specified priority and higher are logged according to the given
        action. Rsyslogd behaves the same, but has some extensions.

regards,

Glenn
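As an added illustration (not part of Glenn's message, nor code from the rsyslog or ISC projects), the following Python models the selector semantics of the two rsyslog lines above and runs messages modelled on the thread's dhcpd log through them, then shows what tightening the selector to local7.notice keeps. It assumes dhcpd logs the DHCPACK and failover "bind update" lines at info and the "Unable to add forward map ... REFUSED" line at err, and that named logs to the daemon facility; the sample lines are constructed, not captured.

```python
"""Model of rsyslog selector routing for the two lines Glenn quotes:

    local7.*                        -/var/log/dhcp/dhcp.log
    *.*;local7,auth,authpriv.none   -/var/log/syslog

A selector is 'facility.priority': facility is '*' or a comma list, priority
is '*', 'none', or a level name meaning that level and everything higher.
';'-joined selectors apply left to right, later ones overriding the facilities
they name (that is how '.none' carves local7 out of '*.*'). The '=' and '!'
priority modifiers of rsyslog.conf(5) are not modelled.
"""
from typing import Dict, List, Optional, Tuple

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIO_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # deprecated names
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
FAC_ALIASES = {"security": "auth"}
Thresholds = Dict[str, Optional[int]]  # facility -> lowest logged level, None = none


def prio_index(name: str) -> int:
    return PRIORITIES.index(PRIO_ALIASES.get(name, name))


def parse_selector(spec: str) -> Thresholds:
    """Turn e.g. '*.*;local7,auth,authpriv.none' into per-facility thresholds."""
    thresholds: Thresholds = {f: None for f in FACILITIES}
    for part in spec.split(";"):
        fac_part, prio_part = part.strip().rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else [FAC_ALIASES.get(f, f) for f in fac_part.split(",")]
        if prio_part == "none":
            thr: Optional[int] = None
        elif prio_part == "*":
            thr = 0
        else:
            thr = prio_index(prio_part)
        for f in facs:
            thresholds[f] = thr  # a later selector overrides an earlier one
    return thresholds


def selected(thresholds: Thresholds, facility: str, priority: str) -> bool:
    """True when a message of this facility/priority passes the selector."""
    thr = thresholds[FAC_ALIASES.get(facility, facility)]
    return thr is not None and prio_index(priority) >= thr


def route(rules: List[Tuple[str, str]],
          messages: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Apply (selector, target) rules to (facility, priority, text) messages."""
    parsed = [(parse_selector(sel), target) for sel, target in rules]
    out: Dict[str, List[str]] = {target: [] for _, target in rules}
    for facility, priority, text in messages:
        for thresholds, target in parsed:
            if selected(thresholds, facility, priority):
                out[target].append(text)
    return out


# Glenn's two rules, with dhcpd configured 'log-facility local7;'.
RULES = [("local7.*", "/var/log/dhcp/dhcp.log"),
         ("*.*;local7,auth,authpriv.none", "/var/log/syslog")]

# Constructed sample modelled on the thread's log lines. The priorities are an
# assumption about the level dhcpd/named use for each message, not measured.
MESSAGES = [
    ("local7", "info", "dhcpd: DHCPACK on 10.89.132.129 to 00:50:56:97:2b:f7 (op-web2)"),
    ("local7", "info", "dhcpd: bind update on 10.89.132.129 from dhcpfailover rejected"),
    ("local7", "err", "dhcpd: Unable to add forward map from op-web2.ps.labs.local: REFUSED"),
    ("daemon", "info", "named: client 10.89.132.90#50112 query (cache) denied"),
    ("authpriv", "notice", "sshd: Accepted publickey for dnsuser"),
]

if __name__ == "__main__":
    print(route(RULES, MESSAGES))
    # local7.notice drops the info chatter and keeps only the REFUSED error
    print(route([("local7.notice", "dhcp.log")], MESSAGES))
```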

On 2023-05-17 01:32, lejeczek wrote:

> On 25/04/2023 17:47, Jeremey Wise wrote:
> 
>> Greetings, and sorry up front for large email. But joining this forum 
>> and wanted to be comprehensive in my posting.  I googled around and 
>> seems I am not the only one with questions on how to do this task, as 
>> things have changed with certs and updates.  Hopefully this email 
>> formats in a means to make it easy for others to review and toss out 
>> ideas / links to where I can RTFM.
>> 
>> I am being tasked to help out with a POC / Demo lab.  It is a pair of 
>> VMs, running Ubuntu 22.04 fully updated / patched.
>> 
>> ###
>> dnsuser at ps-dns-01:~$  named -v
>> BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
>> dnsuser at ps-dns-01:~$ apt list |grep dhcp
>> 
>> WARNING: apt does not have a stable CLI interface. Use with caution in 
>> scripts.
>> 
>> dhcp-helper/jammy 1.2-3 amd64
>> dhcp-probe/jammy 1.3.0-10.1build2 amd64
>> dhcpcanon/jammy 0.8.5-2 all
>> dhcpcd-dbus/jammy 0.6.1-2 amd64
>> dhcpcd-gtk/jammy 0.7.8-1 amd64
>> dhcpcd5/jammy 7.1.0-2build1 amd64
>> dhcpd-pools/jammy 2.29-1.1 amd64
>> dhcpdump/jammy 1.8-2.2 amd64
>> dhcpig/jammy 1.5-3 all
>> dhcping/jammy 1.2-5 amd64
>> dhcpoptinj/jammy 0.5.3-1 amd64
>> dhcpstarv/jammy 0.2.2-2 amd64
>> dhcpy6d/jammy 1.0.7-1 all
>> freeradius-dhcp/jammy-updates,jammy-security 
>> 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 amd64
>> fusiondirectory-plugin-dhcp-schema/jammy 1.3-4build1 all
>> fusiondirectory-plugin-dhcp/jammy 1.3-4build1 all
>> golang-github-d2g-dhcp4-dev/jammy 0.0~git20150413-3 all
>> golang-github-d2g-dhcp4client-dev/jammy 1.0.0-2 all
>> golang-github-insomniacslk-dhcp-dev/jammy 0.0~git20200621.d74cd86-1 
>> all
>> golang-github-mdlayher-dhcp6-dev/jammy 0.0~git20190311.2a67805-2 all
>> gosa-plugin-dhcp-schema/jammy 2.7.4+reloaded3-16build1 all
>> gosa-plugin-dhcp/jammy 2.7.4+reloaded3-16build1 all
>> isc-dhcp-client-ddns/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
>> isc-dhcp-client/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 
>> [installed,automatic]
>> isc-dhcp-common/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 
>> [installed,automatic]
>> isc-dhcp-dev/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
>> isc-dhcp-relay/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
>> isc-dhcp-server-ldap/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
>> isc-dhcp-server/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed]
>> kea-dhcp-ddns-server/jammy 2.0.2-1 amd64
>> kea-dhcp4-server/jammy 2.0.2-1 amd64
>> kea-dhcp6-server/jammy 2.0.2-1 amd64
>> libnet-dhcp-perl/jammy 0.696+dfsg-1 all
>> libnet-dhcpv6-duid-parser-perl/jammy 1.01-2.1 all
>> librust-dhcp4r-dev/jammy 0.2.0-1 amd64
>> libtext-dhcpleases-perl/jammy 1.0-2.1 all
>> neutron-dhcp-agent/jammy-updates 2:20.2.0-0ubuntu1 all
>> opendrim-lmp-dhcp/jammy 1.0.0-0ubuntu2 amd64
>> python3-isc-dhcp-leases/jammy 0.9.1-2 all
>> udhcpc/jammy 1:1.30.1-7ubuntu3 amd64
>> udhcpd/jammy 1:1.30.1-7ubuntu3 amd64
>> wide-dhcpv6-client/jammy 20080615-23build1 amd64
>> wide-dhcpv6-relay/jammy 20080615-23build1 amd64
>> wide-dhcpv6-server/jammy 20080615-23build1 amd64
>> dnsuser at ps-dns-01:~$ ###
>> 
>> Goal:
>> 
>> * HA DNS and DHCP (failover / fail back)
>> * DDNS updates from registered DHCP clients for PTR and A records 
>> (ipv4 only for now)
>> 
>> Issues:
>> 
>> * Getting flooding in /var/log/syslog , every update ..
>> 
>> ###
>> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.129 to 
>> 00:50:56:97:2b:f7 (op-web2) via 10.89.132.1
>> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.129 
>> from dhcpfailover rejected: incoming update is less critical than 
>> outgoing update
>> Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: Unable to add forward map 
>> from op-web2.ps.labs.local to 10.89.132.129: REFUSED
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 
>> from 00:50:56:97:df:98 (easytravel) via ens160
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 
>> 00:50:56:97:df:98 (easytravel) via ens160
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 
>> from 00:50:56:97:df:98 (easytravel) via 10.89.132.1
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 
>> 00:50:56:97:df:98 (easytravel) via 10.89.132.1
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 
>> from dhcpfailover rejected: incoming update is less critical than 
>> outgoing update
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 
>> from dhcpfailover rejected: incoming update is less critical than 
>> outgoing update
>> Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: Unable to add forward map 
>> from easytravel.ps.labs.local to 10.89.132.130: REFUSED
>> Apr 25 14:51:38 ps-dns-02 named[184617]: client @0x7f20082400b8 
>> 10.89.132.90#50112 (mdbrtr-cisco-assist-00-ps-labs-local-svc): query 
>> (cache) 'mdbrtr-cisco-assist-00-ps-labs-local-svc/AAAA/IN' denied 
>> (allow-query-cache did not match)
>> Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: reuse_lease: lease age 122 
>> (secs) under 25% threshold, reply with unaltered, existing lease for 
>> 10.89.135.132
>> Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.135.132 
>> from 00:50:56:8b:a5:85 via ens160
>> ###
>> A similar posting was made, with a note that this would require a 
>> configuration file review for what was / is misconfigured:  
>> https://dhcp-users.isc.narkive.com/KngCfNx3/rejected-incoming-update-is-less-critical-than-outgoing-update
>> 
>> As such, below is a sample of the zone and DHCP/DNS configuration.
>> 
>> I read through the document https://kb.isc.org/docs/aa-01588 but did 
>> not see where there is a misconfiguration in my configurations.
>> 
>> cat /etc/dhcp/dhcpd.conf
>> 
>> ps-dns-01
>> ps-dns-02
>> 
>> # option definitions common to all supported networks...
>> option domain-name "ps.labs.local";
>> option domain-search "ps.labs.local";
>> option domain-name-servers 10.89.100.152, 10.89.100.153;
>> option time-offset -6;
>> option ntp-servers 10.89.66.1;
>> option time-servers 10.89.66.1;
>> #ddns-domainname "ps.labs.local";
>> default-lease-time 600;
>> max-lease-time 7200;
>> 
>> # Failover declaration
>> failover peer "dhcpfailover" {
>> primary;        # primary server declaration
>> address 10.89.100.152;
>> port 647;
>> peer address 10.89.100.153;
>> peer port 647;
>> max-response-delay 60;
>> max-unacked-updates 10;
>> mclt 3600;
>> split 128;
>> load balance max seconds 3;
>> }
>> 
>> key pslabslocal {
>> secret cHNsYWJzbG9jYWw=;
>> algorithm hmac-md5;
>> }
>> 
>> # The ddns-updates-style parameter controls whether or not the server 
>> will
>> # attempt to do a DNS update when a lease is confirmed. We default to 
>> the
>> # behavior of the version 2 packages ('none', since DHCP v2 didn't
>> # have support for DDNS.)
>> ddns-update-style standard;
>> 
>> # If this DHCP server is the official DHCP server for the local
>> # network, the authoritative directive should be uncommented.
>> authoritative;
>> 
>> # Use this to send dhcp log messages to a different log file (you also
>> # have to hack syslog.conf to complete the redirection).
>> #log-facility local7;
>> 
>> # No service will be given on this subnet, but declaring it helps the
>> # DHCP server to understand the network topology. This is for local 
>> NIC listening to dhcp broadcasts.
>> subnet 10.89.100.0 netmask 255.255.255.0 {
>> }
>> 
>> # ps_labs_local_infrastructure
>> subnet 10.89.128.0 netmask 255.255.255.0 {
>> }
>> 
>> # hx06 dynamic
>> subnet 10.89.130.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.130.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.130.10 10.89.130.254;
>> }
>> }
>> 
>> # hx07 dynamic
>> subnet 10.89.132.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.132.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.132.10 10.89.132.254;
>> }
>> }
>> 
>> # UCSX dynamic
>> subnet 10.89.134.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.134.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.134.10 10.89.134.254;
>> }
>> }
>> 
>> # The following three network are for Tanzu work in hx06
>> # Update 20221004 by JW.  Data is all static as is mgmt.  Workload is 
>> all DHCP
>> # subnet 10.89.135.0 netmask 255.255.255.224
>> 
>> # k8s-tz-data-hx06 dynamic
>> subnet 10.89.135.0 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.2 10.89.135.30;
>> }
>> }
>> 
>> # k8s-tz-workload-hx06 dynamic
>> subnet 10.89.135.32 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.33;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.34 10.89.135.63;
>> }
>> }
>> 
>> # k8s-tz-mgmt-hx06 dynamic
>> subnet 10.89.135.64 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.65;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.66 10.89.135.94;
>> }
>> }
>> 
>> # k8s-ocp-data-hx06
>> subnet 10.89.135.96 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.97;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.98 10.89.135.126;
>> }
>> }
>> 
>> # k8s-ocp-workload-hx06
>> subnet 10.89.135.128 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.129;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.130 10.89.135.158;
>> }
>> }
>> 
>> # k8s-rke-mgmt-hx06
>> subnet 10.89.135.160 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.161;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.162 10.89.135.190;
>> }
>> # ocpbastion
>> host ocpbastion {
>> hardware ethernet 00:50:56:8b:db:a4;
>> fixed-address 10.89.135.190;
>> }
>> }
>> 
>> # k8s-rke-data-hx06
>> subnet 10.89.135.192 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.193;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.194 10.89.135.222;
>> }
>> }
>> 
>> # k8s-rke-workload-hx06
>> subnet 10.89.135.224 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.225;
>> option routers 10.89.135.193;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.226 10.89.135.253;
>> }
>> }
>> 
>> # Host reservations
>> host tanzuprod-service-control-plane-bbwwb {
>> hardware ethernet 00:50:56:8b:71:bf;
>> fixed-address 10.89.135.48;
>> }
>> <snip>
>> host tanzuprod-workload-control-plane-zvm6t {
>> hardware ethernet 00:50:56:8b:75:83;
>> fixed-address 10.89.135.50;
>> }
>> 
>> # DV Presales Lab
>> zone ps.labs.local. {
>> primary 10.89.100.152;
>> key pslabslocal;
>> }
>> 
>> # option definitions common to all supported networks...
>> option domain-name "ps.labs.local";
>> option domain-search "ps.labs.local";
>> option domain-name-servers 10.89.100.152, 10.89.100.153;
>> option time-offset -6;
>> option ntp-servers 10.89.66.1;
>> option time-servers 10.89.66.1;
>> #ddns-domainname "ps.labs.local";
>> default-lease-time 600;
>> max-lease-time 7200;
>> 
>> # Failover declaration
>> failover peer "dhcpfailover" {
>> secondary;      # secondary server declaration
>> address 10.89.100.153;
>> port 647;
>> peer address 10.89.100.152;
>> peer port 647;
>> max-response-delay 60;
>> max-unacked-updates 10;
>> load balance max seconds 3;
>> }
>> 
>> key pslabslocal {
>> secret cHNsYWJzbG9jYWw=;
>> algorithm hmac-md5;
>> }
>> 
>> # The ddns-updates-style parameter controls whether or not the server 
>> will
>> # attempt to do a DNS update when a lease is confirmed. We default to 
>> the
>> # behavior of the version 2 packages ('none', since DHCP v2 didn't
>> # have support for DDNS.)
>> ddns-update-style standard;
>> 
>> # If this DHCP server is the official DHCP server for the local
>> # network, the authoritative directive should be uncommented.
>> authoritative;
>> 
>> # Use this to send dhcp log messages to a different log file (you also
>> # have to hack syslog.conf to complete the redirection).
>> #log-facility local7;
>> 
>> # No service will be given on this subnet, but declaring it helps the
>> # DHCP server to understand the network topology. This is for local 
>> NIC listening to dhcp broadcasts.
>> subnet 10.89.100.0 netmask 255.255.255.0 {
>> }
>> 
>> # ps_labs_local_infrastructure
>> subnet 10.89.128.0 netmask 255.255.255.0 {
>> }
>> 
>> # hx06 dynamic
>> subnet 10.89.130.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.130.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.130.10 10.89.130.254;
>> }
>> }
>> 
>> # hx07 dynamic
>> subnet 10.89.132.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.132.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.132.10 10.89.132.254;
>> }
>> }
>> 
>> # UCSX dynamic
>> subnet 10.89.134.0 netmask 255.255.255.0 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.134.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.134.10 10.89.134.254;
>> }
>> }
>> 
>> # The following three network are for Tanzu work in hx06
>> # Update 20221004 by JW.  Data is all static as is mgmt.  Workload is 
>> all DHCP
>> # subnet 10.89.135.0 netmask 255.255.255.224
>> 
>> # k8s-tz-data-hx06 dynamic
>> subnet 10.89.135.0 netmask 255.255.255.224 {
>> ddns-updates on;
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.1;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.2 10.89.135.30;
>> }
>> }
>> 
>> # k8s-tz-workload-hx06 dynamic
>> subnet 10.89.135.32 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.33;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.34 10.89.135.63;
>> }
>> }
>> 
>> # k8s-tz-mgmt-hx06 dynamic
>> subnet 10.89.135.64 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.65;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.66 10.89.135.94;
>> }
>> }
>> 
>> # k8s-ocp-data-hx06
>> subnet 10.89.135.96 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.97;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.98 10.89.135.126;
>> }
>> }
>> 
>> # k8s-ocp-workload-hx06
>> subnet 10.89.135.128 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.129;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.130 10.89.135.158;
>> }
>> }
>> 
>> # k8s-rke-mgmt-hx06
>> subnet 10.89.135.160 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.161;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.162 10.89.135.190;
>> }
>> }
>> 
>> # k8s-rke-data-hx06
>> subnet 10.89.135.192 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.152;
>> option routers 10.89.135.193;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.194 10.89.135.222;
>> }
>> }
>> 
>> # k8s-rke-workload-hx06
>> subnet 10.89.135.224 netmask 255.255.255.224 {
>> option domain-name-servers 10.89.100.225;
>> option routers 10.89.135.193;
>> pool {
>> failover peer "dhcpfailover";
>> range 10.89.135.226 10.89.135.253;
>> }
>> }
>> 
>> # Host reservations
>> host tanzuprod-service-control-plane-bbwwb {
>> hardware ethernet 00:50:56:8b:71:bf;
>> fixed-address 10.89.135.48;
>> }
>> <snip>
>> host tanzuprod-workload-control-plane-zvm6t {
>> hardware ethernet 00:50:56:8b:75:83;
>> fixed-address 10.89.135.50;
>> }
>> 
>> # DV Presales Lab
>> zone ps.labs.local. {
>> primary 10.89.100.152;
>> key pslabslocal;
>> }
>> dnsuser at ps-dns-02:~$
>> 
>> DDNS
>> 
>> cat /etc/bind/named.conf
>> 
>> ps-dns-01
>> ps-dns-02
>> 
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> server 10.89.9.10 {
>> };
>> server 10.89.9.107 {
>> };
>> key pslabslocal {
>> algorithm hmac-md5;
>> secret "c<snip>w=";
>> };
>> 
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> key pslabslocal {
>> algorithm hmac-md5;
>> secret "c<snip>w=";
>> };
>> server 10.89.100.153 {
>> transfer-format many-answers;
>> keys {
>> pslabslocal;
>> };
>> };
>> 
>> " /etc/bind/named.conf.options"
>> listen-on-v6 { any; };
>> forwarders {
>> 10.89.9.10;
>> 10.89.9.107;
>> };
>> recursion yes;
>> allow-query {
>> any;
>> };
>> allow-recursion {
>> any;
>> };
>> };
>> "/etc/bind/named.conf.options"
>> options {
>> directory "/var/cache/bind";
>> 
>> listen-on-v6 { any; };
>> };
>> 
>> "/etc/bind/named.conf.local"
>> zone "ps.labs.local" {
>> type master;
>> file "/var/lib/bind/ps.labs.local.hosts";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> zone "128.89.10.in-addr.arpa" {
>> type master;
>> file "/var/lib/bind/10.89.128.rev";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> zone "129.89.10.in-addr.arpa" {
>> type master;
>> file "/var/lib/bind/10.89.129.rev";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> <snip other zones but all structured same>
>> "/etc/bind/named.conf.local"
>> zone "130.89.10.in-addr.arpa" {
>> type slave;
>> masters {
>> 10.89.100.152;
>> };
>> allow-transfer {
>> 10.89.100.152;
>> };
>> file "/var/lib/bind/10.89.130.rev";
>> };
>> zone "ps.labs.local" {
>> type slave;
>> masters {
>> 10.89.100.152;
>> };
>> allow-transfer {
>> 10.89.100.152;
>> };
>> file "/var/lib/bind/ps.labs.local.hosts";
>> };
>> zone "128.89.10.in-addr.arpa" {
>> type slave;
>> masters {
>> 10.89.100.152;
>> };
>> allow-transfer {
>> 10.89.100.152;
>> };
>> file "/var/lib/bind/10.89.128.rev";
>> };
>> <snip other zones but all structured same>
>> 
>> "/etc/bind/named.conf.default-zones"
>> 
>> // prime the server with knowledge of the root servers
>> zone "." {
>> type hint;
>> file "/usr/share/dns/root.hints";
>> };
>> 
>> // be authoritative for the localhost forward and reverse zones, and 
>> for
>> // broadcast zones as per RFC 1912
>> 
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> 
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> 
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> 
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> also-notify {
>> 10.89.100.153;
>> };
>> allow-transfer {
>> 10.89.100.153;
>> };
>> };
>> 
>> "/etc/bind/named.conf.default-zones"
>> // prime the server with knowledge of the root servers
>> zone "." {
>> type hint;
>> file "/usr/share/dns/root.hints";
>> };
>> 
>> // be authoritative for the localhost forward and reverse zones, and 
>> for
>> // broadcast zones as per RFC 1912
>> 
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>> 
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>> 
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>> 
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>> 
>> Questions:
>> 
>> * What is misconfigured to get a flood of events about the DHCP cache?
>> * Why are DHCP leases not pushing updates to DNS to create records (A 
>> and PTR)?
>> * I see almost no logs as I boot up a test VM and get a lease, as to 
>> attempts to create from DHCP to DNS. Where are the logs for these 
>> to track down DDNS communication?
>> * The DNS server on the replica is not a flat file but a binary hash replica.  
>> In the event of a failover (ex: ps-dns-01 goes offline), how would DHCP 
>> push DDNS update records to the server?
>> 
>> Thanks,
>> 
>> Penguinpages
> Ough. HTML messages, especially long ones - not a good recipe for mailing 
> lists.
> I'll not offer any turn-key-ready fixes for your issues but perhaps I 
> can share some ideas..
> 
> also a question - how do you keep your dns servers in sync? These are 
> flat-file backends right? Do you do any dynamic-a/sync with them DNSes? 
> If you do....
> I'd suggest - perhaps as others did/do - to use a bit more 
> comprehensive systems for domain(+a lot more) management - I don't know 
> if they have it over at Ubuntu/Canonical but, I'd recommend freeIPA - 
> that is perhaps much steeper learning curve but once sussed out, will 
> do a plethora of things for you.
> 
> On DHCP - I'd, as I usually do, run only one dhcp daemon/service for a 
> given(topologically) sub/net. Have it set up & ready on multiple nodes 
> but run only ! one at any times, with help of, managed by some simple 
> outside of dhcpd, solution / something like NM's dispatcher can do in 
> some cases. Here you should have only one file to keep in sync - dhcpd 
> config - between the nodes.
> 
> Glancing through your configs - seems that you have set your 'keys' but 
> are those not missing in/for DNS ? - which dns also must allow specific 
> zones to be updated, or not, via use of 'update-policy'.
> eg.
> ...
> zone "direct" IN {
> auto-dnssec maintain;
> key-directory "myzones";
> allow-query     { localhost; private.pawel; };
> #allow-update { key dhcpd; key nsupdate_key; };
> update-policy {
> #grant dhcpd subdomain *.direct A CNAME TXT;
> #grant nsupdate_key subdomain *.direct SOA NS A CNAME TXT;
> grant dhcpd wildcard *.direct A CNAME TXT;
> grant nsupdate_key wildcard *.direct A CNAME TXT;
> };
> # below line would be for a slave/stub secondary server
> allow-transfer { localbox; 10.3.1.220; };
> type master;
> file "myzones/direct.signed";
> };
> ...
> but again,
> 
> And probably best advice ever(for now) - unless you knew this already 
> but had no choice - even numbers, when it comes to computer systems, 
> are not your friends.
> 
> bw. L.