[Kea-users] replacing nsupdate with gss-tsig hook
Olivier Le Monnier
olm at unicaen.fr
Wed Dec 20 10:59:27 UTC 2023
Hi all
We use Kea in production with DDNS and two different DNS servers depending on the network:
- Bind is updated with a TSIG key
- AD DNS is updated with a bash script:
* launched by the 'run script' hook
* on lease commit, release and expire
* only for concerned zones
* using nsupdate with a keytab (kerberos not configured)
We'd like to move to the GSS-TSIG hook so I configured kea-dhcp-ddns reusing the keytab and credentials cache used with nsupdate[1].
First, I wonder if I can still update bind through a simple TSIG key.
Then, I get an undocumented error I don't understand when restarting the service:
————
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: ERROR [kea-dhcp-ddns.callouts.140342135654272] HOOKS_CALLOUT_ERROR error returned by callout on hook d2_srv_configured registered by library with index 1 (callout address 0x7fa3f0593e90) (callout duration 0.064 ms)
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: ERROR [kea-dhcp-ddns.dhcpddns.140342135654272] DHCP_DDNS_CONFIGURED_CALLOUT_DROP configuration was rejected because a callout set the next step to 'drop': gss_tsig config mismatch: server info can't be found
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: FATAL [kea-dhcp-ddns.dctl.140342135654272] DCTL_CONFIG_FILE_LOAD_FAIL DhcpDdns reason: gss_tsig config mismatch: server info can't be found
déc. 20 11:40:26 kea-standby kea-dhcp-ddns[436538]: Service failed: Could Not load configuration file: gss_tsig config mismatch: server info can't be found
And finally, I wonder if anyone has done the same kind of thing and whether I could get help. I can't find my way through the documentation :(
Cheers.
————
[1] /etc/kea/kea-dhcp-ddns.conf:
{
  "DhcpDdns": {
    "ip-address": "127.0.0.1",
    "port": 53001,
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
      { "name": "DDNS_UPDATE",
        "algorithm": "HMAC-SHA256",
        "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      }
    ],
    "forward-ddns" : {
      "ddns-domains": [
        {"name": "bind_zone.", "key-name": "DDNS_UPDATE", "dns-servers": [{"ip-address": "10.20.30.40"}]},
        {"name": "ad_zone.", "dns-servers": [{"ip-address": "10.50.60.70"}]} // this is new
      ]
    },
    "hooks-libraries": [ // and all this is new too
      {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libddns_gss_tsig.so",
        "parameters": {
          "server-principal": "DNS/ad_dns.ad_zone.tld@AD_ZONE.TLD",
          "client-keytab": "FILE:/etc/kea/dnsupdate.keytab",
          "credentials-cache": "FILE:/tmp/dhcp-dyndns.cc",
          "fallback": true,
          "servers": [
            {
              "id": "ad_dns",
              "ip-address": "10.50.60.70",
              "port": 53
            }
          ]
        }
      }
    ],
    "loggers": […]
  }
}
--
Olivier LE MONNIER ⏚
–
Information Systems Department > Systems
UNICAEN | Université de Caen Normandie
–
+33(0) 2 31 56 62 09 (internal 62 09)
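The error in the post comes from the GSS-TSIG hook's d2_srv_configured callout, i.e. from cross-checking the hook's "servers" list against the DDNS domains, not from the TSIG key or the keytab. The script below is an added example, not the poster's script and not part of Kea: it parses a kea-dhcp-ddns config and reports which hook servers have no matching dns-servers entry, which zones still use a static TSIG key, and which zones would be updated unsigned. It assumes the hook matches its servers to the forward/reverse dns-servers entries by ip-address and port, that an omitted port defaults to 53, and it uses a copy of the posted config with the comma between the two ddns-domains entries added and placeholder secret, addresses and principal.

```python
"""Cross-check the GSS-TSIG hook's "servers" list against the forward/reverse
DNS servers of a kea-dhcp-ddns config (added example, not Kea's own code)."""
import json
import re

# Constructed from the posted kea-dhcp-ddns.conf: the missing comma between the two
# ddns-domains entries is added, the control socket, loggers and Kea-style // comments
# are dropped, and the secret, IPs and principal are placeholders.
CONFIG_TEXT = r'''
{
  "DhcpDdns": {
    "ip-address": "127.0.0.1",
    "port": 53001,
    "tsig-keys": [
      { "name": "DDNS_UPDATE", "algorithm": "HMAC-SHA256",
        "secret": "c2VjcmV0LXBsYWNlaG9sZGVy" }
    ],
    "forward-ddns": {
      "ddns-domains": [
        { "name": "bind_zone.", "key-name": "DDNS_UPDATE",
          "dns-servers": [ { "ip-address": "10.20.30.40" } ] },
        { "name": "ad_zone.",
          "dns-servers": [ { "ip-address": "10.50.60.70" } ] }
      ]
    },
    "hooks-libraries": [
      { "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libddns_gss_tsig.so",
        "parameters": {
          "server-principal": "DNS/ad_dns.ad_zone.tld@AD_ZONE.TLD",
          "client-keytab": "FILE:/etc/kea/dnsupdate.keytab",
          "credentials-cache": "FILE:/tmp/dhcp-dyndns.cc",
          "fallback": true,
          "servers": [ { "id": "ad_dns", "ip-address": "10.50.60.70", "port": 53 } ]
        } }
    ]
  }
}
'''

# Variant of the same config in which the hook's server is on a port that no
# ddns-domains entry points at, so the lookup by (ip, port) cannot succeed.
MISMATCH_TEXT = CONFIG_TEXT.replace('"port": 53 }', '"port": 5353 }')

DEFAULT_DNS_PORT = 53  # assumed default when a dns-servers entry omits "port"


def load(text):
    """Parse Kea JSON; Kea accepts // comments, json.loads does not, so strip them
    (line-based, so it would also clobber a // inside a string such as a URL)."""
    return json.loads(re.sub(r"//[^\n]*", "", text))["DhcpDdns"]


def ddns_servers(d2):
    """Map (ip, port) of every dns-servers entry to the zones that update it."""
    targets = {}
    for side in ("forward-ddns", "reverse-ddns"):
        for dom in d2.get(side, {}).get("ddns-domains", []):
            for srv in dom.get("dns-servers", []):
                key = (srv["ip-address"], srv.get("port", DEFAULT_DNS_PORT))
                targets.setdefault(key, set()).add(dom["name"])
    return targets


def gss_tsig_params(d2):
    """Return the parameters of the GSS-TSIG hook entry, or None if not loaded."""
    for lib in d2.get("hooks-libraries", []):
        if lib["library"].endswith("libddns_gss_tsig.so"):
            return lib.get("parameters", {})
    return None


def check(text):
    """Report the mismatches worth fixing before reloading kea-dhcp-ddns."""
    d2 = load(text)
    targets = ddns_servers(d2)
    params = gss_tsig_params(d2) or {}
    gss = {(s["ip-address"], s.get("port", DEFAULT_DNS_PORT)): s["id"]
           for s in params.get("servers", [])}
    # Assumption: the hook resolves each of its servers to a dns-servers entry by
    # ip-address and port and drops the whole config when one has no match.
    unmatched = sorted((sid, ip, port) for (ip, port), sid in gss.items()
                       if (ip, port) not in targets)
    # Zones with a static key-name keep using TSIG; a zone with neither a key-name
    # nor a GSS-TSIG server is updated unsigned, which "fallback": true also
    # permits whenever no GSS-TSIG key can be negotiated.
    keyed, unsigned = set(), set()
    for side in ("forward-ddns", "reverse-ddns"):
        for dom in d2.get(side, {}).get("ddns-domains", []):
            if dom.get("key-name"):
                keyed.add(dom["name"])
            elif not any((s["ip-address"], s.get("port", DEFAULT_DNS_PORT)) in gss
                         for s in dom.get("dns-servers", [])):
                unsigned.add(dom["name"])
    return {"unmatched_hook_servers": unmatched,
            "tsig_domains": sorted(keyed),
            "unsigned_domains": sorted(unsigned)}


if __name__ == "__main__":
    for label, text in (("posted config (comma fixed)", CONFIG_TEXT),
                        ("hook server on port 5353", MISMATCH_TEXT)):
        print(label, check(text))
```

Run it on a real file by replacing CONFIG_TEXT with the file's contents; an entry under unmatched_hook_servers is the kind of mismatch that would make the callout set the next step to 'drop', and an entry under unsigned_domains is a zone whose updates carry no signature at all.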