[Kea-users] Kea DDNS - Forward Updates work, but reverse do not?

Ubence Quevedo (thatrat) thatrat at gmail.com
Sun Jan 28 21:32:30 UTC 2024


Thanks for the comments.

That's just it though, the reverse record doesn't currently exist.

What I'm going to do is delete all of the reverse records that dhcpd created, and see how things behave on update. 

I’ll let that run for a bit and see if that might have been it.

-Ubence

> On Jan 28, 2024, at 1:02 PM, Sten Carlsen <stenc at s-carlsen.dk> wrote:
> 
> 
> Thanks
> 
> Sten
> 
>> On 28 Jan 2024, at 20.23, Rick Frey <gribnut at gmail.com> wrote:
>> 
>> I’ve not used/tested, but I overlooked Kea DDNS server option "ddns-use-conflict-resolution” that may allow you to overwrite DNS records that don’t match DHCID.   Default is true (doesn't overwrite if DHCID doesn’t match).  You might be able to set to false to allow Kea to overwrite non-matching forward and reverse records.   Would be safer to manually delete the conflict and leave at default behavior if you don’t want Kea to blindly write over any records not added/updated by Kea in your DNS zones.
>> 
>> 
>> 
>> See https://kea.readthedocs.io/en/kea-2.4.1/arm/dhcp4-srv.html#dhcp4-ddns-config
>> 
>> 
>>> On Jan 28, 2024, at 12:51, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>> 
>>> Thanks for the response, I took a look at the ddns log file I have set up on my bind 9 server and found the following:
>>> 27-Jan-2024 15:55:15.083 update: info: client @0xffff7c339b18 192.168.10.3#50944/key ddns-key: updating zone 'totusmel.com/IN': deleting an RR at lg-washer.totusmel.com A
>>> 27-Jan-2024 15:55:15.123 update: info: client @0xffff6c2c4228 192.168.10.3#56549/key ddns-key: updating zone 'totusmel.com/IN': delete all rrsets from name 'lg-washer.totusmel.com'
>>> 27-Jan-2024 15:55:15.143 update: info: client @0xffff702ec848 192.168.10.3#34817/key ddns-key: updating zone '10.168.192.in-addr.arpa/IN': update unsuccessful: 74.10.168.192.in-addr.arpa/PTR: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 
> My guess is that this RR was left by the now removed DHCPD. Dhcpd also leaves a TXT record with a value that allows it to verify that it did create this record, and if this record is not present or has a different value, it will not touch that RR. I guess that KEA makes that record calculation somewhat differently than dhcpd does, so the two will not remove the other system's RRs.
>  
>>> 
>>> It seems to be the same output as journalctl but through bind’s terminology.
>>> 
>>> I’m pretty sure the forward zone is getting updated properly since there’s a .jnl file and the serial number in the zone file is incrementing.
>>> 
>>> For some reason, the below section got stripped out in the response:
>>> The relevant section from the kea-dhcp4.conf:
>>>     "dhcp-ddns": {
>>>       "enable-updates": true
>>>     },
>>>         "ddns-qualifying-suffix": "totusmel.com",
>>>         "ddns-override-client-update": true,
>>> 
>>> Do I also need to add reverse zone 10.168.192.in-addr.arpa to the kea-dhcp4.conf?
>>> 
>>> Any other thoughts or comments on this would be appreciated!
>>> 
>>> -Ubence
>>> 
>>>> On Jan 28, 2024, at 10:11 AM, Rick Frey <gribnut at gmail.com> wrote:
>>>> 
>>>> The DNS response of RCODE 5 by your nameserver indicates the submitted DDNS update was refused by the nameserver.  May want to check your nameserver logs for cause.    Guessing it is not allowing your TSIG key used by Kea to make updates to the 10.168.192.in-addr.arpa zone.
>>>> BIND will not create a .jnl file until the first successful dynamic update (from any DDNS client).  Assuming this is a new BIND server as well since the jnl file for your reverse zone does not yet exist.
>>>> 
>>>>> On Jan 28, 2024, at 05:37, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> I’ve recently converted from the older ISC dhcpd with dynamic DNS configured and working properly with updating forward and reverse entries, but after converting to Kea, I can only get the forward entries to work and the reverse entries do not update.
>>>>> 
>>>>> This is a raspberry pi 4b running Ubuntu 22.04 LTS with Kea 2.0.2.  I can’t run the latest version since this is an arm system.
>>>>> 
>>>>> From what I can tell, things *look* correct, but when I do a journalctl -xeu kea-dhcp-ddns-server, in the below snippet, I get the following:
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: INFO  DHCP_DDNS_REMOVE_SUCCEEDED DHCP_DDNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: successfully removed the DNS mapping addition for this request: Type: 1 (CHG_REMOVE)
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Forward Change: yes
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Reverse Change: yes
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: FQDN: [lg-washer.totusmel.com.]
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: IP Address: [192.168.10.74]
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: DHCID: [000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979]
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Lease Expires On: 20240127223510
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Lease Length: 2400
>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Conflict Resolution: yes
>>>>> Jan 27 16:28:37 raspi kea-dhcp-ddns[1542846]: ERROR DHCP_DDNS_REVERSE_REPLACE_REJECTED DNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: Server, 192.168.10.3 port:53, rejected a DNS update request to replace the reverse mapping for FQDN, lg-washer.totusmel.com., with an RCODE: 5
>>>>> Jan 27 16:28:37 raspi kea-dhcp-ddns[1542846]: ERROR DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: Transaction outcome Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: completed,  Reverse change: failed,  request: Type: 0 (CHG_ADD)
>>>>> 
>>>>> The error entry shows a failure while the first and second entries show success.
>>>>> 
>>>>> I’m a bit baffled because in the kea-dhcp-ddns.conf, the forward and reverse are configured nearly the same and reference the same key to allow updates:
>>>>> "DhcpDdns":
>>>>> {
>>>>>   "ip-address": "127.0.0.1",
>>>>>   "port": 53001,
>>>>>   "control-socket": {
>>>>>       "socket-type": "unix",
>>>>>       "socket-name": "/tmp/kea-ddns-ctrl-socket"
>>>>>   },
>>>>> 
>>>>>   <?include "/etc/kea/tsig-keys.json"?>
>>>>> 
>>>>>   "forward-ddns" : {
>>>>>         "ddns-domains": [
>>>>>             {
>>>>>                 "name": "totusmel.com.",
>>>>>                 "key-name": "ddns-key",
>>>>>                 "dns-servers": [
>>>>>                     {
>>>>>                         "ip-address": "192.168.10.3",
>>>>>                         "port": 53
>>>>>                     }
>>>>>                 ]
>>>>>             }
>>>>>         ]
>>>>>     },
>>>>> 
>>>>>   "reverse-ddns" : {
>>>>>         "ddns-domains": [
>>>>>             {
>>>>>                 "name": "10.168.192.in-addr.arpa.",
>>>>>                 "key-name": "ddns-key",
>>>>>                 "dns-servers": [
>>>>>                     {
>>>>>                         "ip-address": "192.168.10.3",
>>>>>                         "port": 53
>>>>>                     }
>>>>>                 ]
>>>>>             }
>>>>>         ]
>>>>>     }
>>>>> }
>>>>> 
>>>>> 
>>>>> I’m also expecting there to be a .jnl file for the zone file in /var/lib/bind/ where the zone files reside, but the .jnl file I’m expecting never gets generated:
>>>>> root at raspi:/var/lib/bind# ls -la db*
>>>>> -rw-r--r-- 1 bind bind  6169 Jan 27 16:37 db.10.168.192.in-addr.arpa
>>>>> -rw-r--r-- 1 bind bind   295 Nov  6  2022 db.20.168.192.in-addr.arpa
>>>>> -rw-r--r-- 1 bind bind   347 Nov  6  2022 db.30.168.192.in-addr.arpa
>>>>> -rw-r--r-- 1 bind bind   278 Nov  6  2022 db.40.168.192.in-addr.arpa
>>>>> -rw-r--r-- 1 bind bind   276 Nov  6  2022 db.50.168.192.in-addr.arpa
>>>>> -rw-r--r-- 1 bind bind  1082 Jan 25 20:08 db.lab.totusmel.com
>>>>> -rw-r--r-- 1 bind bind  1372 Jan 25 19:56 db.lab.totusmel.com.jnl
>>>>> -rw-r--r-- 1 bind bind 22676 Jan 28 02:41 db.totusmel.com
>>>>> -rw-r--r-- 1 bind bind  3872 Jan 28 02:28 db.totusmel.com.jnl
>>>>> 
>>>>> Does anyone have any thoughts or suggestions on what might be wrong?  I can provide more information if needed, I just included the bits that I thought were relevant.
>>>>> 
>>>>> Any thoughts or suggestions would be greatly appreciated!
>>>>> 
>>>>> -Ubence
>>>>> 
>>>>> -- 
>>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>> 
>>>>> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>>>>> 
>>>>> Kea-users mailing list
>>>>> Kea-users at lists.isc.org
>>>>> https://lists.isc.org/mailman/listinfo/kea-users
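As an added example (not code from the thread, from Kea, or from BIND), the following Python script performs the two checks this thread turns on: decoding the RCODE in the DHCP_DDNS_REVERSE_REPLACE_REJECTED line and confirming the lease's PTR name falls inside a configured reverse ddns-domain, and computing the RFC 4701 DHCID that Kea's conflict resolution compares with the record already in the zone. It assumes the standard RCODE names from RFC 1035/2136 and the RFC 4701 DHCID construction (identifier type 0, SHA-256); the ddns-domain suffix match is a reimplementation of the behaviour the Kea ARM describes, not Kea's own code; the sample log line, addresses and MAC addresses are constructed.

```python
"""Triage helpers for a rejected Kea DDNS reverse update.

Added example, not code from the thread, Kea or BIND.  Two checks:
  1. decode the RCODE in a DHCP_DDNS_*_REJECTED line and confirm the PTR
     name for the lease falls inside a configured reverse ddns-domain;
  2. compute the RFC 4701 DHCID that Kea stores next to A/PTR records,
     which is what conflict resolution compares with the existing record.
Sample log line, addresses and MAC addresses are constructed.
"""
import base64
import hashlib
import ipaddress
import re

# Standard DNS RCODE names (RFC 1035 / RFC 2136).  5 = REFUSED means the
# server declined the update (policy or TSIG); 8 = NXRRSET means an
# "RRset exists" prerequisite failed.  Different causes, different fixes.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}

# Matches the ERROR line format shown in the thread's journalctl output.
REJECT_RE = re.compile(
    r"ERROR (?P<event>DHCP_DDNS_\w+_REJECTED) .*?Server, (?P<server>[\d.]+) "
    r"port:(?P<port>\d+), .*?FQDN, (?P<fqdn>\S+), with an RCODE: (?P<rcode>\d+)")

# Constructed from the thread's log line (request ID shortened).
SAMPLE_LOG = ("Jan 27 16:28:37 raspi kea-dhcp-ddns[1542846]: ERROR "
              "DHCP_DDNS_REVERSE_REPLACE_REJECTED DNS Request ID 000001F1...2979: "
              "Server, 192.168.10.3 port:53, rejected a DNS update request to "
              "replace the reverse mapping for FQDN, lg-washer.totusmel.com., "
              "with an RCODE: 5")
# Reverse ddns-domains as configured in the thread's kea-dhcp-ddns.conf.
REVERSE_DOMAINS = ["10.168.192.in-addr.arpa."]


def parse_rejection(line):
    """Return server, FQDN and decoded RCODE from a kea-dhcp-ddns ERROR line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    code = int(m.group("rcode"))
    return {"event": m.group("event"), "server": m.group("server"),
            "port": int(m.group("port")), "fqdn": m.group("fqdn"),
            "rcode": code, "rcode_name": RCODES.get(code, "UNKNOWN")}


def reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 74.10.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def matching_ddns_domain(name, domains):
    """Longest configured ddns-domain that is a label-aligned suffix of name.

    Assumption: mirrors the suffix match the Kea ARM describes for picking
    a ddns-domain; this is a reimplementation, not Kea's code.
    """
    labels = name.lower().rstrip(".").split(".")
    best, best_len = None, 0
    for dom in domains:
        dl = dom.lower().rstrip(".").split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl and len(dl) > best_len:
            best, best_len = dom, len(dl)
    return best


def triage(line, lease_ip, reverse_domains):
    """Combine both checks for one rejected reverse update."""
    result = parse_rejection(line)
    if result is None:
        return None
    result["reverse_name"] = reverse_name(lease_ip)
    result["ddns_domain"] = matching_ddns_domain(result["reverse_name"], reverse_domains)
    return result


def canonical_wire_name(fqdn):
    """RFC 4034 s6.2 canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in fqdn.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dhcid_v4_chaddr(htype, chaddr, fqdn):
    """RFC 4701 DHCID RDATA for identifier type 0x0000 (DHCPv4 htype + chaddr).

    Returns (hex, base64): hex is how kea-dhcp-ddns logs the DHCID,
    base64 is the zone-file presentation format.
    """
    identifier = bytes([htype]) + bytes(chaddr)
    digest = hashlib.sha256(identifier + canonical_wire_name(fqdn)).digest()
    rdata = b"\x00\x00" + b"\x01" + digest   # id-type 0, digest-type 1 (SHA-256)
    return rdata.hex().upper(), base64.b64encode(rdata).decode("ascii")


def dhcid_matches_zone_record(zone_rdata_b64, htype, chaddr, fqdn):
    """True when the DHCID Kea would compute equals the DHCID stored in DNS.
    A record written by another DHCP server, or for another client, fails here."""
    return dhcid_v4_chaddr(htype, chaddr, fqdn)[1] == zone_rdata_b64.strip()


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "192.168.10.74", REVERSE_DOMAINS))
    print(dhcid_v4_chaddr(1, bytes.fromhex("010203040506"), "client.example.com"))
```

RCODE 5 decodes to REFUSED, the nameserver declining the update outright (update policy or TSIG), which is a different failure from the NXRRSET the BIND log reports at 15:55:15, where a prerequisite on the PTR RRset was not satisfied. The DHCID comparison is the check that ddns-use-conflict-resolution enforces: a PTR whose companion record was written by a different DHCP server never matches, so removing the stale record, as suggested above, keeps the protection in place rather than disabling it.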
