[Kea-users] Kea DDNS - Forward Updates work, but reverse do not?

Ubence Quevedo (thatrat) thatrat at gmail.com
Mon Jan 29 13:51:02 UTC 2024


Yes, I think that might be the case.

I did change it to be just PTR DHCID instead of just ANY [didn’t want to leave it too open].

So far, it seems to be working: as the leases expire or systems are accessed, it's triggering the whole process properly, as I'm expecting.

It’ll gradually stabilize by filling in all of the missing hostnames.

Anyone know how to just terminate all of the leases from the server and force the clients to check back in?  That would be ideal to get everything re-populated quickly.

-Ubence

> On Jan 29, 2024, at 5:46 AM, Bob Harold <rharolde at umich.edu> wrote:
> 
> 
> 
> On Sun, Jan 28, 2024 at 10:42 PM Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>> So, I think the ANY in the update policy worked in the reverse zone?
>> 
>> I’m not getting errors any longer and the zone file is getting populated with records similar to how the main zone is.
>> 
>> Previously in the reverse zone with how things were configured, there weren't any DHCID records, but there are now.
>> 
>> I still find it bizarre that it worked perfectly with PTR before but only seems to work with ANY in the zone update-policy definition.
>> 
>> -Ubence
> 
> I have not tried Kea, so this is all speculation, but since Kea was a complete rewrite, the new author might have made different assumptions. DHCPD might have assumed that "PTR" permissions included the extra "TXT" record for the DHCID, but Kea might not have assumed that, and needs "ANY" (or PTR plus TXT somehow?) to write the TXT record?
> 
> -- 
> Bob Harold
>  
>> 
>>> On Jan 28, 2024, at 6:51 PM, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>> 
>>> I decided to freeze the main zone and purge out any of the dhcp created host entries and let things repopulate again to see if the host record needed to be generated from Kea in order to properly create the reverse zone records.  It was also a great opportunity to prune out old host records that no longer exist.
>>> 
>>> I also changed the 10.168.192.in-addr.arpa zone update-policy type from PTR to ANY in hopes that might change something.
>>> 
>>> Below is the config for both the forward lookup zone and reverse in my bind config:
>>> zone "totusmel.com" {
>>>   type master;
>>>   forwarders {};
>>>   file "/var/lib/bind/db.totusmel.com";
>>>   update-policy {
>>>     grant ddns-key wildcard *.totusmel.com A DHCID;
>>>   };
>>>   notify yes;
>>>   allow-transfer { 192.168.10.173; };
>>>   zone-statistics yes;
>>> };
>>> 
>>> zone "10.168.192.in-addr.arpa" {
>>>   type master;
>>>   forwarders {};
>>>   file "/var/lib/bind/db.10.168.192.in-addr.arpa";
>>>   update-policy {
>>>     grant ddns-key wildcard *.10.168.192.in-addr.arpa ANY;
>>>   };
>>>   zone-statistics yes;
>>> };
>>> 
>>> What baffles me is that this worked perfectly with dhcpd. Both zones dynamically updated and had .jnl files to write the dynamic changes into the zone file periodically.
>>> 
>>> I thought maybe this might be because this is with Kea 2.0.2 on this arm Ubuntu system, but I’m running into the same problem on another system I have that is running Kea 2.4.1, so it’s got to be some type of configuration problem that’s causing things.
>>> 
>>> I’m going to let things run and see if these changes have made any difference.
>>> 
>>> Is anyone else doing the ddns updates with bind similar to how I'm doing it? Is it working properly for you?
>>> 
>>> I can provide more of my Kea and bind configs if that might help narrow things down.
>>> 
>>> -Ubence
>>> 
>>> 
>>>> On Jan 28, 2024, at 1:32 PM, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>>> 
>>>> Thanks for the comments.
>>>> 
>>>> That's just it though, the reverse record doesn't currently exist.
>>>> 
>>>> What I'm going to do is delete all of the reverse records that dhcpd created, and see how things behave on update. 
>>>> 
>>>> I’ll let that run for a bit and see if that might have been it.
>>>> 
>>>> -Ubence
>>>> 
>>>>> On Jan 28, 2024, at 1:02 PM, Sten Carlsen <stenc at s-carlsen.dk> wrote:
>>>>> 
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Sten
>>>>> 
>>>>>> On 28 Jan 2024, at 20.23, Rick Frey <gribnut at gmail.com> wrote:
>>>>>> 
>>>>>> I’ve not used/tested, but I overlooked Kea DDNS server option "ddns-use-conflict-resolution” that may allow you to overwrite DNS records that don’t match DHCID.   Default is true (doesn't overwrite if DHCID doesn’t match).  You might be able to set to false to allow Kea to overwrite non-matching forward and reverse records.   Would be safer to manually delete the conflict and leave at default behavior if you don’t want Kea to blindly write over any records not added/updated by Kea in your DNS zones.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> See https://kea.readthedocs.io/en/kea-2.4.1/arm/dhcp4-srv.html#dhcp4-ddns-config
>>>>>> 
>>>>>> 
>>>>>>> On Jan 28, 2024, at 12:51, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>>>>>> 
>>>>>>> Thanks for the response, I took a look at the ddns log file I have setup on my bind 9 server and found the following:
>>>>>>> 27-Jan-2024 15:55:15.083 update: info: client @0xffff7c339b18 192.168.10.3#50944/key ddns-key: updating zone 'totusmel.com/IN': deleting an RR at lg-washer.totusmel.com A
>>>>>>> 27-Jan-2024 15:55:15.123 update: info: client @0xffff6c2c4228 192.168.10.3#56549/key ddns-key: updating zone 'totusmel.com/IN': delete all rrsets from name 'lg-washer.totusmel.com'
>>>>>>> 27-Jan-2024 15:55:15.143 update: info: client @0xffff702ec848 192.168.10.3#34817/key ddns-key: updating zone '10.168.192.in-addr.arpa/IN': update unsuccessful: 74.10.168.192.in-addr.arpa/PTR: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>>>>> 
>>>>> My guess is that this RR was left by the now removed DHCPD. Dhcpd also leaves a TXT record with a value that allows it to verify that it did create this record, and if this record is not present or has a different value, it will not touch that RR. I guess that KEA makes that record calculation somewhat differently than dhcpd does, so the two will not remove the other system's RRs.
>>>>>  
>>>>>>> 
>>>>>>> It seems to be the same output as journalctl but through bind’s terminology.
>>>>>>> 
>>>>>>> I’m pretty sure the forward zone is getting updated properly since there’s a .jnl file and the serial number in the zone file is incrementing.
>>>>>>> 
>>>>>>> For some reason, the below section got stripped out in the response:
>>>>>>> The relevant section from the kea-dhcp4.conf:
>>>>>>>     "dhcp-ddns": {
>>>>>>>       "enable-updates": true
>>>>>>>     },
>>>>>>>     "ddns-qualifying-suffix": "totusmel.com",
>>>>>>>     "ddns-override-client-update": true,
>>>>>>> 
>>>>>>> Do I also need to add reverse zone 10.168.192.in-addr.arpa to the kea-dhcp4.conf?
>>>>>>> 
>>>>>>> Any other thoughts or comments on this would be appreciated!
>>>>>>> 
>>>>>>> -Ubence
>>>>>>> 
>>>>>>>> On Jan 28, 2024, at 10:11 AM, Rick Frey <gribnut at gmail.com> wrote:
>>>>>>>> 
>>>>>>>> The DNS response of RCODE 5 by your nameserver indicates the submitted DDNS update was refused by the nameserver. May want to check your nameserver logs for cause. Guessing it is not allowing your TSIG key used by Kea to make updates to the 10.168.192.in-addr.arpa zone.
>>>>>>>> BIND will not create a .jnl file until the first successful dynamic update (from any DDNS client). Assuming this is a new BIND server as well since the jnl file for your reverse zone does not yet exist.
>>>>>>>> 
>>>>>>>>> On Jan 28, 2024, at 05:37, Ubence Quevedo (thatrat) <thatrat at gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi All,
>>>>>>>>> 
>>>>>>>>> I’ve recently converted from the older ISC dhcpd with dynamic DNS configured and working properly with updating forward and reverse entries, but after converting to Kea, I can only get the forward entries to work and the reverse entries do not update.
>>>>>>>>> 
>>>>>>>>> This is a raspberry pi 4b running Ubuntu 22.04 LTS with Kea 2.0.2.  I can’t run the latest version since this is an arm system.
>>>>>>>>> 
>>>>>>>>> From what I can tell, things *look* correct, but when I do a journalctl -xeu kea-dhcp-ddns-server, in the below snippet, I get the following:
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: INFO  DHCP_DDNS_REMOVE_SUCCEEDED DHCP_DDNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: successfully removed the DNS mapping addition for this request: Type: 1 (CHG_REMOVE)
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Forward Change: yes
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Reverse Change: yes
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: FQDN: [lg-washer.totusmel.com.]
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: IP Address: [192.168.10.74]
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: DHCID: [000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979]
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Lease Expires On: 20240127223510
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Lease Length: 2400
>>>>>>>>> Jan 27 15:55:15 raspi kea-dhcp-ddns[1542846]: Conflict Resolution: yes
>>>>>>>>> Jan 27 16:28:37 raspi kea-dhcp-ddns[1542846]: ERROR DHCP_DDNS_REVERSE_REPLACE_REJECTED DNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: Server, 192.168.10.3 port:53, rejected a DNS update request to replace the reverse mapping for FQDN, lg-washer.totusmel.com., with an RCODE: 5
>>>>>>>>> Jan 27 16:28:37 raspi kea-dhcp-ddns[1542846]: ERROR DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979: Transaction outcome Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: completed,  Reverse change: failed,  request: Type: 0 (CHG_ADD)
>>>>>>>>> 
>>>>>>>>> The error entry shows a failure while the first and second entries show success.
>>>>>>>>> 
>>>>>>>>> I’m a bit baffled because in the kea-dhcp-ddns.conf, the forward and reverse are configured nearly the same and reference the same key to allow updates:
>>>>>>>>> "DhcpDdns":
>>>>>>>>> {
>>>>>>>>>   "ip-address": "127.0.0.1",
>>>>>>>>>   "port": 53001,
>>>>>>>>>   "control-socket": {
>>>>>>>>>     "socket-type": "unix",
>>>>>>>>>     "socket-name": "/tmp/kea-ddns-ctrl-socket"
>>>>>>>>>   },
>>>>>>>>> 
>>>>>>>>>   <?include "/etc/kea/tsig-keys.json"?>
>>>>>>>>> 
>>>>>>>>>   "forward-ddns" : {
>>>>>>>>>     "ddns-domains": [
>>>>>>>>>       {
>>>>>>>>>         "name": "totusmel.com.",
>>>>>>>>>         "key-name": "ddns-key",
>>>>>>>>>         "dns-servers": [
>>>>>>>>>           {
>>>>>>>>>             "ip-address": "192.168.10.3",
>>>>>>>>>             "port": 53
>>>>>>>>>           }
>>>>>>>>>         ]
>>>>>>>>>       }
>>>>>>>>>     ]
>>>>>>>>>   },
>>>>>>>>> 
>>>>>>>>>   "reverse-ddns" : {
>>>>>>>>>     "ddns-domains": [
>>>>>>>>>       {
>>>>>>>>>         "name": "10.168.192.in-addr.arpa.",
>>>>>>>>>         "key-name": "ddns-key",
>>>>>>>>>         "dns-servers": [
>>>>>>>>>           {
>>>>>>>>>             "ip-address": "192.168.10.3",
>>>>>>>>>             "port": 53
>>>>>>>>>           }
>>>>>>>>>         ]
>>>>>>>>>       }
>>>>>>>>>     ]
>>>>>>>>>   }
>>>>>>>>> }
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I’m also expecting there to be a .jnl file for the zone file in /var/lib/bind/ where the zone files reside, but the .jnl file I’m expecting never gets generated:
>>>>>>>>> root at raspi:/var/lib/bind# ls -la db*
>>>>>>>>> -rw-r--r-- 1 bind bind  6169 Jan 27 16:37 db.10.168.192.in-addr.arpa
>>>>>>>>> -rw-r--r-- 1 bind bind   295 Nov  6  2022 db.20.168.192.in-addr.arpa
>>>>>>>>> -rw-r--r-- 1 bind bind   347 Nov  6  2022 db.30.168.192.in-addr.arpa
>>>>>>>>> -rw-r--r-- 1 bind bind   278 Nov  6  2022 db.40.168.192.in-addr.arpa
>>>>>>>>> -rw-r--r-- 1 bind bind   276 Nov  6  2022 db.50.168.192.in-addr.arpa
>>>>>>>>> -rw-r--r-- 1 bind bind  1082 Jan 25 20:08 db.lab.totusmel.com
>>>>>>>>> -rw-r--r-- 1 bind bind  1372 Jan 25 19:56 db.lab.totusmel.com.jnl
>>>>>>>>> -rw-r--r-- 1 bind bind 22676 Jan 28 02:41 db.totusmel.com
>>>>>>>>> -rw-r--r-- 1 bind bind  3872 Jan 28 02:28 db.totusmel.com.jnl
>>>>>>>>> 
>>>>>>>>> Does anyone have any thoughts or suggestions on what might be wrong?  I can provide more information if needed, I just included the bits that I thought were relevant.
>>>>>>>>> 
>>>>>>>>> Any thoughts or suggestions would be greatly appreciated!
>>>>>>>>> 
>>>>>>>>> -Ubence
>>>>>>>>> 
>>>>>>>>> -- 
>>>>>>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>>>>>> 
>>>>>>>>> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>>>>>>>>> 
>>>>>>>>> Kea-users mailing list
>>>>>>>>> Kea-users at lists.isc.org <mailto:Kea-users at lists.isc.org>
>>>>>>>>> https://lists.isc.org/mailman/listinfo/kea-users
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
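The thread settles on changing the reverse zone's update-policy from `PTR` to `PTR DHCID`, and the list entries show why: once the key was allowed to write anything, DHCID records appeared in the reverse zone, so Kea is writing a DHCID next to each PTR, and a grant that covers only PTR causes BIND to refuse the whole update (the RCODE 5 in the Kea log). The following is an added example, not code from the thread, from BIND or from Kea: a small Python model of how a BIND `update-policy` grant is applied to the records in one DNS UPDATE, used to compare the three policies that appear above (PTR only, ANY, and PTR DHCID) against the reverse-zone update Kea sends. It assumes BIND's documented behaviour that a rule matches only when identity, name and RR type all match and that the entire update is refused if any record in it is not permitted; wildcard matching and BIND's default type set are simplified, and the grant helper requires types to be listed explicitly.

```python
"""Model of a BIND update-policy check applied to the RRs in one DNS UPDATE (simplified)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

RCODE_NOERROR = 0
RCODE_REFUSED = 5  # the "RCODE: 5" in the kea-dhcp-ddns log quoted in the thread


@dataclass(frozen=True)
class Grant:
    """One 'grant <identity> wildcard <name> <types>;' rule. Only the wildcard nametype is modelled."""
    identity: str           # TSIG key name the update must be signed with
    wildcard: str           # e.g. "*.10.168.192.in-addr.arpa"
    types: FrozenSet[str]   # RR types this rule permits; {"ANY"} permits every type


def grant(identity: str, wildcard: str, *types: str) -> Grant:
    """Build a Grant; types must be explicit (BIND's default type set is not modelled here)."""
    if not types:
        raise ValueError("list the RR types explicitly, e.g. 'PTR', 'DHCID' or 'ANY'")
    return Grant(identity, wildcard, frozenset(t.upper() for t in types))


def _canon(name: str) -> str:
    return name.rstrip(".").lower()


def wildcard_matches(pattern: str, name: str) -> bool:
    """'*.suffix' matches any name with at least one label left of suffix; the apex itself does not match.
    Assumption: multi-label names match too, as with DNS wildcard expansion."""
    pat, nm = _canon(pattern), _canon(name)
    if not pat.startswith("*."):
        raise ValueError("only '*.suffix' patterns are modelled")
    suffix = pat[1:]  # ".10.168.192.in-addr.arpa"
    return nm.endswith(suffix) and len(nm) > len(suffix)


def rr_allowed(policy: Sequence[Grant], key: str, name: str, rrtype: str) -> bool:
    """Rules are scanned in order; a rule matches only when identity, name and type all match,
    and the first match decides. No matching rule means the record is not permitted."""
    rrtype = rrtype.upper()
    for g in policy:
        if g.identity != key or not wildcard_matches(g.wildcard, name):
            continue
        if "ANY" in g.types or rrtype in g.types:
            return True
    return False


def check_update(policy: Sequence[Grant], key: str,
                 update_rrs: Sequence[Tuple[str, str]]) -> Tuple[int, List[Tuple[str, str]]]:
    """BIND refuses the entire UPDATE with REFUSED if any record in its update section is not
    permitted. Returns (rcode, offending (name, type) pairs)."""
    rejected = [(n, t) for n, t in update_rrs if not rr_allowed(policy, key, n, t)]
    return (RCODE_REFUSED if rejected else RCODE_NOERROR, rejected)


# What the thread shows Kea writing: a PTR plus a DHCID in the reverse zone,
# and an A plus a DHCID in the forward zone (names taken from the quoted logs).
KEA_REVERSE_REPLACE = [
    ("74.10.168.192.in-addr.arpa.", "PTR"),
    ("74.10.168.192.in-addr.arpa.", "DHCID"),
]
KEA_FORWARD_ADD = [
    ("lg-washer.totusmel.com.", "A"),
    ("lg-washer.totusmel.com.", "DHCID"),
]

# The policies that appear in the thread.
POLICY_PTR_ONLY = [grant("ddns-key", "*.10.168.192.in-addr.arpa", "PTR")]      # original: refused
POLICY_ANY = [grant("ddns-key", "*.10.168.192.in-addr.arpa", "ANY")]           # first fix: too broad
POLICY_PTR_DHCID = [grant("ddns-key", "*.10.168.192.in-addr.arpa", "PTR", "DHCID")]  # least privilege
POLICY_FORWARD = [grant("ddns-key", "*.totusmel.com", "A", "DHCID")]           # forward zone, unchanged

if __name__ == "__main__":
    for label, policy in [("PTR only", POLICY_PTR_ONLY), ("ANY", POLICY_ANY), ("PTR DHCID", POLICY_PTR_DHCID)]:
        rcode, bad = check_update(policy, "ddns-key", KEA_REVERSE_REPLACE)
        print(f"reverse zone, grant {label:10s}: rcode={rcode} refused={bad}")
    print("forward zone, grant A DHCID:", check_update(POLICY_FORWARD, "ddns-key", KEA_FORWARD_ADD))
```

The `PTR DHCID` grant admits exactly the two record types Kea needs and nothing else, which is the property to check before reaching for `ANY`: with `ANY`, the same TSIG key could also rewrite NS or other records under the reverse zone if it were ever compromised on the DHCP host.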

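Sten's remark about dhcpd leaving a TXT record and Rick's pointer to ddns-use-conflict-resolution both turn on the DHCID record. As an added example, not code from the thread or from Kea's own source, here is how an RFC 4701 DHCID RDATA is built in Python. It is the record Kea writes alongside the A and PTR records, and the hex value it prints as the Request ID and DHCID in the quoted log: the leading bytes 0000 01 of that value are the identifier type (htype followed by the hardware address) and the digest type (SHA-256). ISC dhcpd's older "interim" update style stored its own MD5-based hash in a TXT record rather than a DHCID RR, so records it created carry no DHCID for Kea to match. The MAC address in the block is a constructed example; the hostname is the one from the thread. The conflict_check function states the RFC 4703 forward-add decision that conflict resolution enforces: a name that already exists without a matching DHCID is treated as owned by someone else and left alone, which is the behaviour ddns-use-conflict-resolution set to false would switch off.

```python
"""RFC 4701 DHCID resource record: the identity hash Kea stores next to A and PTR records."""
import base64
import hashlib
from typing import Optional

# Hex DHCID copied from the kea-dhcp-ddns log quoted in the thread (RDATA as Kea prints it).
KEA_LOG_DHCID_HEX = "000001F16C84BB0E8343A9B37FA2789333DAFE841ED32B93F538FC22A0F905170D2979"

ID_TYPE_HTYPE_CHADDR = 0x0000  # 1-octet htype followed by chaddr (DHCPv4 client without a client-id)
ID_TYPE_CLIENT_ID = 0x0001     # DHCPv4 client identifier (option 61) contents
ID_TYPE_DUID = 0x0002          # DHCPv6 DUID
DIGEST_SHA256 = 0x01           # the only digest type RFC 4701 defines
SHA256_LEN = 32


def fqdn_wire(fqdn: str) -> bytes:
    """Canonical wire form of a name (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    out = bytearray()
    for label in fqdn.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dhcid_rdata(identifier: bytes, fqdn: str, id_type: int) -> bytes:
    """RDATA = identifier type (2 octets) | digest type (1 octet) | SHA-256(identifier | FQDN wire form)."""
    digest = hashlib.sha256(identifier + fqdn_wire(fqdn)).digest()
    return id_type.to_bytes(2, "big") + bytes([DIGEST_SHA256]) + digest


def dhcid_from_mac(mac: str, fqdn: str, htype: int = 1) -> bytes:
    """Identifier type 0x0000: htype (1 = Ethernet) followed by the hardware address, as in the Kea log."""
    chaddr = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return dhcid_rdata(bytes([htype]) + chaddr, fqdn, ID_TYPE_HTYPE_CHADDR)


def dhcid_from_client_id(client_id: bytes, fqdn: str) -> bytes:
    """Identifier type 0x0001: the raw DHCPv4 client identifier option data."""
    return dhcid_rdata(client_id, fqdn, ID_TYPE_CLIENT_ID)


def to_presentation(rdata: bytes) -> str:
    """Zone-file form of a DHCID RR is the base64 of its RDATA."""
    return base64.b64encode(rdata).decode("ascii")


def from_presentation(text: str) -> bytes:
    return base64.b64decode(text)


def parse_dhcid(rdata: bytes) -> dict:
    """Split RDATA into its fields; rejects anything that is not a SHA-256 DHCID."""
    if len(rdata) != 3 + SHA256_LEN or rdata[2] != DIGEST_SHA256:
        raise ValueError("not a SHA-256 DHCID RDATA")
    return {"id_type": int.from_bytes(rdata[:2], "big"), "digest_type": rdata[2], "digest": rdata[3:]}


def conflict_check(name_exists: bool, existing_dhcid: Optional[bytes], expected: bytes) -> str:
    """RFC 4703 forward add with conflict resolution on:
    'add'      the name does not exist, so the A and DHCID can be created;
    'replace'  the name exists and its DHCID matches this client, so the A can be replaced;
    'conflict' the name exists with no DHCID or another client's DHCID, so it is left alone."""
    if not name_exists:
        return "add"
    if existing_dhcid is not None and existing_dhcid == expected:
        return "replace"
    return "conflict"


if __name__ == "__main__":
    # Constructed values: a locally administered example MAC, the hostname from the thread.
    mac = "02:00:5e:10:00:74"
    fqdn = "lg-washer.totusmel.com."
    rdata = dhcid_from_mac(mac, fqdn)
    print("hex, as Kea logs it:", rdata.hex().upper())
    print("zone file:", f"{fqdn} IN DHCID ( {to_presentation(rdata)} )")
    print("fields of the logged DHCID:", parse_dhcid(bytes.fromhex(KEA_LOG_DHCID_HEX)))
    print("record left by another server, no DHCID:", conflict_check(True, None, rdata))
```

Because the hash covers both the client identity and the lowercased FQDN, a host that keeps its MAC but is renamed gets a different DHCID, and a record at the old name will only be reclaimed through the removal path, not overwritten by the add.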