dynamic update reverse zone?

Alexandre Paradis alexandre at optiksecurite.com
Fri Feb 15 19:33:53 UTC 2008


Kevin Darcy wrote:
> Alexandre Paradis wrote:
>   
>> Kevin Darcy wrote:
>>     
>>> Alexandre Paradis wrote:
>>>       
>>>> Konigs Carl wrote:
>>>>         
>>>>> Verify write permission of "/etc/namedb/dynamic/revlan.bureau.own"
>>>>> Try nsupdate on your reverse zone, does it work?
>>>>>
>>>>> -----Original Message-----
>>>>> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>>>>> Behalf Of Alexandre Paradis
>>>>> Sent: 13 February 2008 20:40
>>>>> To: bind-users at isc.org
>>>>> Subject: dynamic update reverse zone?
>>>>>
>>>>> Hi, I have some problems with my dynamic update between the DHCP 
>>>>> and DNS. I'm able to update my "normal" zone, but the reverse zone 
>>>>> won't update.
>>>>>
>>>>> Here's my dhcpd.conf
>>>>>
>>>>>
>>>>> # dhcpd.conf
>>>>>
>>>>> ddns-hostname = pick (option fqdn.hostname, option host-name, concat
>>>>> ("dhcp-", binary-to-ascii (10, 8, "-", leased-address)));
>>>>> option host-name = config-option server.ddns-hostname;
>>>>>
>>>>> option domain-name "bureau.own";
>>>>> option domain-name-servers 69.69.68.1;
>>>>> default-lease-time 600;
>>>>> max-lease-time 7200;
>>>>> authoritative;
>>>>> #ping-check false;
>>>>> #DDNS
>>>>> ddns-updates on;
>>>>> ddns-update-style interim;
>>>>> ddns-domainname "bureau.own";
>>>>> #ignore client-updates;
>>>>> ddns-ttl 120;
>>>>> ddns-rev-domainname "in-addr.arpa";
>>>>> allow client-updates;
>>>>>
>>>>> subnet 69.69.68.0 netmask 255.255.255.0 {
>>>>> range 69.69.68.100 69.69.68.145;
>>>>> option routers 69.69.68.1;
>>>>> option broadcast-address 69.69.68.255;
>>>>> }
>>>>>
>>>>> key marjo {
>>>>> algorithm HMAC-MD5;
>>>>> secret <mykey>;
>>>>> }
>>>>>
>>>>> zone bureau.own. {
>>>>> primary 69.69.68.1;
>>>>> key marjo;
>>>>> }
>>>>>
>>>>> zone 68.69.69.in-addr-arpa. {
>>>>> primary 69.69.68.1;
>>>>> key marjo;
>>>>> }
>>>>>
>>>>> This is my named.conf
>>>>>
>>>>>
>>>>> key marjo {
>>>>> algorithm HMAC-MD5;
>>>>> secret "<mykey>";
>>>>> };
>>>>>
>>>>> # ACL for the different interfaces
>>>>> acl lan { 69.69.68.0/24; 127.0.0.1; };
>>>>> # acl dmz { 1.2.3.4/24; };
>>>>>
>>>>> options {
>>>>> // Relative to the chroot directory, if any
>>>>> directory "/etc/namedb";
>>>>> pid-file "/var/run/named/pid";
>>>>> dump-file "/var/dump/named_dump.db";
>>>>> statistics-file "/var/stats/named.stats";
>>>>> version "haha oh wow!";
>>>>> recursion yes;
>>>>> allow-recursion {69.69.68.0/24; 127.0.0.1; };
>>>>> listen-on { 127.0.0.1; 69.69.68.1; };
>>>>> allow-query { lan; };
>>>>> forwarders {69.69.69.1; };
>>>>> };
>>>>> controls {
>>>>> inet 127.0.0.1 port 953
>>>>> allow { 127.0.0.1; 69.69.68.1; } keys { "marjo";};
>>>>> };
>>>>>
>>>>> view lan {
>>>>>
>>>>> zone "." {
>>>>> type hint;
>>>>> file "named.root";
>>>>> };
>>>>>
>>>>> match-clients {lan; };
>>>>>
>>>>> zone "bureau.own"{
>>>>> type master;
>>>>> notify no;
>>>>> file "/etc/namedb/dynamic/lan.bureau.own";
>>>>> //allow-transfer {127.0.0.1; };
>>>>> allow-update { key marjo; };
>>>>> };
>>>>>
>>>>> zone "68.69.69.in-addr.arpa" {
>>>>> type master;
>>>>> notify no;
>>>>> file "/etc/namedb/dynamic/revlan.bureau.own";
>>>>> //allow-transfer {127.0.0.1; };
>>>>> allow-update { key marjo; };
>>>>> };
>>>>>
>>>>> };
>>>>>
>>>>>
>>>>> I tried with dhclient.conf on the client side with
>>>>>
>>>>> interface "xl0" {
>>>>> send host-name "alexBSD";
>>>>> }
>>>>>
>>>>> It changed nothing.
>>>>>
>>>>> Any idea?
>>>>>
>>>> No, it didn't work. I've checked my permissions, and they are OK now.
>>>> Also, there is no .jnl file for my reverse zone.
>>>>         
>>> You say the nsupdate didn't work. Were you using the "marjo" TSIG 
>>> key? What kind of failure did you get (NOTAUTH, REFUSED, BADKEY, 
>>> something else)? You need to provide more detail on each 
>>> troubleshooting step if you want a speedy resolution to this problem.
>>>
>>> Also, is there anything in the log about problems with the reverse 
>>> zone when you start or reload named?
>>>
>>> - Kevin
>>>
>> When I try to do a manual update with nsupdate, the error is "BADKEY", 
>> but I looked again and again at all my keys, and everything seems to be OK.
>>
>> Now I have this error in my log:
>>
>> Feb 15 10:06:33 marjo dhcpd: icmp_echorequest 69.69.68.140: Operation 
>> not permitted
>> Feb 15 10:06:36 marjo named[71266]: client 69.69.68.1#52856: update 
>> '68.69.69.in-addr.arpa/IN' denied
>> Feb 15 10:06:36 marjo dhcpd: unable to add reverse map from 
>> 140.68.69.69.in-addr.arpa to alexBSD.bureau.own: timed out
>>
>> I took the public key instead of the private key in the dhcp and bind 
>> conf.
>>     
> TSIG uses shared-key crypto; there is no "public" and "private".
>
> What is alexBSD.bureau.own? I'm assuming that's what's in the SOA.MNAME 
> for 68.69.69.in-addr.arpa. Looks like your DHCP server can't talk to it.
>
> - Kevin
>
I found the problem.

In my dhcpd.conf, I have:

ddns-rev-domainname "in-addr.arpa";

and:

zone 68.69.69.in-addr-arpa. {

I mistyped in-addr.arpa with a "-".

Thank you all for your help!
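As an added example (not code from this thread or from ISC), a small Python cross-check of dhcpd.conf against named.conf that would have flagged this typo: it pulls the zone statements out of both files, rejects reverse zone names that are not of the form *.in-addr.arpa, reports dhcpd zones that have no matching zone in named.conf, and derives the reverse zone each subnet declaration needs. The config fragments are copied from the thread; the regexes only handle the simple layouts shown here and are an assumption, not a full parser for either file.

```python
import re

# Constructed sample fragments copied from the dhcpd.conf and named.conf posted
# in this thread, including the reverse-zone typo that caused the failure.
DHCPD_CONF = """
subnet 69.69.68.0 netmask 255.255.255.0 { range 69.69.68.100 69.69.68.145; }
zone bureau.own. { primary 69.69.68.1; key marjo; }
zone 68.69.69.in-addr-arpa. { primary 69.69.68.1; key marjo; }
"""
NAMED_CONF = """
zone "." { type hint; file "named.root"; };
zone "bureau.own"{ type master; allow-update { key marjo; }; };
zone "68.69.69.in-addr.arpa" { type master; allow-update { key marjo; }; };
"""

ZONE_RE = re.compile(r'zone\s+"?([\w.-]+?)"?\s*\{')
SUBNET_RE = re.compile(r'subnet\s+([\d.]+)\s+netmask\s+([\d.]+)')
REVERSE_RE = re.compile(r'^(\d{1,3}\.){1,3}in-addr\.arpa$')

def zones(conf):
    """Zone names declared in a config, normalised (no trailing dot, lowercase)."""
    return {m.group(1).rstrip('.').lower() for m in ZONE_RE.finditer(conf)} - {''}

def reverse_zone_for(subnet, netmask):
    """Reverse zone dhcpd needs for an octet-aligned subnet (/8, /16 or /24)."""
    prefix = sum(bin(int(o)).count('1') for o in netmask.split('.'))
    if prefix % 8:
        raise ValueError('non-octet-aligned mask: needs an RFC 2317 style delegation')
    octets = subnet.split('.')[:prefix // 8]
    return '.'.join(reversed(octets)) + '.in-addr.arpa'

def check_zones(dhcpd_conf, named_conf):
    """Return the problems that would make dhcpd's DDNS updates fail."""
    problems = []
    dhcpd_zones, named_zones = zones(dhcpd_conf), zones(named_conf)
    for z in sorted(dhcpd_zones):
        if 'in-addr' in z and not REVERSE_RE.match(z):
            problems.append(f'{z}: malformed reverse zone name, expected *.in-addr.arpa')
        if z not in named_zones:
            # Without a matching zone statement dhcpd locates the primary via the
            # SOA MNAME and sends an unsigned update, which allow-update { key ...; }
            # refuses; this matches the "update ... denied" line in the thread's log.
            problems.append(f'{z}: no such zone in named.conf; update will be unsigned')
    for subnet, mask in SUBNET_RE.findall(dhcpd_conf):
        want = reverse_zone_for(subnet, mask)
        if want not in dhcpd_zones:
            problems.append(f'{subnet}/{mask}: no dhcpd zone statement for {want}')
    return problems
```

Running check_zones on the posted fragments reports the malformed name, the missing named.conf match and the missing reverse zone for 69.69.68.0/24; replacing "in-addr-arpa" with "in-addr.arpa" clears all three.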