Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.
Jim Bucks
jbucks at coloradostudios.com
Fri Mar 29 12:19:27 UTC 2013
After working on this some more overnight...
I can add records interactively via nsupdate (as shown below). But I cannot
get the same results from an ipconfig /release & /renew from a
workstation. I am totally stumped at this point.
Any ideas? (And yes, I did go over the "semicomplete" URL provided by
Alex.) The only difference I can see is that I used a 512-bit key vs.
the example's 128-bit key. And I'm using a slaves/ directory vs. an internal/
directory for the "zones" files.
Jim
INTERACTIVE WORKS
------------------------------------
[root at dns04 chroot]# nsupdate
> server 127.0.0.1
> key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
>
> update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
>
>
[root at dns04 slaves]# ll
total 24
-rw-r--r-- 1 named named 400 Mar 28 15:08 db.172.10.20
-rw-r--r-- 1 named named 792 Mar 29 05:54 db.172.10.20.jnl
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rwxrwx--- 1 named named 362 Mar 28 13:41 db.dhcp.coloradostudios.com
-rw-r--r-- 1 named named 782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
[root at dns04 slaves]#
[root at dns04 chroot]# rndc freeze
[root at dns04 chroot]# rndc thaw
[root at dns04 slaves]# ll
total 16
-rw-r--r-- 1 named named 433 Mar 29 05:58 db.172.10.20
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rw-r--r-- 1 named named 381 Mar 29 05:58 db.dhcp.coloradostudios.com
[root at dns04 slaves]#
[root at dns04 slaves]# cat db.172.10.20
$ORIGIN .
$TTL 86400 ; 1 day
20.10.172.in-addr.arpa IN SOA dns04.coloradostudios.com. sysmgr.hd.net.
(
2013032605 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns04.den.coloradostudios.com.
$ORIGIN 20.10.172.in-addr.arpa.
$TTL 3600 ; 1 hour
101 PTR proccilap.dhcp.coloradostudios.com.
[root at dns04 slaves]# cat db.dhcp.coloradostudios.com
$ORIGIN .
$TTL 86400 ; 1 day
dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv.
(
2013032804 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns04.coloradostudios.com.
$ORIGIN dhcp.coloradostudios.com.
proccilap A 171.10.20.101
[root at dns04 slaves]#
IPCONFIG /RELEASE & /RENEW DOES NOT WORK
--------------------------------------------------------------------------------
Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks <jbucks at coloradostudios.com> wrote:
> Hi Jim,
>
> Shouldn't there be quotes around the key string in the named .conf file?
> I have quotes around mine in named.conf. I do not have quotes around the
> key string in the dhcpd.conf.
>
> If this is correct, I've made sure they match (I was trying to
> "genericize" the key string before), but not any longer.
>
> After making sure the key strings match, I'm still getting the error
> "unable to add forward map" when I do a release & renew from a windows
> laptop.
> Here are the current (and live) config files.
>
> named.conf
> =====================
> /*
> Sample named.conf BIND DNS server 'named' configuration file
> for the Red Hat BIND distribution.
>
> See the BIND Administrator's Reference Manual (ARM) for details, in:
> file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
> Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
> its manual.
> */
>
> acl stapleton_hosts {
> 127.0.0.1;
> 172.10.0.0/16;
> };
>
> options
> {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // "Working" directory
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
> zone-statistics yes;
>
>
> /*
> Specify listening interfaces. You can use a list of addresses (';' is the
> delimiter) or the keywords "any"/"none"
> */
> //listen-on port 53 { any; };
> listen-on port 53 { 127.0.0.1; 172.10.0.0; };
>
> //listen-on-v6 port 53 { any; };
> //listen-on-v6 port 53 { ::1; };
>
> /*
> Access restrictions
>
> There are two important options:
> allow-query { argument; };
> - allow queries for authoritative data
>
> allow-query-cache { argument; };
> - allow queries for non-authoritative data (mostly cached data)
>
> You can use address, network address or keywords
> "any"/"localhost"/"none" as argument
> Examples:
> allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
> allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
> */
>
> allow-query { stapleton_hosts; };
> allow-query-cache { stapleton_hosts; };
>
> // Enable/disable recursion - recursion yes/no;
> recursion yes;
>
> /* DNSSEC related options. See information about keys ("Trusted keys",
> below) */
>
> /* Enable serving of DNSSEC related data - enable on both authoritative
> and recursive servers DNSSEC aware servers */
> //dnssec-enable yes;
>
> /* Enable DNSSEC validation on recursive servers */
> //dnssec-validation yes;
>
> /* Enable DLV by default, use built-in ISC DLV key. */
> //dnssec-lookaside auto;
>
> version "Secret";
>
> };
>
> # Use this command line to generate the key. Only need the key string
> # (from the .private file) inside these files.
> # dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
> #
> # It is very important to use the exact same keystring and name on both
> # dhcpd.conf and named.conf for this to work.
> key DHCP_UPDATER { # This line specifies the key name
> algorithm HMAC-MD5; # This line specifies the encryption algorithm; best to stick with HMAC-MD5
> secret "TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw=="; # Finally, the key statement itself
> };
>
>
> logging
> {
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
> * named will try to write the 'named.run' file in the $directory (/var/named).
> * By default, SELinux policy does not allow named to modify the /var/named directory,
> * so put the default debug log file in data/ :
> */
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> /*
> Views let a name server answer a DNS query differently depending on who
> is asking.
>
> By default, if named.conf contains no "view" clauses, all zones are in the
> "default" view, which matches all clients.
>
> Views are processed sequentially. The first match is used so the last view should
> match "any" - it's the fallback and the most restricted view.
>
> If named.conf contains any "view" clause, then all zones MUST be in a view.
> */
>
> //view "localhost_resolver"
> //{
> ///* This view sets up named to be a localhost resolver ( caching only nameserver ).
> // * If all you want is a caching-only nameserver, then you need only define this view:
> // */
> // match-clients { localhost; };
> // recursion yes;
> //
> // # all views must contain the root hints zone:
> // zone "." IN {
> // type hint;
> // file "/var/named/named.ca";
> // };
> //
> // /* these are zones that contain definitions for all the localhost
> // * names and addresses, as recommended in RFC1912 - these names should
> // * not leak to the other nameservers:
> // */
> // include "/etc/named.rfc1912.zones";
> //};
> view "internal"
> {
> /* This view will contain zones you want to serve only to "internal" clients
> that connect via your directly attached LAN interfaces - "localnets" .
> */
> match-clients { stapleton_hosts; };
> recursion yes;
>
> disable-empty-zone ".";
>
> allow-update { stapleton_hosts; };
>
> zone "." IN {
> type hint;
> file "internal/root.hints";
> };
>
> /* these are zones that contain definitions for all the localhost
> * names and addresses, as recommended in RFC1912 - these names should
> * not leak to the other nameservers:
> */
> include "internal/named.rfc1912.zones";
>
> // These are your "authoritative" internal zones, and would probably
> // also be included in the "localhost_resolver" view above :
>
> /*
> NOTE for dynamic DNS zones and secondary zones:
>
> DO NOT USE SAME FILES IN MULTIPLE VIEWS!
>
> If you are using views and DDNS/secondary zones it is strongly
> recommended to read FAQ on ISC site (www.isc.org), section
> "Configuration and Setup Questions", questions
> "How do I share a dynamic zone between multiple views?" and
> "How can I make a server a slave for both an internal and an external
> view at the same time?"
> */
>
> /*
> Based on research, need to put DDNS "zones" files into the
> /var/named/chroot/var/named/slaves/ directory.
> Named has a "bug" that prevents them from being updated in the
> usual place /var/named/chroot/var/named/internal/
> */
> // forward "zones" file.
> zone "dhcp.coloradostudios.com" {
> type master;
> allow-update { key DHCP_UPDATER; };
> file "slaves/db.dhcp.coloradostudios.com";
> notify yes;
> // put dynamically updateable zones in the slaves/ directory so named can update them
> };
>
> // Reverse "zones" file.
> zone "20.10.172.in-addr.arpa" {
> type master;
> allow-update { key DHCP_UPDATER; };
> file "slaves/db.172.10.20";
> notify yes;
> };
> };
>
> //key ddns_key
> //{
> // algorithm hmac-md5;
> // secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
> //};
>
> //view "external"
> //{
> ///* This view will contain zones you want to serve only to "external" clients
> // * that have addresses that do not match any view above:
> // */
> // match-clients { any; };
> //
> // zone "." IN {
> // type hint;
> // file "/var/named/named.ca";
> // };
> //
> // recursion no;
> // // you'd probably want to deny recursion to external clients, so you don't
> // // end up providing free DNS service to all takers
> //
> // // These are your "authoritative" external zones, and would probably
> // // contain entries for just your web and mail servers:
> //
> // zone "my.external.zone" {
> // type master;
> // file "my.external.zone.db";
> // };
> //};
>
>
> dhcpd.conf
> ====================================
> #
> # DHCP Server Configuration file.
> # see /usr/share/doc/dhcp*/dhcpd.conf.sample
> # see 'man 5 dhcpd.conf'
> #
> # Sept 19, 2012 jbucks
> # /etc/dhcp/dhcdp.conf file - prepping for dhcp rollout
> #
> #
> # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
> # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
> INTERFACES="eth1";
>
> deny client-updates; # Tells the server to deny any requests that clients may send to update their own information.
>
> authoritative; # Sets the server authoritative for my network
> ddns-update-style interim; # Activates Dynamic DNS
> max-lease-time 604800; # 604800 is a week
> default-lease-time 86400; # 86400 is a day
>
> # Use this command line to generate the key. Only need the key string
> # (from the .private file) inside these files.
> # dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_UPDATER
> #
> # It is very important to use the exact same keystring and name on both
> # dhcpd.conf and named.conf for this to work.
> key DHCP_UPDATER { # This line specifies the key name
> algorithm HMAC-MD5; # This line specifies the encryption algorithm; best to stick with HMAC-MD5
> secret TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==; # Finally the key statement itself
> };
>
>
> # These zones statements are part of the dynamic dns (named) as they link back into the bind (named) zones
> zone dhcp.coloradostudios.com. {
> primary 127.0.0.1;
> key DHCP_UPDATER;
> }
>
> zone 20.10.172.in-addr.arpa. {
> primary 127.0.0.1;
> key DHCP_UPDATER;
> }
>
> subnet 172.10.0.0 netmask 255.255.0.0 {
> option broadcast-address 172.10.255.255;
> option domain-name "coloradostudios.com";
> option routers 172.10.5.1;
> ddns-hostname = concat ("dhcp-", binary-to-ascii (10, 8, "-", leased-address));
> option time-offset -7; # Mountain Standard Time
> range 172.10.20.51 172.10.20.254;
> }
>
>
--
Jim Bucks - IT Director
Colorado Studios <http://www.coloradostudios.com>, Mobile TV
Group<http://www.mobiletvgroup.com>,
HDNet <http://www.hd.net>, AXS.tv <http://www.axs.tv/>
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbucks at coloradostudios.com Direct 303-542-5520
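The dhcpd log line in the post shows the forward name dhcpd derived from the subnet's ddns-hostname and domain-name settings. The following Python check is an added example, not code from the post or from ISC: it reproduces that derivation, builds the matching PTR owner name, and tests whether each name falls under one of the zone statements declared in the dhcpd.conf above. DOMAIN_NAME and DECLARED_ZONES are copied by hand from the post, and matching_zone is a label-aligned longest-suffix match that approximates how a zone statement is chosen for a name.

```python
import ipaddress
from typing import Optional

# Constructed from the dhcpd.conf in the post, copied by hand (not parsed from the file).
DOMAIN_NAME = "coloradostudios.com"  # option domain-name in the subnet block
DECLARED_ZONES = ["dhcp.coloradostudios.com.", "20.10.172.in-addr.arpa."]  # dhcpd zone statements


def ddns_hostname(leased_address: str) -> str:
    """Mimic: ddns-hostname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address))."""
    return "dhcp-" + leased_address.replace(".", "-")


def forward_name(leased_address: str, hostname: Optional[str] = None) -> str:
    """FQDN dhcpd will try to add an A record for: <ddns-hostname>.<domain-name>."""
    host = hostname or ddns_hostname(leased_address)
    return f"{host}.{DOMAIN_NAME}."


def reverse_name(leased_address: str) -> str:
    """Owner name of the PTR record dhcpd will try to add."""
    return ipaddress.ip_address(leased_address).reverse_pointer + "."


def matching_zone(fqdn: str, zones) -> Optional[str]:
    """Longest label-aligned suffix match; None means no declared zone covers the name."""
    labels = fqdn.lower().rstrip(".").split(".")
    best = None
    for zone in zones:
        zlabels = zone.lower().rstrip(".").split(".")
        if len(zlabels) <= len(labels) and labels[-len(zlabels):] == zlabels:
            if best is None or len(zlabels) > len(best):
                best = zlabels
    return ".".join(best) + "." if best else None


def check_lease(leased_address: str, hostname: Optional[str] = None) -> dict:
    """Return {direction: (name dhcpd derives, zone statement it falls under or None)}."""
    fwd, rev = forward_name(leased_address, hostname), reverse_name(leased_address)
    return {"forward": (fwd, matching_zone(fwd, DECLARED_ZONES)),
            "reverse": (rev, matching_zone(rev, DECLARED_ZONES))}


if __name__ == "__main__":
    for direction, (name, zone) in check_lease("172.10.20.101").items():
        print(f"{direction}: {name} -> {zone or 'no declared zone'}")
```

Run as a script, it reports that the forward name dhcp-172-10-20-101.coloradostudios.com. lands in no declared zone while the reverse name does; the name used in the interactive nsupdate test, proccilap.dhcp.coloradostudios.com., does fall under the declared forward zone, which is one difference between the two cases worth checking.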