Requesting Update-Policy Statements Sanity Check, Please
duluxoz
duluxoz at gmail.com
Sat Feb 4 10:14:55 UTC 2023
Thanks Mark (& Darren & Jan-Piet),
So I made those changes you suggested (Mark), but I'm still having
issues (ie DHCP leases are not being added to the DNS zones), so I've
included my Bind9 config:
~~~
acl "bogusnets" {
!"internal_hosts";
0.0.0.0/8;
10.0.0.0/8;
172.16.0.0/12;
192.0.2.0/24;
192.168.0.0/16;
224.0.0.0/3;
};
acl "internal_hosts" {
192.168.1.0/24;
192.168.2.0/24;
};
acl "secondary_external_servers" {
192.168.1.1/32;
192.168.1.2/32;
};
acl "secondary_internal_servers" {
192.168.2.1/32;
192.168.2.2/32;
};
acl "servers_ddns" {
"localhost";
192.168.2.3/32;
};
acl "servers_rndc" {
"localhost";
192.168.2.3/32;
};
acl "stats_hosts" {
192.168.2.0/24;
};
controls {
inet 0.0.0.0 port 953 allow {
"servers_rndc";
} keys {
"rndc.key";
};
};
logging {
channel "auth_servers_log" {
file "/var/log/named/auth_servers.log" versions 3 size 512000
suffix timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "client_security_log" {
file "/var/log/named/client_security.log" versions 3 size
512000 suffix timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "default_log" {
file "/var/log/named/default.log" versions 3 size 512000 suffix
timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "default_debug_log" {
file "/var/log/named/default_debug.log" versions 3 size 512000
suffix timestamp;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
channel "ddns_log" {
file "/var/log/named/ddns.log" versions 3 size 512000 suffix
timestamp;
severity debug 1;
print-time yes;
print-severity yes;
print-category yes;
};
channel "dnssec_log" {
file "/var/log/named/dnssec.log" versions 3 size 512000 suffix
timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "queries_log" {
file "/var/log/named/queries.log" versions 3 size 512000 suffix
timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query_errors_log" {
file "/var/log/named/query_errors.log" versions 3 size 512000
suffix timestamp;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
channel "zone_transfers_log" {
file "/var/log/named/zone_transfers.log" versions 3 size 512000
suffix timestamp;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category "client" {
"client_security_log";
"default_debug";
};
category "dnssec" {
"dnssec_log";
"default_debug";
};
category "default" {
"default_syslog";
"default_debug";
"default_log";
};
category "delegation-only" {
"auth_servers_log";
"default_debug";
};
category "edns-disabled" {
"auth_servers_log";
"default_debug";
};
category "lame-servers" {
"auth_servers_log";
"default_debug";
};
category "notify" {
"zone_transfers_log";
"default_debug";
};
category "resolver" {
"auth_servers_log";
"default_debug";
};
category "security" {
"client_security_log";
"default_debug";
};
category "update" {
"ddns_log";
"default_debug";
};
category "update-security" {
"ddns_log";
"default_debug";
};
category "xfer-in" {
"zone_transfers_log";
"default_debug";
};
category "xfer-out" {
"zone_transfers_log";
"default_debug";
};
};
options {
blackhole {
"bogusnets";
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
flush-zones-on-shutdown yes;
managed-keys-directory "/var/named/dynamic";
memstatistics yes;
memstatistics-file "/var/named/data/named_mem_stats.txt";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
statistics-file "/var/named/data/named_stats.txt";
version "Not Currently Available";
disable-algorithms "." {
"RSAMD5";
"RSASHA1";
"NSEC3RSASHA1";
"DSA";
};
disable-ds-digests "." {
"SHA-1";
"GOST";
};
recursion no;
allow-query {
"localhost";
};
allow-transfer {
"secondary_external_servers";
"secondary_internal_servers";
};
multi-master no;
zone-statistics yes;
};
primaries "servers_primaries" {
192.168.2.3;
};
statistics-channels {
inet 0.0.0.0 port 8080 allow {
"stats_hosts";
};
};
key "update.key" {
algorithm "hmac-sha512";
secret
"????????????????????????????????????????????????????????????????????????????????????????";
};
key "rndc.key" {
algorithm "hmac-sha512";
secret
"????????????????????????????????????????????????????????????????????????????????????????";
};
server 192.168.1.1/32 {
keys "update.key";
};
server 192.168.1.2/32 {
keys "update.key";
};
server 192.168.2.1/32 {
keys "update.key";
};
server 192.168.2.2/32 {
keys "update.key";
};
server 192.168.2.3/32 {
keys "update.key";
};
zone "example.com" in {
type primary;
file "zones/primary.example.com.zone";
update-policy {
grant "update.key" name "_acme-challenge.example.com" "TXT";
};
allow-transfer {
!{
!"secondary_external_servers";
"any";
};
key "update.key.";
};
dnssec-policy "default";
};
zone "1.168.192.IN-ADDR.ARPA" in {
type primary;
file "zones/primary.192.168.1.rev.zone";
allow-transfer {
!{
!"secondary_internal_servers";
"any";
};
key "update.key";
};
allow-update {
"none";
};
notify no;
};
zone "2.168.192.IN-ADDR.ARPA" in {
type primary;
file "zones/primary.192.168.2.rev.zone";
update-policy {
grant "update.key" zonesub "PTR";
};
allow-transfer {
!{
!"secondary_internal_servers";
"any";
};
key "update.key";
};
};
zone "my-domain.local" in {
type primary;
file "zones/primary.my-domain.local.zone";
update-policy {
grant "update.key" zonesub "A";
};
allow-transfer {
!{
!"secondary_internal_servers";
"any";
};
key "update.key";
};
};
~~~
Here's the (relevant parts of the) Bind9 ddns.log (ie the update log):
~~~
04-Feb-2023 19:57:09.736 update: info: client @0x7f3e2063fa18
192.168.2.3#45674/key update.key: updating zone 'my-domain.local/IN':
update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18
192.168.2.3#38345/key update.key: updating zone 'my-domain.local/IN':
update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18
192.168.2.3#39061/key update.key: updating zone
'2.168.192.IN-ADDR.ARPA/IN': update unsuccessful:
8.2.168.192.IN-ADDR.ARPA/PTR: 'RRset exists (value dependent)'
prerequisite not satisfied (NXRRSET)
04-Feb-2023 19:57:09.738 update: info: client @0x7f3e2063fa18
192.168.2.3#48836/key update.key: updating zone 'my-domain.local/IN':
update failed: rejected by secure update (REFUSED)
~~~
Here's the corresponding (relevant parts of the) the Kea-ddns.log
~~~
2023-02-04 19:57:09.735 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_STARTING_TRANSACTION Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
2023-02-04 19:57:09.736 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_REQUEST_SENT Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Forward A/AAAA Remove to server: 192.168.2.3 port:53
2023-02-04 19:57:09.737 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
2023-02-04 19:57:09.737 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_REQUEST_SENT Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Forward RR Remove to server: 192.168.2.3 port:53
2023-02-04 19:57:09.737 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
2023-02-04 19:57:09.737 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_REQUEST_SENT Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Reverse Remove to server: 192.168.2.3 port:53
2023-02-04 19:57:09.738 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
2023-02-04 19:57:09.738 INFO
[kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_REMOVE_SUCCEEDED
DHCP_DDNS Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
successfully removed the DNS mapping addition for this request: Type: 1
(CHG_REMOVE)
Forward Change: yes
Reverse Change: yes
FQDN: [client1.my-domain.local.]
IP Address: [192.168.2.8]
DHCID:
[000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
Lease Expires On: 20230205083853
Lease Length: 86400
Conflict Resolution: yes
2023-02-04 19:57:09.738 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_STARTING_TRANSACTION Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
2023-02-04 19:57:09.738 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_REQUEST_SENT Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Forward Add to server: 192.168.2.3 port:53
2023-02-04 19:57:09.738 DEBUG
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
to server: 192.168.2.3 port:53 status: SUCCESS, rcode: REFUSED
2023-02-04 19:57:09.738 ERROR
[kea-dhcp-ddns.d2-to-dns/738.140595359121344]
DHCP_DDNS_FORWARD_ADD_REJECTED DNS Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Server, 192.168.2.3 port:53, rejected a DNS update request to add the
address mapping for FQDN, client1.my-domain.local., with an RCODE: 5
2023-02-04 19:57:09.738 ERROR
[kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_ADD_FAILED
DHCP_DDNS Request ID
000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
Transaction outcome Status: Failed, Event: UPDATE_FAILED_EVT, Forward
change: failed, Reverse change: failed, request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: yes
FQDN: [client1.my-domain.local.]
IP Address: [192.168.2.8]
DHCID:
[000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
Lease Expires On: 20230205085709
Lease Length: 86400
Conflict Resolution: yes
~~~
And here's the kea-dhcp-ddns.conf
~~~
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"control-socket": {
"socket-type": "unix",
"socket-name": "/var/run/kea/kea-ddns-ctrl.socket"
},
"tsig-keys": [{
"name": "update.key",
"algorithm": "hmac-sha512",
"secret":
"????????????????????????????????????????????????????????????????????????????????????????"
}],
"forward-ddns": {
"ddns-domains": [{
"name": "my-domain.local.",
"key-name": "update.key",
"dns-servers": [{"ip-address": "192.168.2.3"}]
}]
},
"reverse-ddns": {
"ddns-domains": [{
"name": "1.168.192.IN-ADDR.ARPA.",
"key-name": "update.key",
"dns-servers": [{"ip-address": "192.168.2.3"}]
},{
"name": "2.168.192.IN-ADDR.ARPA.",
"key-name": "update.key",
"dns-servers": [{"ip-address": "192.168.2.3"}]
}]
},
"loggers": [{
"name": "kea-dhcp-ddns",
"output_options": [{
"output": "/var/log/kea/kea-ddns.log",
"flush": true,
"maxsize": 1048576,
"maxver": 10
}],
"severity": "INFO",
"debuglevel": 0
}]
}
}
~~~
I have checked, double-checked, and double-checked again that the
update.key values are the same in both config files.
So... What am I doing wrong, please?
Any help is gratefully appreciated - thanks
Cheers
Dulux-Oz
On 04/02/2023 15:28, Mark Andrews wrote:
> You need to replace the rule type with something more appropriate for the type of update being preformed. For the updates made by the DHCP server I would use “zonesub”. “name” is fine for LetsEncrypt.
>
> update-policy {grant update-key zonesub A AAAA;};
> update-policy {grant update-key zonesub PTR;};
>
> ``zonesub``
> This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the :any:`update-policy` statement appears. This obviates the need to type the zone name twice, and enables the use of a standard :any:`update-policy` statement in multiple zones without modification. When this rule is used, the ``name`` field is omitted.
>
>
>> On 3 Feb 2023, at 18:04, duluxoz <duluxoz at gmail.com> wrote:
>>
>> Hi All,
>>
>> I'm pretty new to configuring Bind and so it would be great if someone(s) could just check my code re: the update-policy zone command(s) below - thanks in advance.
>>
>> For the first zone (a regular internal forward-lookup zone) I'd like to be able to update (from Kea via ddns) the zone when a new host is assigned/etc a DHCP lease:
>>
>> update-policy {grant update-key name internal-forward-lookup.local A AAAA;};
>>
>> For the second zone (a regular internal reverse-lookup zone for the 192.168.1.0/24 network) I'd like to be able to update (from Kea via ddns) the zone when a new host is assigned a DHCP lease (obviously I've got an equivalent IPv6 reverse-lookup zone :-) ):
>>
>> update-policy {grant update-key name 1.168.192.IN-ADDR.ARPA PTR;};
>>
>> For the third zone (a regular external forward-lookup zone) I'd like to be able to update (via acme.sh/LetsEncrypt) the _acme-challenge.example.com TXT record when a Certificate is requested/renewed:
>>
>> update-policy {grant update-key name _acme-challenge.example.com TXT;};
>>
>> I've got the update-key configured and available on all the necessary boxes, etc, and dns (for fixed IP addresses) and dhcp are working - I just need to get these update-policy statements correct.
>>
>>
>> Any help is greatly appreciated - and again, thanks in advance
>>
>> Cheers
>>
>> Dulux-Oz
More information about the bind-users
mailing list