Requesting Update-Policy Statements Sanity Check, Please
Mark Andrews
marka at isc.org
Sat Feb 4 12:21:11 UTC 2023
Add DHCID to the list of record types permitted to be updated by the DHCP server: the "my-domain.local" update-policy currently grants only "A", but the Forward Add that Kea sends also writes a DHCID record, so the whole update is rejected by secure update (the REFUSED entry in ddns.log). Include "AAAA" as well, as in the earlier suggestion, if IPv6 leases are expected.
--
Mark Andrews
> On 4 Feb 2023, at 21:15, duluxoz <duluxoz at gmail.com> wrote:
>
> Thanks Mark (& Darren & Jan-Piet),
>
> So I made those changes you suggested (Mark), but I'm still having issues (ie DHCP leases are not being added to the DNS zones), so I've included my Bind9 config:
>
> ~~~
>
> acl "bogusnets" {
> !"internal_hosts";
> 0.0.0.0/8;
> 10.0.0.0/8;
> 172.16.0.0/12;
> 192.0.2.0/24;
> 192.168.0.0/16;
> 224.0.0.0/3;
> };
> acl "internal_hosts" {
> 192.168.1.0/24;
> 192.168.2.0/24;
> };
> acl "secondary_external_servers" {
> 192.168.1.1/32;
> 192.168.1.2/32;
> };
> acl "secondary_internal_servers" {
> 192.168.2.1/32;
> 192.168.2.2/32;
> };
> acl "servers_ddns" {
> "localhost";
> 192.168.2.3/32;
> };
> acl "servers_rndc" {
> "localhost";
> 192.168.2.3/32;
> };
> acl "stats_hosts" {
> 192.168.2.0/24;
> };
> controls {
> inet 0.0.0.0 port 953 allow {
> "servers_rndc";
> } keys {
> "rndc.key";
> };
> };
> logging {
> channel "auth_servers_log" {
> file "/var/log/named/auth_servers.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "client_security_log" {
> file "/var/log/named/client_security.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "default_log" {
> file "/var/log/named/default.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "default_debug_log" {
> file "/var/log/named/default_debug.log" versions 3 size 512000 suffix timestamp;
> severity dynamic;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "ddns_log" {
> file "/var/log/named/ddns.log" versions 3 size 512000 suffix timestamp;
> severity debug 1;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "dnssec_log" {
> file "/var/log/named/dnssec.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "queries_log" {
> file "/var/log/named/queries.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "query_errors_log" {
> file "/var/log/named/query_errors.log" versions 3 size 512000 suffix timestamp;
> severity dynamic;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel "zone_transfers_log" {
> file "/var/log/named/zone_transfers.log" versions 3 size 512000 suffix timestamp;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category "client" {
> "client_security_log";
> "default_debug";
> };
> category "dnssec" {
> "dnssec_log";
> "default_debug";
> };
> category "default" {
> "default_syslog";
> "default_debug";
> "default_log";
> };
> category "delegation-only" {
> "auth_servers_log";
> "default_debug";
> };
> category "edns-disabled" {
> "auth_servers_log";
> "default_debug";
> };
> category "lame-servers" {
> "auth_servers_log";
> "default_debug";
> };
> category "notify" {
> "zone_transfers_log";
> "default_debug";
> };
> category "resolver" {
> "auth_servers_log";
> "default_debug";
> };
> category "security" {
> "client_security_log";
> "default_debug";
> };
> category "update" {
> "ddns_log";
> "default_debug";
> };
> category "update-security" {
> "ddns_log";
> "default_debug";
> };
> category "xfer-in" {
> "zone_transfers_log";
> "default_debug";
> };
> category "xfer-out" {
> "zone_transfers_log";
> "default_debug";
> };
> };
> options {
> blackhole {
> "bogusnets";
> };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> flush-zones-on-shutdown yes;
> managed-keys-directory "/var/named/dynamic";
> memstatistics yes;
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> statistics-file "/var/named/data/named_stats.txt";
> version "Not Currently Available";
> disable-algorithms "." {
> "RSAMD5";
> "RSASHA1";
> "NSEC3RSASHA1";
> "DSA";
> };
> disable-ds-digests "." {
> "SHA-1";
> "GOST";
> };
> recursion no;
> allow-query {
> "localhost";
> };
> allow-transfer {
> "secondary_external_servers";
> "secondary_internal_servers";
> };
> multi-master no;
> zone-statistics yes;
> };
> primaries "servers_primaries" {
> 192.168.2.3;
> };
> statistics-channels {
> inet 0.0.0.0 port 8080 allow {
> "stats_hosts";
> };
> };
> key "update.key" {
> algorithm "hmac-sha512";
> secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> key "rndc.key" {
> algorithm "hmac-sha512";
> secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> server 192.168.1.1/32 {
> keys "update.key";
> };
> server 192.168.1.2/32 {
> keys "update.key";
> };
> server 192.168.2.1/32 {
> keys "update.key";
> };
> server 192.168.2.2/32 {
> keys "update.key";
> };
> server 192.168.2.3/32 {
> keys "update.key";
> };
> zone "example.com" in {
> type primary;
> file "zones/primary.example.com.zone";
> update-policy {
> grant "update.key" name "_acme-challenge.example.com" "TXT";
> };
> allow-transfer {
> !{
> !"secondary_external_servers";
> "any";
> };
> key "update.key.";
> };
> dnssec-policy "default";
> };
> zone "1.168.192.IN-ADDR.ARPA" in {
> type primary;
> file "zones/primary.192.168.1.rev.zone";
> allow-transfer {
> !{
> !"secondary_internal_servers";
> "any";
> };
> key "update.key";
> };
> allow-update {
> "none";
> };
> notify no;
> };
> zone "2.168.192.IN-ADDR.ARPA" in {
> type primary;
> file "zones/primary.192.168.2.rev.zone";
> update-policy {
> grant "update.key" zonesub "PTR";
> };
> allow-transfer {
> !{
> !"secondary_internal_servers";
> "any";
> };
> key "update.key";
> };
> };
> zone "my-domain.local" in {
> type primary;
> file "zones/primary.my-domain.local.zone";
> update-policy {
> grant "update.key" zonesub "A";
> };
> allow-transfer {
> !{
> !"secondary_internal_servers";
> "any";
> };
> key "update.key";
> };
> };
>
> ~~~
>
> Here's the (relevant parts of the) Bind9 ddns.log (ie the update log):
>
> ~~~
>
> 04-Feb-2023 19:57:09.736 update: info: client @0x7f3e2063fa18 192.168.2.3#45674/key update.key: updating zone 'my-domain.local/IN': update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18 192.168.2.3#38345/key update.key: updating zone 'my-domain.local/IN': update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18 192.168.2.3#39061/key update.key: updating zone '2.168.192.IN-ADDR.ARPA/IN': update unsuccessful: 8.2.168.192.IN-ADDR.ARPA/PTR: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 04-Feb-2023 19:57:09.738 update: info: client @0x7f3e2063fa18 192.168.2.3#48836/key update.key: updating zone 'my-domain.local/IN': update failed: rejected by secure update (REFUSED)
>
> ~~~
>
> Here's the corresponding (relevant parts of the) Kea-ddns.log
>
> ~~~
>
> 2023-02-04 19:57:09.735 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
> 2023-02-04 19:57:09.736 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward A/AAAA Remove to server: 192.168.2.3 port:53
> 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
> 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward RR Remove to server: 192.168.2.3 port:53
> 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
> 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Reverse Remove to server: 192.168.2.3 port:53
> 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET
> 2023-02-04 19:57:09.738 INFO [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_REMOVE_SUCCEEDED DHCP_DDNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: successfully removed the DNS mapping addition for this request: Type: 1 (CHG_REMOVE)
> Forward Change: yes
> Reverse Change: yes
> FQDN: [client1.my-domain.local.]
> IP Address: [192.168.2.8]
> DHCID: [000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
> Lease Expires On: 20230205083853
> Lease Length: 86400
> Conflict Resolution: yes
>
> 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343:
> 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward Add to server: 192.168.2.3 port:53
> 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: REFUSED
> 2023-02-04 19:57:09.738 ERROR [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_FORWARD_ADD_REJECTED DNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Server, 192.168.2.3 port:53, rejected a DNS update request to add the address mapping for FQDN, client1.my-domain.local., with an RCODE: 5
> 2023-02-04 19:57:09.738 ERROR [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Transaction outcome Status: Failed, Event: UPDATE_FAILED_EVT, Forward change: failed, Reverse change: failed, request: Type: 0 (CHG_ADD)
> Forward Change: yes
> Reverse Change: yes
> FQDN: [client1.my-domain.local.]
> IP Address: [192.168.2.8]
> DHCID: [000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
> Lease Expires On: 20230205085709
> Lease Length: 86400
> Conflict Resolution: yes
> ~~~
>
> And here's the kea-dhcp-ddns.conf
>
> ~~~
>
> {
> "DhcpDdns": {
> "ip-address": "127.0.0.1",
> "port": 53001,
> "control-socket": {
> "socket-type": "unix",
> "socket-name": "/var/run/kea/kea-ddns-ctrl.socket"
> },
> "tsig-keys": [{
> "name": "update.key",
> "algorithm": "hmac-sha512",
> "secret": "????????????????????????????????????????????????????????????????????????????????????????"
> }],
> "forward-ddns": {
> "ddns-domains": [{
> "name": "my-domain.local.",
> "key-name": "update.key",
> "dns-servers": [{"ip-address": "192.168.2.3"}]
> }]
> },
> "reverse-ddns": {
> "ddns-domains": [{
> "name": "1.168.192.IN-ADDR.ARPA.",
> "key-name": "update.key",
> "dns-servers": [{"ip-address": "192.168.2.3"}]
> },{
> "name": "2.168.192.IN-ADDR.ARPA.",
> "key-name": "update.key",
> "dns-servers": [{"ip-address": "192.168.2.3"}]
> }]
> },
> "loggers": [{
> "name": "kea-dhcp-ddns",
> "output_options": [{
> "output": "/var/log/kea/kea-ddns.log",
> "flush": true,
> "maxsize": 1048576,
> "maxver": 10
> }],
> "severity": "INFO",
> "debuglevel": 0
> }]
> }
> }
>
> ~~~
>
> I have checked, double-checked, and double-checked again that the update.key values are the same in both config files.
>
> So... What am I doing wrong, please?
>
> Any help is gratefully appreciated - thanks
>
> Cheers
>
> Dulux-Oz
>
>> On 04/02/2023 15:28, Mark Andrews wrote:
>> You need to replace the rule type with something more appropriate for the type of update being performed. For the updates made by the DHCP server I would use “zonesub”. “name” is fine for LetsEncrypt.
>>
>> update-policy {grant update-key zonesub A AAAA;};
>> update-policy {grant update-key zonesub PTR;};
>>
>> ``zonesub``
>> This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the :any:`update-policy` statement appears. This obviates the need to type the zone name twice, and enables the use of a standard :any:`update-policy` statement in multiple zones without modification. When this rule is used, the ``name`` field is omitted.
>>
>>
>>>> On 3 Feb 2023, at 18:04, duluxoz <duluxoz at gmail.com> wrote:
>>>
>>> Hi All,
>>>
>>> I'm pretty new to configuring Bind and so it would be great if someone(s) could just check my code re: the update-policy zone command(s) below - thanks in advance.
>>>
>>> For the first zone (a regular internal forward-lookup zone) I'd like to be able to update (from Kea via ddns) the zone when a new host is assigned/etc a DHCP lease:
>>>
>>> update-policy {grant update-key name internal-forward-lookup.local A AAAA;};
>>>
>>> For the second zone (a regular internal reverse-lookup zone for the 192.168.1.0/24 network) I'd like to be able to update (from Kea via ddns) the zone when a new host is assigned a DHCP lease (obviously I've got an equivalent IPv6 reverse-lookup zone :-) ):
>>>
>>> update-policy {grant update-key name 1.168.192.IN-ADDR.ARPA PTR;};
>>>
>>> For the third zone (a regular external forward-lookup zone) I'd like to be able to update (via acme.sh/LetsEncrypt) the _acme-challenge.example.com TXT record when a Certificate is requested/renewed:
>>>
>>> update-policy {grant update-key name _acme-challenge.example.com TXT;};
>>>
>>> I've got the update-key configured and available on all the necessary boxes, etc, and dns (for fixed IP addresses) and dhcp are working - I just need to get these update-policy statements correct.
>>>
>>>
>>> Any help is greatly appreciated - and again, thanks in advance
>>>
>>> Cheers
>>>
>>> Dulux-Oz
>