need help with dynamic DNS updates, better mysteries

Glenn Satchell Glenn.Satchell at uniq.com.au
Sun Mar 12 12:42:48 UTC 2006


>From: Glenn Satchell <Glenn.Satchell at uniq.com.au>
>
>Simon Hobson wrote:
>>
>>Ross Boylan wrote:
>>
>>>Mar 10 20:17:32 wheat named[7080]: client 127.0.0.1#33008: view 
>>>inside: update 'betterworld.us/IN' denied
>>>Mar 10 20:17:32 wheat dhcpd: Unable to add forward map from 
>>>corn.betterworld.us to 192.168.40.25: timed out
>>
>>OK, this tells us a lot. The second line is logged by dhcpd and says 
>>that it attempted an update, but it timed out. Not overly helpful as 
>>it tells us it failed (useful in itself) but not why ...
>
>If named gets an update request that is not permitted, it ignores it
>and does not reply, hence the requesting process times out.
>
>>... but the first line, from named, does tell us why - the update was 
>>denied. That means either the zone doesn't have the right "allow 
>>update ..." statement OR the statement is there but the key doesn't 
>>match (not actually sure if mismatched keys cause a more specific 
>>message or not).
>>
>-->8--snip-->8--
>>
>>You now need to figure out why the dns server is denying the update requests.
>>
>>Simon
>
>Perhaps this was a copy/paste typo in an earlier email? But
>there is no allow-update in the betterworld.us zone, the one in
>the 192.in-addr.arpa looks correct though ...
>
>> 	zone "192.in-addr.arpa" {
>> 		type master;
>> 		file "/etc/bind/db.192";
>> 		allow-query { internals; };
>> 		allow-transfer { internals; };
>> 		allow-update { key DHCP_UPDATER;};
>> 	};
>> 
>> 	zone "betterworld.us" {
>> 		notify no;
>> 		type master;
>> 		file "/etc/bind/inside-betterworld.us";
>> 	};
>
>If this brings no joy, then you can temporarily test without using keys:
>
>		allow-update { localhost; DHCP_UPDATER; };

Need a bit more care with copy/paste myself! That should be

		allow-update { localhost; key DHCP_UPDATER; };

>'localhost' is a special ACL that evaluates true to any locally
>configured interface address on the name server. If this works
>then the problem is with the keys. Check that algorithm,
>quoting, etc, are all correct. There are examples in the
>dhcpd.conf man page under the section DYNAMIC DNS UPDATE SECURITY
>for both named.conf and dhcpd.conf.
>
regards,
-glenn
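
The check discussed in this thread, as an added example that is not part of the original post: a small Python audit that reads named.conf text and reports, per zone, whether allow-update is absent, key-based, or address-based, and flags a key name written without the `key` keyword. The helper names (`zone_bodies`, `audit`), the `test.example` zone and the key secret are constructed for illustration; it inspects only `allow-update`, not `update-policy`.

```python
import re

# Constructed sample: the two zones quoted in the thread, plus a third zone
# carrying the mistyped test line; the key secret is a placeholder.
SAMPLE_CONF = '''
key DHCP_UPDATER { algorithm hmac-md5; secret "PLACEHOLDER=="; };
zone "192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-update { key DHCP_UPDATER;};
};
zone "betterworld.us" {
    notify no;
    type master;
    file "/etc/bind/inside-betterworld.us";
};
zone "test.example" {
    allow-update { localhost; DHCP_UPDATER; };
};
'''

def zone_bodies(conf):
    """Yield (zone_name, body_text) for each zone block, matching braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return {zone: [findings]} describing each zone's allow-update list."""
    keys = set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', conf))  # defined keys
    report = {}
    for name, body in zone_bodies(conf):
        m = re.search(r'allow-update\s*\{([^}]*)\}', body)
        if not m:
            report[name] = ["no allow-update: dynamic updates are denied"]
            continue
        findings = []
        for elem in filter(None, (e.strip() for e in m.group(1).split(';'))):
            if elem.startswith('key '):
                findings.append(f"TSIG key {elem[4:].strip()}")
            elif elem in keys:
                findings.append(f"'{elem}' is a key name without the 'key' keyword")
            else:
                findings.append(f"address/ACL match '{elem}' (no key required)")
        report[name] = findings
    return report
```

Calling `audit()` on the text of a real named.conf lists any zone still carrying an address-based entry such as `localhost` after testing, so it can be removed once the key-based update works.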


