Feature questions

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Sep 25 12:35:09 UTC 2008


>Date: Wed, 24 Sep 2008 08:14:32 -0600
>From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>To: dhcp-users at isc.org
>Subject: Re: Feature questions
>
>Glenn Satchell wrote:
>>> Date: Tue, 23 Sep 2008 11:06:08 -0600
>>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>> To: dhcp-users at isc.org
>>> Subject: Re: Feature questions
>>>
>>> So my next question is in regards to providing zone or dns zone options 
>>> without the use of dnssec? Is this a valid example?
>> 
>> If you don't use keys then you need to allow updates by IP address. See
>> examples below.
>> 
>> Allowing this means, for example, that any user on that box could use
>> nsupdate to modify your zone files. Using keys is much safer.
>> 
>> If you find that dns updates are not working you will need to enable
>> named logging and look to see what the problem is. dhcp will return
>> something like 'dns update times out'.
>> 
>> named.conf?
>Named.conf? According to the documentation I have read regarding dhcpd 
>and dns updates these are directives I am using in the dhcpd.conf file.
>
>Is this wrong?

Go back and look at your documentation again. named.conf is the file
used by the named dns daemon that uses and manages zone files.
dhcpd.conf is the configuration file that dhcpd uses. To do dns updates
dhcpd talks to named, and named updates the dns. So you need to tell
named that dhcpd is allowed to send it updates.

Again, I refer you to the dhcpd.conf man page and the section "DYNAMIC
DNS UPDATE SECURITY" which has examples for configuring named.conf and
dhcpd.conf to allow dns updates.

regards,
-glenn
>
>>> #### DNS Zone Definitions ####
>>> zone "test.com" {
>>>     type master;
>>>     file "mmctest.zone";
>>       allow-update { localhost; };
>>> };
>>> zone "xxx.xxx.xxx.xxx.in-addr.arpa" {
>>>     type master;
>>>     file "test.zone";
>>       allow-update { localhost; };
>>> };
>> 
>> 
>> dhcpd.conf?
>>> zone test {
>>>     primary 127.0.0.1;
>>> }
>>> zone xxx.xxx.xxx.xxx.in-addr.arpa {
>>>     primary 127.0.0.1;
>>> }
>> 
>> regards,
>> -glenn
>>> Glenn Satchell wrote:
>>>> Hi Jason
>>>>
>>>> Check the dhcpd.conf man page (man dhcpd.conf) and scroll down to the
>>>> section titled "DYNAMIC DNS UPDATE SECURITY" and follow the examples
>>>> there.
>>>>
>>>> You need to generate your passphrase using dnssec-keygen, you can't
>>>> just pick an arbitrary group of letters as it is base64 encoded.
>>>>
>>>> Also dhcpd.conf configuration is not the same as named.conf, for
>>>> example quotes are used differently. The reference above has examples
>>>> for both named.conf and dhcpd.conf.
>>>>
>>>> regards,
>>>> -glenn
>>>>
>>>>   
>>>>> Date: Mon, 22 Sep 2008 07:35:33 -0600
>>>>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>>>> To: dhcp-users at isc.org
>>>>> Subject: Feature questions
>>>>>
>>>>> I have read the documentation regarding the use of DNSSEC and also 
>>>>> utilizing DNS zone files within the dhcpd.conf. I am in need of a 
>>>>> 'second set of eyes' in regards to my current configuration for these 
>>>>> options as well as for the failover configuration syntax.
>>>>>
>>>>> If any one could assist me with this I would appreciate it.
>>>>>
>>>>> #### DNSSEC Key Definitions ####
>>>>> key test {
>>>>>     algorithm DSA;
>>>>>     secret passphrase;
>>>>> }
>>>>>
>>>>> #### DNS Zone Definitions ####
>>>>> zone "scl.utah.edu" {
>>>>>     type master;
>>>>>     file "mmctest.zone";
>>>>>     allow-update { key test; };
>>>>> };
>>>>> zone "145.17.97.155.in-addr.arpa" {
>>>>>     type master;
>>>>>     file "mmctest.zone";
>>>>>     allow-update { key test; };
>>>>> };
>>>>> zone scl.utah.edu {
>>>>>     primary 127.0.0.1;
>>>>>     key test;
>>>>> }
>>>>> zone 145.17.97.155.in-addr.arpa {
>>>>>     primary 127.0.0.1;
>>>>>     key test;
>>>>> }
>>>>>
>>>>> #### Failover configuration ####
>>>>> failover peer "tyr" {
>>>>>     primary;
>>>>>     address 155.97.17.166;
>>>>>     port 519;
>>>>>     peer address 155.97.16.253;
>>>>>     peer port 520;
>>>>>     max-response-delay 60;
>>>>>     max-unpacked-updates 10;
>>>>>     mclt 300;
>>>>>     split 128;
>>>>>     load balance max seconds 3;
>>>>> }
>>>>>
>>>>> The reason I am asking is because with this configuration (which looks 
>>>>> accurate according to the RFC documentation I have read) I receive some 
>>>>> errors when restarting the dhcpd service. Details below:
>>>>>
>>>>> dhcpd.conf line 24: partial base64 value left over: 14.
>>>>>        secret passphrase;
>>>>>
>>>>> dhcpd.conf line 28: expecting hostname.
>>>>> zone "scl.utah.edu"
>>>>>
>>>>> dhcpd.conf line 32: expecting a parameter or declaration
>>>>> };
>>>>>
>>>>> /dhcpd.conf line 33: expecting hostname.
>>>>> zone "145.17.97.155.in-addr.arpa"
>>>>>
>>>>> dhcpd.conf line 37: expecting a parameter or declaration
>>>>> };
>>>>>
>>>>> dhcpd.conf line 55: invalid statement in peer declaration
>>>>>        max-unpacked-updates
>>>>>
>>>>>
>>>>>
>>>>>     
>>>>
>>>>   
>>>
>> 
>> 
>
>
>-- 
>Jason Gerfen
>
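The man-page arrangement Glenn keeps pointing at (a base64 TSIG secret shared by named and dhcpd, named.conf restricting allow-update to that key, dhcpd.conf naming the primary and the key with no named-style type/file lines), written out as an added example. This is my illustration, not code from the thread, from ISC or from the dhcpd.conf man page; the key name DHCP_UPDATER, the zones example.com and 1.168.192.in-addr.arpa, the zone file names and named on 127.0.0.1 are assumptions chosen for the example. The two algorithm spellings follow the man page's own examples (hmac-md5 on the named side, HMAC-MD5.SIG-ALG.REG.INT on the dhcpd side); the secret is generated with os.urandom instead of dnssec-keygen so the script runs without BIND installed.

```python
"""Added example, not from the dhcp-users thread: build a TSIG key and the
matching named.conf and dhcpd.conf fragments for dhcpd -> named DDNS updates.

Assumed names (illustration only): key DHCP_UPDATER, zones example.com and
1.168.192.in-addr.arpa, zone files example.com.db / 192.168.1.db, named
listening on 127.0.0.1.
"""
import base64
import binascii
import os
import re


def make_tsig_secret(nbytes: int = 64) -> str:
    """Random shared secret, base64 encoded. 64 bytes is 512 bits, the size
    the man page's `dnssec-keygen -a HMAC-MD5 -b 512 -n HOST` command makes;
    os.urandom stands in here so the script runs without BIND tools."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def is_valid_secret(secret: str) -> bool:
    """dhcpd decodes `secret` as base64 at parse time, so a bare word such as
    'passphrase' is rejected. Require padded base64 that decodes to data."""
    if not secret or len(secret) % 4:
        return False
    try:
        return len(base64.b64decode(secret, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def named_conf(key_name: str, secret: str, zones, zone_files) -> str:
    """named.conf side: names and the secret are quoted strings, every block
    closes with '};', and allow-update names the key, not an IP address."""
    out = [f'key "{key_name}" {{',
           "    algorithm hmac-md5;",
           f'    secret "{secret}";',
           "};", ""]
    for zone, zfile in zip(zones, zone_files):
        out += [f'zone "{zone}" {{',
                "    type master;",
                f'    file "{zfile}";',
                f"    allow-update {{ key {key_name}; }};",
                "};", ""]
    return "\n".join(out)


def dhcpd_conf(key_name: str, secret: str, zones, primary="127.0.0.1") -> str:
    """dhcpd.conf side: no quotes on key/zone names or the secret, no
    'type'/'file' lines (those belong to named), no ';' after the closing
    brace; the zone block only says where the primary is and which key
    signs the updates."""
    out = [f"key {key_name} {{",
           "    algorithm HMAC-MD5.SIG-ALG.REG.INT;",
           f"    secret {secret};",
           "}", ""]
    for zone in zones:
        out += [f"zone {zone.rstrip('.')}. {{",
                f"    primary {primary};",
                f"    key {key_name};",
                "}", ""]
    return "\n".join(out)


# Pulls the secret out of either file's `secret ...;` line (quoted or not).
_SECRET_RE = re.compile(r'^\s*secret\s+"?([A-Za-z0-9+/=]+)"?\s*;', re.M)


def secrets_match(named_text: str, dhcpd_text: str) -> bool:
    """Both daemons must hold the same secret. A mismatch only shows up at
    runtime as a refused or timed-out update, so check before restarting."""
    a = _SECRET_RE.findall(named_text)
    b = _SECRET_RE.findall(dhcpd_text)
    return bool(a) and a == b


if __name__ == "__main__":
    secret = make_tsig_secret()
    zones = ["example.com", "1.168.192.in-addr.arpa"]
    named = named_conf("DHCP_UPDATER", secret, zones,
                       ["example.com.db", "192.168.1.db"])
    dhcpd = dhcpd_conf("DHCP_UPDATER", secret, zones)
    print("# named.conf fragment\n" + named)
    print("# dhcpd.conf fragment\n" + dhcpd)
    print("secrets match:", secrets_match(named, dhcpd))
```

Paste the first fragment into named.conf and the second into dhcpd.conf, then run `named-checkconf` and `dhcpd -t` before restarting either daemon; with the key in place there is no need for an address-based `allow-update { localhost; };`, which would let any local user run nsupdate against the zone.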
>
