Feature questions

Jason Gerfen jason.gerfen at gmail.com
Thu Sep 25 12:41:28 UTC 2008


You are right. I just overlooked the section where it mentioned
named.conf vs. dhcpd.conf. Thanks.

On Thu, Sep 25, 2008 at 6:35 AM, Glenn Satchell
<Glenn.Satchell at uniq.com.au> wrote:
>
>>Date: Wed, 24 Sep 2008 08:14:32 -0600
>>From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>To: dhcp-users at isc.org
>>Subject: Re: Feature questions
>>
>>Glenn Satchell wrote:
>>>> Date: Tue, 23 Sep 2008 11:06:08 -0600
>>>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>>> To: dhcp-users at isc.org
>>>> Subject: Re: Feature questions
>>>>
>>>> So my next question is in regards to providing zone or dns zone options
>>>> without the use of dnssec? Is this a valid example?
>>>
>>> If you don't use keys then you need to allow updates by IP address. See
>>> examples below.
>>>
>>> Allowing this means, for example, that any user on that box could use
>>> nsupdate to modify your zone files. Using keys is much safer.
>>>
>>> If you find that dns updates are not working you will need to enable
>>> named logging and look to see what the problem is. dhcp will return
>>> something like 'dns update times out'.
>>>
>>> named.conf?
>>Named.conf? According to the documentation I have read regarding dhcpd
>>and dns updates these are directives I am using in the dhcpd.conf file.
>>
>>Is this wrong?
>
> Go back and look at your documentation again. named.conf is the file
> used by the named dns daemon that uses and manages zone files.
> dhcpd.conf is the configuration file that dhcpd uses. To do dns updates
> dhcpd talks to named, and named updates the dns. So you need to tell
> named that dhcpd is allowed to send it updates.
>
> Again, I refer you to the dhcpd.conf man page and the section "DYNAMIC
> DNS UPDATE SECURITY" which has examples for configuring named.conf and
> dhcpd.conf to allow dns updates.
>
> regards,
> -glenn
>>
>>>> #### DNS Zone Definitions ####
>>>> zone "test.com" {
>>>>     type master;
>>>>     file "mmctest.zone";
>>>       allow-update { localhost; };
>>>> };
>>>> zone "xxx.xxx.xxx.xxx.in-addr.arpa" {
>>>>     type master;
>>>>     file "test.zone";
>>>       allow-update { localhost; };
>>>> };
>>>
>>>
>>> dhcpd.conf?
>>>> zone test {
>>>>     primary 127.0.0.1;
>>>> }
>>>> zone xxx.xxx.xxx.xxx.in-addr.arpa {
>>>>     primary 127.0.0.1;
>>>> }
>>>
>>> regards,
>>> -glenn
>>>> Glenn Satchell wrote:
>>>>> Hi Jason
>>>>>
>>>>> Check the dhcpd.conf man page (man dhcpd.conf) and scroll down to the
>>>>> section titled "DYNAMIC DNS UPDATE SECURITY" and follow the examples
>>>>> there.
>>>>>
>>>>> You need to generate your passphrase using dnssec-keygen, you can't
>>>>> just pick an arbitrary group of letters as it is base64 encoded.
>>>>>
>>>>> Also dhcpd.conf configuration is not the same as named.conf, for
>>>>> example quotes are used differently. The reference above has examples
>>>>> for both named.conf and dhcpd.conf.
>>>>>
>>>>> regards,
>>>>> -glenn
>>>>>
>>>>>
>>>>>> Date: Mon, 22 Sep 2008 07:35:33 -0600
>>>>>> From: Jason Gerfen <jason.gerfen at scl.utah.edu>
>>>>>> To: dhcp-users at isc.org
>>>>>> Subject: Feature questions
>>>>>>
>>>>>> I have read the documentation regarding the use of DNSSEC and also
>>>>>> utilizing DNS zone files within the dhcpd.conf. I am in need of a
>>>>>> 'second set of eyes' in regards to my current configuration for these
>>>>>> options as well as for the failover configuration syntax.
>>>>>>
>>>>>> If anyone could assist me with this I would appreciate it.
>>>>>>
>>>>>> #### DNSSEC Key Definitions ####
>>>>>> key test {
>>>>>>     algorithm DSA;
>>>>>>     secret passphrase;
>>>>>> }
>>>>>>
>>>>>> #### DNS Zone Definitions ####
>>>>>> zone "scl.utah.edu" {
>>>>>>     type master;
>>>>>>     file "mmctest.zone";
>>>>>>     allow-update { key test; };
>>>>>> };
>>>>>> zone "145.17.97.155.in-addr.arpa" {
>>>>>>     type master;
>>>>>>     file "mmctest.zone";
>>>>>>     allow-update { key test; };
>>>>>> };
>>>>>> zone scl.utah.edu {
>>>>>>     primary 127.0.0.1;
>>>>>>     key test;
>>>>>> }
>>>>>> zone 145.17.97.155.in-addr.arpa {
>>>>>>     primary 127.0.0.1;
>>>>>>     key test;
>>>>>> }
>>>>>>
>>>>>> #### Failover configuration ####
>>>>>> failover peer "tyr" {
>>>>>>     primary;
>>>>>>     address 155.97.17.166;
>>>>>>     port 519;
>>>>>>     peer address 155.97.16.253;
>>>>>>     peer port 520;
>>>>>>     max-response-delay 60;
>>>>>>     max-unpacked-updates 10;
>>>>>>     mclt 300;
>>>>>>     split 128;
>>>>>>     load balance max seconds 3;
>>>>>> }
>>>>>>
>>>>>> The reason I am asking is because with this configuration (which looks
>>>>>> accurate according to the RFC documentation I have read) I receive some
>>>>>> errors when restarting the dhcpd service. Details below:
>>>>>>
>>>>>> dhcpd.conf line 24: partial base64 value left over: 14.
>>>>>>        secret passphrase;
>>>>>>
>>>>>> dhcpd.conf line 28: expecting hostname.
>>>>>> zone "scl.utah.edu"
>>>>>>
>>>>>> dhcpd.conf line 32: expecting a parameter or declaration
>>>>>> };
>>>>>>
>>>>>> /dhcpd.conf line 33: expecting hostname.
>>>>>> zone "145.17.97.155.in-addr.arpa"
>>>>>>
>>>>>> dhcpd.conf line 37: expecting a parameter or declaration
>>>>>> };
>>>>>>
>>>>>> dhcpd.conf line 55: invalid statement in peer declaration
>>>>>>        max-unpacked-updates
>>>>>>
>>--
>>Jason Gerfen
-- 
Jason Gerfen
jason.gerfen at gmail.com

~ tomorrow ain't promised so we live for today
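
The setup Glenn points at (a TSIG key shared by named and dhcpd, with named accepting updates only when they are signed with that key rather than by source address) and the parse errors Jason hit when named.conf syntax ended up in dhcpd.conf are worked through below. This is an added example, not code from the thread, from ISC DHCP or from BIND. The key name DHCP_UPDATER, the zone names example.org and 0.168.192.in-addr.arpa, the zone file names and the 127.0.0.1 primary are placeholders; the statement layout follows the "DYNAMIC DNS UPDATE SECURITY" section of dhcpd.conf(5), with hmac-md5 as the algorithm used there (newer BIND and ISC DHCP releases also accept hmac-sha256, which is the better choice where both sides support it). The sample fragment fed to the linter is constructed from the mistakes visible in the original post.

```python
"""TSIG key plus matching named.conf / dhcpd.conf fragments for dhcpd -> named
dynamic DNS updates, and a linter for named.conf syntax pasted into dhcpd.conf.

Added example; not code from the thread, ISC DHCP or BIND.  Key name, zone
names, zone file names and the 127.0.0.1 primary are placeholder assumptions.
"""
import base64
import binascii
import re
import secrets


def generate_tsig_secret(nbytes: int = 32) -> str:
    """Random shared secret, base64 encoded (the form dnssec-keygen emits)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def is_valid_secret(secret: str) -> bool:
    """True only for complete, correctly padded base64.  A bare word such as
    'passphrase' fails here for the same reason dhcpd rejects it with
    "partial base64 value left over"."""
    if not secret or len(secret) % 4:
        return False
    try:
        base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def named_conf(key_name, algorithm, secret, zones):
    """zones: {zone name: zone file}.  Updates are accepted only when signed
    with the key, never on the basis of the sender's address."""
    lines = [f"key {key_name} {{", f"    algorithm {algorithm};",
             f'    secret "{secret}";', "};", ""]
    for zone, zfile in zones.items():
        lines += [f'zone "{zone}" {{', "    type master;", f'    file "{zfile}";',
                  f"    allow-update {{ key {key_name}; }};", "};", ""]
    return "\n".join(lines)


def dhcpd_conf(key_name, algorithm, secret, zones, primary="127.0.0.1"):
    """Same key and zones in dhcpd.conf syntax: bare zone names ending in a
    dot, only 'primary' and 'key' inside a zone, no semicolon after '}'."""
    lines = ["ddns-update-style interim;", "",
             f"key {key_name} {{", f"    algorithm {algorithm};",
             f"    secret {secret};", "}", ""]
    for zone in zones:
        lines += [f"zone {zone.rstrip('.')}. {{", f"    primary {primary};",
                  f"    key {key_name};", "}", ""]
    return "\n".join(lines)


NAMED_ONLY = ("type ", "file ", "allow-update")


def lint_dhcpd_fragment(text):
    """Return (line number, problem) for each statement dhcpd would reject."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r'zone\s+"', s):
            problems.append((n, "dhcpd.conf zone names are bare hostnames, not quoted strings"))
        if s.startswith(NAMED_ONLY):
            problems.append((n, f"'{s.split()[0]}' is a named.conf statement; dhcpd zones take only primary/key"))
        m = re.match(r"algorithm\s+(\S+?);", s)
        if m and not m.group(1).lower().startswith("hmac-"):
            problems.append((n, f"dhcpd TSIG keys use hmac-* algorithms; '{m.group(1)}' is not one"))
        m = re.match(r'secret\s+"?([^";]+)"?;', s)
        if m and not is_valid_secret(m.group(1)):
            problems.append((n, "secret is not base64; generate it with dnssec-keygen"))
        if s.startswith("max-unpacked-updates"):
            problems.append((n, "unknown failover statement; dhcpd.conf(5) calls it max-unacked-updates"))
    return problems


# Constructed sample reproducing the mistakes in the posted config.
POSTED_FRAGMENT = """\
key test {
    algorithm DSA;
    secret passphrase;
}
zone "example.org" {
    type master;
    file "mmctest.zone";
    allow-update { key test; };
};
failover peer "tyr" {
    primary;
    max-unpacked-updates 10;
}
"""

if __name__ == "__main__":
    for n, msg in lint_dhcpd_fragment(POSTED_FRAGMENT):
        print(f"line {n}: {msg}")
    secret = generate_tsig_secret()
    zones = {"example.org": "example.org.db",
             "0.168.192.in-addr.arpa": "192.168.0.rev"}
    print(named_conf("DHCP_UPDATER", "hmac-md5", secret, zones))
    print(dhcpd_conf("DHCP_UPDATER", "hmac-md5", secret, zones))
```

Run it once, paste the first fragment into named.conf and the second into dhcpd.conf, and keep the secret out of world-readable files: because named accepts the update on the strength of the key alone, anyone who can read it can rewrite the zone with nsupdate, which is the same exposure Glenn describes for address-based allow-update, only now tied to file permissions instead of to every local user.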