DHCP+BIND+DDNS, reverse creation timeout
Glenn Satchell
glenn.satchell at uniq.com.au
Wed Jul 24 07:14:10 UTC 2013
Hi Greg
It's not something like moving the rndc-key definition so that it is
before you include named.conf.local?
Otherwise, there are example configs in the dhcpd.conf man page; scroll
down to the DYNAMIC DNS section. The only difference I can see is that the key
does not have quotes around the value. Though if the forward map is
working then I don't think this would be the problem.
Can you update the zone using nsupdate and the key? This might give you a
better error message.
Another test is to temporarily configure BIND to allow update from the
DHCP server's IP address. This will eliminate the key as a problem. BIND
seems to silently ignore updates which use the wrong key, so double-check
the key is the same in named.conf and dhcpd.conf.
regards,
-glenn
named.conf
---
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
#512 bit key
key "rndc-key" {
On Wed, July 24, 2013 3:39 pm, Greg Sloop <gregs at sloop.net> wrote:
> I'm about to go insane. It's probably an obvious problem, but for the life
> of me, I can't find it.
>
> I'm trying to set up Bind9 + DHCPd + DDNS (forward and reverse).
> I've got DHCP working for multiple subnets etc., and doing BIND DDNS
> updates, at least for forward records.
>
> I get the following in the logs:
> ---
> Jul 23 20:17:17 dns-dhcp-01 dhcpd: Added new forward map from
> ABCD-R61.somedom.local to 10.1.0.221
> Jul 23 20:17:18 dns-dhcp-01 dhcpd: unable to add reverse map from
> 221.0.1.10.in-addr.arpa. to ABCD-R61.somedom.local: timed out
> ---
>
> Turning up the verbosity level in BIND to debug doesn't produce anything
> useful I can find. The DHCP logs don't shed any more light on things
> either.
> [Perhaps it does produce useful stuff but, if so, I can not find it.]
>
> Here's the environment.
> Ubuntu 12.04 [Running in a VM, with the eth interface bridged - though it
> shouldn't matter, it's VirtualBox]
> DHCPd 4.1-R4
> BIND 9.8.1-P1
> Both standard Ubuntu packages, installed from the Ubuntu repositories.
>
> Here are my configs:
> ---
> /etc/bind/named.conf.local
> ---
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> acl "local-nets" {
> 10.1.0.0/22;
> };
>
> acl "dns-dhcp-servers" {
> 10.1.0.5; 10.1.0.6;
> };
>
> zone "somedom.local" {
> type master;
> file "/var/lib/bind/somedom.local.hosts";
> // update-policy { grant rndc-key zonesub ANY; };
> allow-update { key rndc-key; };
> };
>
> zone "0.1.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/10.1.0.rev";
> //update-policy { grant rndc-key zonesub ANY; };
> allow-update { key rndc-key; };
> allow-query { any; };
> };
>
> zone "1.1.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/10.1.1.rev";
> //update-policy { grant rndc-key zonesub ANY; };
> allow-update { key rndc-key; };
> };
>
> zone "2.1.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/10.1.2.rev";
> //update-policy { grant rndc-key zonesub ANY; };
> allow-update { key rndc-key; };
> };
>
> logging {
> channel default_file {
> file "/var/log/named/default.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel general_file {
> file "/var/log/named/general.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel database_file {
> file "/var/log/named/database.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel security_file {
> file "/var/log/named/security.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel config_file {
> file "/var/log/named/config.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel resolver_file {
> file "/var/log/named/resolver.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel xfer-in_file {
> file "/var/log/named/xfer-in.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel xfer-out_file {
> file "/var/log/named/xfer-out.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel notify_file {
> file "/var/log/named/notify.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel client_file {
> file "/var/log/named/client.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel unmatched_file {
> file "/var/log/named/unmatched.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel queries_file {
> file "/var/log/named/queries.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel network_file {
> file "/var/log/named/network.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel update_file {
> file "/var/log/named/update.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel dispatch_file {
> file "/var/log/named/dispatch.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel dnssec_file {
> file "/var/log/named/dnssec.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
> channel lame-servers_file {
> file "/var/log/named/lame-servers.log" versions 3 size 5m;
> //severity dynamic;
> severity debug 3;
> print-time yes;
> };
>
> category default { default_file; };
> category general { general_file; };
> category database { database_file; };
> category security { security_file; };
> category config { config_file; };
> category resolver { resolver_file; };
> category xfer-in { xfer-in_file; };
> category xfer-out { xfer-out_file; };
> category notify { notify_file; };
> category client { client_file; };
> category unmatched { unmatched_file; };
> category queries { queries_file; };
> category network { network_file; };
> category update { update_file; };
> category dispatch { dispatch_file; };
> category dnssec { dnssec_file; };
> category lame-servers { lame-servers_file; };
> };
>
> ---
> The zone file for the problem zone above. [There are three zones, but I'm
> having the problem in this zone. I haven't tested the others, but if I get
> this zone working, I'm sure the others will work too. So I'll just give
> this one zone.]
> *** /var/lib/bind/10.1.0.rev
> ---
> ;#/var/lib/bind/10.1.0.rev
> $ttl 38400
> 0.1.10.in-addr.arpa. IN SOA dns-dhcp-01. root.somedom.com. (
> 2013072301 ;serial
> 10800 ;slave-refresh, 3h
> 3600 ;slave-retry, update, 1h
> 604800 ;slave-expire, 7d
> 120 ;minimum [negative response TTL], 2m
> )
> 0.1.10.in-addr.arpa. IN NS dns-dhcp-01.somedom.local.
> 0.1.10.in-addr.arpa. IN NS dns-dhcp-02.somedom.local.
>
> ---
>
> *** The DHCPd.conf file
> ---
> authoritative;
>
> key "rndc-key" {
> algorithm hmac-md5;
> secret "SOMESECRET";
> };
>
> ddns-update-style interim;
> ddns-domainname "somedom.local";
>
> log-facility local7;
> log debug;
>
> option time-offset -18000; # Pacific Standard Time
> one-lease-per-client off;
>
> use-host-decl-names on;
> option ntp-servers time.somedom.local;
> option time-servers time.somedom.local;
> option domain-name-servers 10.1.0.5, 10.1.0.6;
> option domain-name "somedom.local";
> option netbios-name-servers 10.1.0.17;
> option routers 10.1.0.190;
>
> #1h lease
> default-lease-time 3600;
> max-lease-time 3600;
> option ip-forwarding off;
>
> zone somedom.local. {
> primary 10.1.0.5;
> key rndc-key;
> }
>
> zone 0.1.10.in-addr.arpa. {
> primary 10.1.0.5;
> key rndc-key;
> }
>
> zone 1.1.10.in-addr.arpa. {
> primary 10.1.0.5;
> key rndc-key;
> }
>
> zone 2.1.10.in-addr.arpa. {
> primary 10.1.0.5;
> key rndc-key;
> }
>
> # Subnet for internal hosts
> subnet 10.1.0.0 netmask 255.255.255.0 {
> option routers 10.1.0.190;
> option subnet-mask 255.255.255.0;
>
> # block unknowns for .60 - .113
> pool {
> range 10.1.0.60 10.1.0.113;
> allow unknown-clients;
> }
> # block unknowns for 10.1.0.114 - .115
> pool {
> range 10.1.0.114 10.1.0.114;
> deny unknown-clients;
> }
> # allow unknowns for 10.1.0.115 - .153
> pool {
> range 10.1.0.115 10.1.0.153;
> allow unknown-clients;
> }
> # block unknowns for 10.1.0.154 - .194
> pool {
> range 10.1.0.154 10.1.0.194;
> deny unknown-clients;
> }
> # allow unknowns for 10.1.0.195 - .222
> pool {
> range 10.1.0.195 10.1.0.222;
> allow unknown-clients;
> }
> # block unknowns for 10.1.0.223 - .254
> pool {
> range 10.1.0.223 10.1.0.254;
> deny unknown-clients;
> }
> }
>
> subnet 10.1.1.0 netmask 255.255.255.0 {
> option routers 10.1.1.1;
> option subnet-mask 255.255.255.0;
> pool {
> #failover peer "dhcp-failover";
> max-lease-time 14400;
> range 10.1.1.21 10.1.1.240;
> allow unknown-clients;
> }
> }
>
> subnet 10.1.2.0 netmask 255.255.255.0 {
> option routers 10.1.2.1;
> option subnet-mask 255.255.255.0;
> pool {
> #failover peer "dhcp-failover";
> max-lease-time 14400;
> range 10.1.2.50 10.1.2.250;
> allow unknown-clients;
> }
> }
>
>
> ---
> named.conf
> ---
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> #512 bit key
> key "rndc-key" {
> algorithm hmac-md5;
> secret "SOMESECRET";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
>
> inet 10.1.0.5 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
> ---
>
> To keep the clutter down, I won't give any more config files.
> But syntax checks of both the BIND and DHCPd config files are clean, and
> both BIND and DHCPd appear to load and run fine.
> The only problem I have is the failed [timed out] problem for creating the
> PTR record for the reverse.
>
> I've spent hours on this, looking at the docs, examples, google-foo, and
> more.
> I'm quite sure it's something stupid, but as I said above, I can't find it
> and I'm desperate!
>
> TIA
> -Greg
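Glenn's two suggestions above (send the same PTR update from nsupdate with the same TSIG key so named's actual reply is visible, and compare the key secret in named.conf and dhcpd.conf) as an added shell example; this is not code from the thread or from ISC. The key file path /etc/bind/rndc.key, the 3600 s TTL and the assumption that key blocks are written one statement per line (as in Greg's configs) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the PTR update that
# dhcpd reports as "timed out", but from nsupdate with the same TSIG key, so
# named's real response (NOTAUTH/BADKEY, REFUSED, SERVFAIL) becomes visible.
# Assumptions: the key file path and the 3600 s TTL are mine, not Greg's.

# Dotted IPv4 address -> in-addr.arpa owner name (10.1.0.221 -> 221.0.1.10.in-addr.arpa.)
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# The /24 reverse zone the PTR lives in (10.1.0.221 -> 0.1.10.in-addr.arpa.)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# Build the nsupdate batch: primary server, explicit zone, one PTR add, send.
ptr_update_script() {
    ttl=${4:-3600}
    printf 'server %s\nzone %s\nupdate add %s %s IN PTR %s\nsend\n' \
        "$1" "$(reverse_zone "$2")" "$(reverse_name "$2")" "$ttl" "$3"
}

# Print the secret of key $2 from a named.conf- or dhcpd.conf-style file $1
# (one statement per line, as in the posted configs), so both copies can be
# compared byte for byte; a wrong key gives little feedback from named.
key_secret() {
    awk -v name="$2" '
        $1 == "key" && ($2 == "\"" name "\"" || $2 == name) { inkey = 1 }
        inkey && $1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }
        inkey && /}/ { inkey = 0 }' "$1"
}

# Run the update with -d so the reply (including any TSIG error) is printed.
# Usage: run_ptr_update 10.1.0.5 10.1.0.221 ABCD-R61.somedom.local.
run_ptr_update() {
    ptr_update_script "$@" | nsupdate -d -k "${KEYFILE:-/etc/bind/rndc.key}"
}
```

Once the nsupdate run succeeds with the key, the same key in dhcpd.conf should work too; if it fails, the printed rcode says whether it is the key (NOTAUTH/BADKEY), the zone's allow-update (REFUSED), or something else.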