isc-dhcp-server not updating BIND9 - REFUSED
by eusono from LinuxQuestions.org on (#50CAW)
Hi everyone,
I currently have a single Ubuntu18.04 server that is running both BIND and isc-dhcp-server. Each individual service is running properly -- I can manually add DNS records and resolve them forward and reverse without issue, and DHCP is working correctly. My next step here is to get isc-dhcp-server to do DDNS with BIND so that I can use DNS for DHCP devices, and I can't seem to get this working.
I've followed a few guides, and here's what I have so far.
/etc/bind/ddns.key
-rw-r----- 1 root bind 78 Mar 6 22:15 ddns.key
Code:key DDNS_UPDATE {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "gyM3iUJ8hJJzTdZyXIPaWw==";
};/etc/dhcp/ddns.key
-rw-r----- 1 root root 78 Mar 6 22:14 ddns.key
Code:key DDNS_UPDATE {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "gyM3iUJ8hJJzTdZyXIPaWw==";
};named.conf.options
Code:include "/etc/bind/ddns.key";
// Tells the nameserver who to allow updates from, with what keys
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { DDNS_UPDATE; };
};
options {
directory "/var/cache/bind";
recursion yes; # enables recursive queries
allow-recursion { 172.29.0.0/16; 127.0.0.1; localhost; }; # allows recursive queries from any cleasink.net internal subnet listen-on { 172.29.140.10; 127.0.0.1; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
8.8.8.8;
8.8.4.4;
75.75.75.75;
75.75.76.76;
};
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};named.conf.local file
Code:zone "home.cleasink.net" {
type master;
notify no;
file "/etc/bind/zones/db.home.cleasink.net"; # zone file path
allow-update { key DHCP_UPDATE; };
};
// Reverse Lookup Zones
zone "29.172.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/zones/db.172.29"; # 172.29.0.0/16 subnet
allow-update { key DHCP_UPDATE; };
};dhcpd.conf file
Code:# dhcpd.conf
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# option definitions common to all supported networks...
option domain-name "home.cleasink.net";
option domain-name-servers 172.29.140.10;
ddns-updates on;
ignore client-updates;
update-static-leases on;
ddns-rev-domainname "in-addr.arpa.";
deny client-updates;
do-forward-updates on;
update-optimization off;
update-conflict-detection off;
default-lease-time 600;
max-lease-time 7200;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
include "/etc/dhcp/ddns.key";
# home.cleasink.local DNS Zone
zone home.cleasink.net. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
# 29.172.in-arpa DNS Zone
zone 29.172.in-arpa. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
# Subnet Declarations -- No service provided... just understanding the topology
subnet 172.29.3.0 netmask 255.255.255.0 {
}
subnet 172.29.5.0 netmask 255.255.255.0 {
}
subnet 172.29.120.0 netmask 255.255.255.0 {
}
subnet 172.29.130.0 netmask 255.255.255.0 {
}
subnet 172.29.140.0 netmask 255.255.255.0 {
}
subnet 172.29.160.0 netmask 255.255.255.0 {
}
# IPv4 Scopes
subnet 172.29.3.0 netmask 255.255.255.0 {
range 172.29.3.150 172.29.3.200;
option routers 172.29.3.254;
option broadcast-address 172.29.3.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.5.0 netmask 255.255.255.0 {
range 172.29.5.220 172.29.5.229;
option routers 172.29.5.254;
option broadcast-address 172.29.5.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.120.0 netmask 255.255.255.0 {
range 172.29.120.150 172.29.120.200;
option routers 172.29.120.254;
option broadcast-address 172.29.120.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.130.0 netmask 255.255.255.0 {
range 172.29.130.150 172.29.130.200;
option routers 172.29.130.254;
option broadcast-address 172.29.130.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
# primary 172.29.140.10;
# key DHCP_UPDATER;
}
subnet 172.29.140.0 netmask 255.255.255.0 {
range 172.29.140.150 172.29.140.200;
option routers 172.29.140.254;
option broadcast-address 172.29.140.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.160.0 netmask 255.255.255.0 {
range 172.29.160.150 172.29.160.200;
option routers 172.29.160.254;
option broadcast-address 172.29.160.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
# Hosts with special configurations
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Reservations
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.example.com;
#1G1G
When I join connect a new host to the network, here is the entry in journalctl that I get from dhcpd
Code:Mar 06 22:28:43 srv01 named[7156]: client @0x7fd3c40b84a0 127.0.0.1#58191/key ddns_update: update 'home.cleasink.net/IN' denied
Mar 06 22:28:43 srv01 dhcpd[7111]: Unable to add forward map from AP01-Basement.home.cleasink.net. to 172.29.160.151: REFUSEDIt feels like I must be missing something really stupid here. Can anyone help me out?
I currently have a single Ubuntu18.04 server that is running both BIND and isc-dhcp-server. Each individual service is running properly -- I can manually add DNS records and resolve them forward and reverse without issue, and DHCP is working correctly. My next step here is to get isc-dhcp-server to do DDNS with BIND so that I can use DNS for DHCP devices, and I can't seem to get this working.
I've followed a few guides, and here's what I have so far.
/etc/bind/ddns.key
-rw-r----- 1 root bind 78 Mar 6 22:15 ddns.key
Code:key DDNS_UPDATE {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "gyM3iUJ8hJJzTdZyXIPaWw==";
};/etc/dhcp/ddns.key
-rw-r----- 1 root root 78 Mar 6 22:14 ddns.key
Code:key DDNS_UPDATE {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "gyM3iUJ8hJJzTdZyXIPaWw==";
};named.conf.options
Code:include "/etc/bind/ddns.key";
// Tells the nameserver who to allow updates from, with what keys
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { DDNS_UPDATE; };
};
options {
directory "/var/cache/bind";
recursion yes; # enables recursive queries
allow-recursion { 172.29.0.0/16; 127.0.0.1; localhost; }; # allows recursive queries from any cleasink.net internal subnet listen-on { 172.29.140.10; 127.0.0.1; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
8.8.8.8;
8.8.4.4;
75.75.75.75;
75.75.76.76;
};
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};named.conf.local file
Code:zone "home.cleasink.net" {
type master;
notify no;
file "/etc/bind/zones/db.home.cleasink.net"; # zone file path
allow-update { key DHCP_UPDATE; };
};
// Reverse Lookup Zones
zone "29.172.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/zones/db.172.29"; # 172.29.0.0/16 subnet
allow-update { key DHCP_UPDATE; };
};dhcpd.conf file
Code:# dhcpd.conf
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# option definitions common to all supported networks...
option domain-name "home.cleasink.net";
option domain-name-servers 172.29.140.10;
ddns-updates on;
ignore client-updates;
update-static-leases on;
ddns-rev-domainname "in-addr.arpa.";
deny client-updates;
do-forward-updates on;
update-optimization off;
update-conflict-detection off;
default-lease-time 600;
max-lease-time 7200;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
include "/etc/dhcp/ddns.key";
# home.cleasink.local DNS Zone
zone home.cleasink.net. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
# 29.172.in-arpa DNS Zone
zone 29.172.in-arpa. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
# Subnet Declarations -- No service provided... just understanding the topology
subnet 172.29.3.0 netmask 255.255.255.0 {
}
subnet 172.29.5.0 netmask 255.255.255.0 {
}
subnet 172.29.120.0 netmask 255.255.255.0 {
}
subnet 172.29.130.0 netmask 255.255.255.0 {
}
subnet 172.29.140.0 netmask 255.255.255.0 {
}
subnet 172.29.160.0 netmask 255.255.255.0 {
}
# IPv4 Scopes
subnet 172.29.3.0 netmask 255.255.255.0 {
range 172.29.3.150 172.29.3.200;
option routers 172.29.3.254;
option broadcast-address 172.29.3.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.5.0 netmask 255.255.255.0 {
range 172.29.5.220 172.29.5.229;
option routers 172.29.5.254;
option broadcast-address 172.29.5.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.120.0 netmask 255.255.255.0 {
range 172.29.120.150 172.29.120.200;
option routers 172.29.120.254;
option broadcast-address 172.29.120.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.130.0 netmask 255.255.255.0 {
range 172.29.130.150 172.29.130.200;
option routers 172.29.130.254;
option broadcast-address 172.29.130.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
# primary 172.29.140.10;
# key DHCP_UPDATER;
}
subnet 172.29.140.0 netmask 255.255.255.0 {
range 172.29.140.150 172.29.140.200;
option routers 172.29.140.254;
option broadcast-address 172.29.140.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
subnet 172.29.160.0 netmask 255.255.255.0 {
range 172.29.160.150 172.29.160.200;
option routers 172.29.160.254;
option broadcast-address 172.29.160.255;
ddns-domainname "home.cleasink.net.";
ddns-rev-domainname "in-addr.arpa.";
}
# Hosts with special configurations
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Reservations
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.example.com;
#1G1G
When I join connect a new host to the network, here is the entry in journalctl that I get from dhcpd
Code:Mar 06 22:28:43 srv01 named[7156]: client @0x7fd3c40b84a0 127.0.0.1#58191/key ddns_update: update 'home.cleasink.net/IN' denied
Mar 06 22:28:43 srv01 dhcpd[7111]: Unable to add forward map from AP01-Basement.home.cleasink.net. to 172.29.160.151: REFUSEDIt feels like I must be missing something really stupid here. Can anyone help me out?