I'm trying to update a name using nsupdate executed from within the name server itself, but I receive the error message:
; TSIG error with server: tsig indicates error
I created a key with dnssec-keygen -a hmac-md5 -b 512 -n HOST -r /dev/urandom dyn.mydomain.com. and copied the secret into named.conf. My named.conf is as follows:
key "dyn.mydomain.com." {
    algorithm hmac-md5;
    secret "T2DjtGkGAzPAVrL6zar9GpxjNQ1iOjJzWKhPsF5gu0xQbaONhK7ZmC0n WKatgbGEHqla1uoxG3FdktQPolMIjQ==";
};
zone "dyn.mydomain.com." {
    type master;
    file "/var/cache/bind/dyn.mydomain.com.hosts";
    allow-update {
        key "dyn.mydomain.com.";
    };
};
The file dyn.mydomain.com.hosts looks as follows:
$ORIGIN .
$TTL 8400 ; 2 hours 20 minutes
dyn.mydomain.com IN SOA ns. root. (
        2007072513 ; serial
        7200 ; refresh (2 hours)
        900 ; retry (15 minutes)
        1857600 ; expire (3 weeks 12 hours)
        8400 ; minimum (2 hours 20 minutes)
        )
    NS ns.dyn.mydomain.com.
$ORIGIN dyn.mydomain.com.
ns A [ip of this name server]
$TTL 60 ; 1 minute
I restart bind9, then use:
nsupdate -v -d -k /etc/bind/Kdyn.mydomain.com.+157+53489.private
> server localhost
> zone dyn.mydomain.com
> update add test.dyn.mydomain.com IN A 80.80.80.80
> send
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 50553
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;dyn.mydomain.com. IN SOA
;; UPDATE SECTION:
test.dyn.mydomain.com. 60 IN A 80.80.80.80
;; TSIG PSEUDOSECTION:
dyn.mydomain.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1325777156 300 16 5k3AkgLuCziNKtaeb39MRE== 50553 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 50553
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
dyn.mydomain.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1325777156 300 0 50553 BADKEY 0
What can be the reason?
Detecting the errors and error sources with nsupdate
BIND is very strict about syntax and configuration and does not forgive a missing dot. The more complex the setup, the harder troubleshooting becomes. nsupdate itself can already report a number of distinct errors. This section covers the ways and means of narrowing down and eliminating them.
Normally, a successful send in nsupdate prints nothing at all.
NOTAUTH(BADKEY)
If you get an output like
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
then most of the time the cause is a faulty key or a wrong reference to the key. This happens, for example, when an incorrect key name or the wrong algorithm was given with the key command or the -k option.
An equivalent log message in /var/log/messages, /var/bind/security_info.log or journalctl looks like this:
22-Feb-2018 11:55:03.991 error: client 178.25.30.4#56421: request has invalid signature: TSIG ddns.example.org: tsig verify failure (BADKEY)
update failed: NOTAUTH
NOTAUTH alone means "not authoritative": the update was sent to a server that is not authoritative for the zone, e.g. an attempt to change the local caching DNS. This happens quite easily and unintentionally with a more extensive BIND configuration that uses views, for example. The most common case is simply landing in the wrong view; adjusting the internal view may help here.
update failed: REFUSED
Receiving the following error message from nsupdate after a send indicates either a misconfiguration of the parameters of the update-policy option in the configuration file /etc/named.conf or /etc/bind/named.conf.local, or an incorrect specification within nsupdate of the DNS records being changed.
The log message is then usually as follows:
26-Feb-2018 17:58:14.244 info: client 178.174.206.155#39513/key ddns.example.org: updating zone 'example.org/IN': update failed: rejected by secure update (REFUSED)
req_response: request 0x74c62008: unexpected error
This is the case already mentioned elsewhere: once a zone has been updated dynamically, BIND creates a .jnl file next to the zone file. As soon as the zone file itself is then edited (even if only the serial number changes), this error occurs. The only remedy is to delete the .jnl file, give the zone file a new serial number and restart BIND.
Procedure for troubleshooting
Most of the time, nsupdate will first report ; Communication with server failed: timed out. This can have many causes, including a firewall denying the connection to the BIND server. So the first step is to check the open ports on the server:
# nmap dns.example.org
Starting Nmap 6.47 at 2018-02-27 09:43 CET
Nmap scan report for dns.example.org (178.65.12.2)
Host is up (0.038s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp closed http
443/tcp closed https
3128/tcp closed squid-http
Nmap done: 1 IP address (1 host up) scanned in 21.43 seconds
With the port scanner nmap you can very easily see which ports are open, and in particular whether port 53 is.
nsupdate itself also offers ways to get more informative output. For example, the options -v and -L 3 switch on verbose output and debug level 3. In addition, show displays the current message, which contains all prerequisites and updates since the last send, while answer displays the last answer received.
# nsupdate -v -L 3 -k /etc/ssl/Kdyndns.example.org.+163+46242.private
27-Feb-2018 18:36:48.223 dns_requestmgr_create
27-Feb-2018 18:36:48.224 dns_requestmgr_create: 0x74d05f08
> server ns.example.org
> zone example.org
> update delete dyndns.example.org
> update add dndns.example.org 18000 A 84.189.213.55
> send
27-Feb-2018 18:37:28.194 dns_request_createvia
27-Feb-2018 18:37:28.194 request_render
27-Feb-2018 18:37:28.194 requestmgr_attach: 0x74d05f08: eref 1 iref 1
27-Feb-2018 18:37:28.194 mgr_gethash
27-Feb-2018 18:37:28.195 dns_request_createvia: request 0x74c48008
27-Feb-2018 18:37:28.230 req_connected: request 0x74c48008
27-Feb-2018 18:37:28.230 req_send: request 0x74c48008
27-Feb-2018 18:37:28.231 req_senddone: request 0x74c48008
27-Feb-2018 18:37:28.266 req_response: request 0x74c48008: unexpected error
27-Feb-2018 18:37:28.266 req_cancel: request 0x74c48008
27-Feb-2018 18:37:28.266 req_sendevent: request 0x74c48008
; Communication with server failed: unexpected error
27-Feb-2018 18:37:28.266 dns_request_destroy: request 0x74c48008
27-Feb-2018 18:37:28.266 req_destroy: request 0x74c48008
27-Feb-2018 18:37:28.266 requestmgr_detach: 0x74d05f08: eref 1 iref 0
Network traffic sniffing
Reading the network traffic on both the client's Ethernet interface and the BIND server's also helps to isolate the error. Here
tcpdump -vvveni eth0 port 53
listens on eth0 and filters out all packets except DNS traffic on port 53. With -vvv you get an extremely detailed output, -n displays IP addresses and port numbers instead of names, and -e displays the Ethernet addresses as well.
hortimech wrote:
When you are changing between dns servers, are you running 'samba_upgradedns' and if you are, are you running it correctly? Add '--help' to the command to see the various options.
samba_upgradedns --dns-backend=BIND9_DLZ
hortimech wrote:
Your version of Bind9 should be okay, there was a problem, but it was fixed in 4.12.x
Thank you.
hortimech wrote:
You could try using '--use-samba-tool' with your 'samba_dnsupdate' command.
I attached the output; it's different with --use-samba-tool:
----------------------------------------------------------------
# samba_dnsupdate --verbose --all-names --use-samba-tool
IPs: ['192.168.178.204']
force update: A dc1.intranet.example.com 192.168.178.204
force update: CNAME 085a9ea9-7f3a-4048-88ee-db948fa2975f._msdcs.intranet.example.com dc1.intranet.example.com
force update: NS intranet.example.com dc1.intranet.example.com
force update: NS _msdcs.intranet.example.com dc1.intranet.example.com
force update: A intranet.example.com 192.168.178.204
force update: SRV _ldap._tcp.intranet.example.com dc1.intranet.example.com 389
force update: SRV _ldap._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
force update: SRV _ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains._msdcs.intranet.example.com dc1.intranet.example.com 389
force update: SRV _kerberos._tcp.intranet.example.com dc1.intranet.example.com 88
force update: SRV _kerberos._udp.intranet.example.com dc1.intranet.example.com 88
force update: SRV _kerberos._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
force update: SRV _kpasswd._tcp.intranet.example.com dc1.intranet.example.com 464
force update: SRV _kpasswd._udp.intranet.example.com dc1.intranet.example.com 464
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
force update: SRV _ldap._tcp.pdc._msdcs.intranet.example.com dc1.intranet.example.com 389
force update: A gc._msdcs.intranet.example.com 192.168.178.204
force update: SRV _gc._tcp.intranet.example.com dc1.intranet.example.com 3268
force update: SRV _ldap._tcp.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
force update: A DomainDnsZones.intranet.example.com 192.168.178.204
force update: SRV _ldap._tcp.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
force update: A ForestDnsZones.intranet.example.com 192.168.178.204
force update: SRV _ldap._tcp.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.intranet.example.com as dc1$
update (samba-tool): A dc1.intranet.example.com 192.168.178.204
Calling samba-tool dns for A dc1.intranet.example.com 192.168.178.204 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', 'dc1', 'A', '192.168.178.204']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[dc1]
Failed 'samba-tool dns' based update of A dc1.intranet.example.com 192.168.178.204
update (samba-tool): CNAME 085a9ea9-7f3a-4048-88ee-db948fa2975f._msdcs.intranet.example.com dc1.intranet.example.com
Calling samba-tool dns for CNAME 085a9ea9-7f3a-4048-88ee-db948fa2975f._msdcs.intranet.example.com dc1.intranet.example.com (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '085a9ea9-7f3a-4048-88ee-db948fa2975f', 'CNAME', 'dc1.intranet.example.com']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[085a9ea9-7f3a-4048-88ee-db948fa2975f]
Failed 'samba-tool dns' based update of CNAME 085a9ea9-7f3a-4048-88ee-db948fa2975f._msdcs.intranet.example.com dc1.intranet.example.com
update (samba-tool): NS intranet.example.com dc1.intranet.example.com
Calling samba-tool dns for NS intranet.example.com dc1.intranet.example.com (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '@', 'NS', 'dc1.intranet.example.com']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[@]
Failed 'samba-tool dns' based update of NS intranet.example.com dc1.intranet.example.com
update (samba-tool): NS _msdcs.intranet.example.com dc1.intranet.example.com
Calling samba-tool dns for NS _msdcs.intranet.example.com dc1.intranet.example.com (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '@', 'NS', 'dc1.intranet.example.com']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[@]
Failed 'samba-tool dns' based update of NS _msdcs.intranet.example.com dc1.intranet.example.com
update (samba-tool): A intranet.example.com 192.168.178.204
Calling samba-tool dns for A intranet.example.com 192.168.178.204 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '@', 'A', '192.168.178.204']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[@]
Failed 'samba-tool dns' based update of A intranet.example.com 192.168.178.204
update (samba-tool): SRV _ldap._tcp.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _ldap._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.dc', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.dc]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains._msdcs.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains._msdcs.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.191857a8-808d-4410-b65e-64a0ff5b9386.domains._msdcs.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _kerberos._tcp.intranet.example.com dc1.intranet.example.com 88
Calling samba-tool dns for SRV _kerberos._tcp.intranet.example.com dc1.intranet.example.com 88 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_kerberos._tcp', 'SRV', 'dc1.intranet.example.com 88 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_kerberos._tcp]
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.intranet.example.com dc1.intranet.example.com 88
update (samba-tool): SRV _kerberos._udp.intranet.example.com dc1.intranet.example.com 88
Calling samba-tool dns for SRV _kerberos._udp.intranet.example.com dc1.intranet.example.com 88 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_kerberos._udp', 'SRV', 'dc1.intranet.example.com 88 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_kerberos._udp]
Failed 'samba-tool dns' based update of SRV _kerberos._udp.intranet.example.com dc1.intranet.example.com 88
update (samba-tool): SRV _kerberos._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
Calling samba-tool dns for SRV _kerberos._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 88 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_kerberos._tcp.dc', 'SRV', 'dc1.intranet.example.com 88 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_kerberos._tcp.dc]
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
update (samba-tool): SRV _kpasswd._tcp.intranet.example.com dc1.intranet.example.com 464
Calling samba-tool dns for SRV _kpasswd._tcp.intranet.example.com dc1.intranet.example.com 464 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_kpasswd._tcp', 'SRV', 'dc1.intranet.example.com 464 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_kpasswd._tcp]
Failed 'samba-tool dns' based update of SRV _kpasswd._tcp.intranet.example.com dc1.intranet.example.com 464
update (samba-tool): SRV _kpasswd._udp.intranet.example.com dc1.intranet.example.com 464
Calling samba-tool dns for SRV _kpasswd._udp.intranet.example.com dc1.intranet.example.com 464 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_kpasswd._udp', 'SRV', 'dc1.intranet.example.com 464 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_kpasswd._udp]
Failed 'samba-tool dns' based update of SRV _kpasswd._udp.intranet.example.com dc1.intranet.example.com 464
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp.Default-First-Site-Name._sites', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp.Default-First-Site-Name._sites]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.Default-First-Site-Name._sites.dc]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 88 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_kerberos._tcp.Default-First-Site-Name._sites', 'SRV', 'dc1.intranet.example.com 88 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_kerberos._tcp.Default-First-Site-Name._sites]
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 88
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 88 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_kerberos._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc1.intranet.example.com 88 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_kerberos._tcp.Default-First-Site-Name._sites.dc]
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.intranet.example.com dc1.intranet.example.com 88
update (samba-tool): SRV _ldap._tcp.pdc._msdcs.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.pdc._msdcs.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.pdc', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.pdc]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.pdc._msdcs.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): A gc._msdcs.intranet.example.com 192.168.178.204
Calling samba-tool dns for A gc._msdcs.intranet.example.com 192.168.178.204 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', 'gc', 'A', '192.168.178.204']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[gc]
Failed 'samba-tool dns' based update of A gc._msdcs.intranet.example.com 192.168.178.204
update (samba-tool): SRV _gc._tcp.intranet.example.com dc1.intranet.example.com 3268
Calling samba-tool dns for SRV _gc._tcp.intranet.example.com dc1.intranet.example.com 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_gc._tcp', 'SRV', 'dc1.intranet.example.com 3268 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_gc._tcp]
Failed 'samba-tool dns' based update of SRV _gc._tcp.intranet.example.com dc1.intranet.example.com 3268
update (samba-tool): SRV _ldap._tcp.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
Calling samba-tool dns for SRV _ldap._tcp.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.gc', 'SRV', 'dc1.intranet.example.com 3268 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.gc]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
update (samba-tool): SRV _gc._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 3268
Calling samba-tool dns for SRV _gc._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_gc._tcp.Default-First-Site-Name._sites', 'SRV', 'dc1.intranet.example.com 3268 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_gc._tcp.Default-First-Site-Name._sites]
Failed 'samba-tool dns' based update of SRV _gc._tcp.Default-First-Site-Name._sites.intranet.example.com dc1.intranet.example.com 3268
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', '_msdcs.intranet.example.com', '_ldap._tcp.Default-First-Site-Name._sites.gc', 'SRV', 'dc1.intranet.example.com 3268 0 100']
ERROR: Record already exist; record could not be added. zone[_msdcs.intranet.example.com] name[_ldap._tcp.Default-First-Site-Name._sites.gc]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.intranet.example.com dc1.intranet.example.com 3268
update (samba-tool): A DomainDnsZones.intranet.example.com 192.168.178.204
Calling samba-tool dns for A DomainDnsZones.intranet.example.com 192.168.178.204 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', 'DomainDnsZones', 'A', '192.168.178.204']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[DomainDnsZones]
Failed 'samba-tool dns' based update of A DomainDnsZones.intranet.example.com 192.168.178.204
update (samba-tool): SRV _ldap._tcp.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp.DomainDnsZones', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp.DomainDnsZones]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): A ForestDnsZones.intranet.example.com 192.168.178.204
Calling samba-tool dns for A ForestDnsZones.intranet.example.com 192.168.178.204 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', 'ForestDnsZones', 'A', '192.168.178.204']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[ForestDnsZones]
Failed 'samba-tool dns' based update of A ForestDnsZones.intranet.example.com 192.168.178.204
update (samba-tool): SRV _ldap._tcp.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp.ForestDnsZones', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp.ForestDnsZones]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389 (add)
Calling samba-tool dns add -k no -P ['192.168.178.204', 'intranet.example.com', '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones', 'SRV', 'dc1.intranet.example.com 389 0 100']
ERROR: Record already exist; record could not be added. zone[intranet.example.com] name[_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones]
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.intranet.example.com dc1.intranet.example.com 389
Failed update of 29 entries
Dynamic DNS and DHCP — Easy to do, and you’ll thank yourself later
This article will cover how to set up DNS with dynamic updates, as well as how to configure your DHCP server to push updates to it.
I assume you already know how to set up plain old DNS as well as plain old DHCP; this is not an introduction to either of those. I used BIND 9 and ISC DHCPD v3 for this article.
If there’s anything this article doesn’t cover with respect to what you are looking for, leave a comment and I’ll do what I can.
What is Dynamic DNS?
Dynamic DNS is the means of pushing new records into your DNS server while it is running, without having to edit any zone files. It is quite often coupled with DHCP to provide dynamic network services, so that hostnames follow the appropriate machines around.
Dynamic DNS
Setting up dynamic DNS is pretty straightforward. To do it securely, you first need to create a secret key. This secret key will be used to authenticate our DNS update clients to the DNS server. Luckily for us, there's a tool that'll do that for us.
Create a dnssec key
That tool is called dnssec-keygen. Don't feel like reading the manpage? Fine. dnssec-keygen is a tool to create DNSSEC keys, much like ssh-keygen creates SSH keys. Pick a name for your key; it can be any name. I usually name it appropriately. For this example, I will call our key dhcpupdate.
Create the key as such:
This will create a 128-bit HMAC-MD5 key file called dhcpupdate.
The output is the file prefix. If you do ls Kdhcpupdate* you will see two files. The .key file is most useful, in my opinion. Looking at the .key file:
No, that is not the key I use. No, you shouldn’t use that key for your server 😉
The last token in that file is the key (N8Hk…). Keep that secret. Forever.
named.conf changes
The updates to named.conf are pretty straightforward. For every zone you want to allow dynamic updates (for this specific key), you need to add an allow-update section. First, you’ll want to add a key section. The following goes in the global portion of your named.conf :
Simple enough. Just remember that it goes in quotes!
Next, we need to add allow-update entries to all zones we would like to update. Let’s say I have two zones:
In my named.conf, I’ll want to add the following to those zone declarations:
That’s all we have to do. Restart named and you should be able to push updates dynamically to the dns server.
Testing with nsupdate
nsupdate is the tool we’ll be using to test if we have setup the server correctly. nsupdate takes commands like nslookup does, if run without arguments:
The following commands are good to know:
- server [server address] Sets the target server for who to send updates
- key [keyname] [secret] Tell nsupdate what your key is
- zone [zonename] Explicitly choose a zone to send updates for. If unspecified, nsupdate will guess.
- update [. ] Request an update to record
- send Send updates
- show Show updates that haven’t been sent
update will not update the dns server automatically. It will queue the update request until you tell nsupdate to send .
For this example, my dns server is dns.home :
If all goes well, there will be nothing printed after you type send . Let’s check that we’ve added it!
You can delete entries from dns with (for example):
However, if something went wrong:
update failed: NOTZONE
The above message means you didn’t specify a hostname the dns server has zone information for. Make sure you’re using a full domain name. That is, do not use happynode. Use happynode.home.
The above message means you are providing the wrong key, or the server is refusing your key for another reason.
The number one cause for this error (for me) is permissions in the directory of your zonefile. Dynamic updates will create a journal file as: /etc/namedb/home/home.jnl (or wherever your zonefile is). If the user named is running as cannot create files in /etc/namedb/home then it will fail. This error should show up as ‘permission denied’ errors in the logs with a reference to what file it is trying to create.
Worst case, run named with a high debug level. Also, don’t reload named, restart named when debugging. Reloading doesn’t reinitialize some things.
DHCPD
A few minor changes are necesary to your dhcpd.conf (isc dhcp3 server). First, in the global portion:
Furthermore, you need to tell dhcpd.conf about the dnssec key and zone information. The following still goes in your dhcpd.conf:
NOTE! Notice that the secret is entered WITHOUT QUOTES. Doing so with quotes is a syntax error. If you see errors about invalid base64 characters, this is likely the reason.
The primary values are the primary dns server entries so dhcpd knows where to send updates. In this case, my primary dns is dns.home . Yours will obviously vary, as your key should vary.
Next, I’ll show you a few different examples.
Источник
Dhcp tsig indicates error
RFC 2845: Secret Key Transaction Authentication for DNS (TSIG) defines a method to authenticate DNS messages that are exchanged between two parties, provided they share a secret in advance.
This is relevant for certain critical DNS messages like zone transfers or dynamic updates, that have the potential of changing the information in the DNS and have thus a strong need to be protected. Of course TSIG does not prevent an attacker from injecting bogus or malicious information in such messages, but it makes it possible to detect the tampering or forgery at the receiver.
Another place where TSIG could be used (but it’s almost never used) is to protect communication between a stub resolver and its recursive DNS server. Furthermore, the Bind DNS server uses TSIG (or something very similar, given that it’s configured in the same way) to authenticate the communications with the rndc control program (usually on TCP port 953).
An important point is that TSIG protects communication between two parties, which makes it not very scalable when the number of communicating servers grows, since a key for each possible pair of communicating servers would be needed (that is, with N servers, a number of keys in the order of N² on each host). However, when only two or a small number of parties are involved, TSIG is a good solution.
Essentially, the two communicating parties must share a secret (that should have been put in place in advance, of course in some secure way). When the shared secret is configured at both ends, it can be used to calculate an HMAC digest of the messages. The sender calculates the HMAC and adds it to the message; the receiver recalculates the HMAC independently and then compares it with the one it received included in the message. If the two values match, it can safely be assumed that the message is coming from the intended sender. (Well, strictly speaking all that can be assumed is that the message comes from some entity that knows the same secret key; if the key is secret as it should be, that means that it must be from the intended partner).
Implementation
In practice, TSIG is implemented as a "meta-RR", meaning that it appears in messages exchanged on the wire, but it does not appear in any zone file (which makes sense, given that it is something that must be calculated on the fly for each message sent). The RR includes, among other things, the name of the key used to calculate the HMAC, the algorithm used (currently only hmac-md5 seems to be supported/used), a timestamp to protect against replay attacks, and the HMAC itself. Note that the presence of a timestamp implies good synchronization between the parties' clocks. The key name can be anything, as long as it matches the name of a key configured at both ends. The RFC suggests using a name that can be easily associated with the pair of servers using the key, like ; in the examples here we will be a bit more liberal.
Some rules to follow are:
- If a TSIG RR is present, then it must be the last RR in the additional section;
- If a request contains a TSIG, the response (if one is to be sent) must be signed, and must be signed with the same key;
- If a request contained a TSIG, that must be included in the data covered by the response HMAC. For the client to be able to verify the response, it must thus store the original request HMAC until the answer is received;
- Forwarding-only servers should pass the TSIG unchanged to their upstream servers. This makes it possible to have end-to-end TSIGs when forwarding servers are present in the path.
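The HMAC computation and the receiver's checks described above, worked through as an added example in pure Python (illustration code, not BIND's or dhcpd's implementation). It signs a constructed UPDATE header plus Zone Section with a sample key named dhcpupdate, whose secret is the throw-away sample key quoted elsewhere on this page (base64 N8Hk2RUFO84bEVl3uGTD2A==, never to be used on a real server), then runs the server-side verification and returns the TSIG error the server would answer with for a wrong secret (BADSIG), an unknown key name (BADKEY), a clock outside the fudge window (BADTIME), a tampered message, and a response whose MAC does not cover the request MAC. The message bytes, key name and timestamp are constructed sample values.

```python
"""TSIG (RFC 2845) signing and verification with the standard library only.

Added example, not code from BIND, dhcpd or any other project. The "DNS message"
is a constructed header plus Zone Section standing in for an UPDATE request; the
key name and timestamp are sample values and the secret is the page's sample key.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."   # algorithm name carried in the TSIG RR
ALGORITHMS = {HMAC_MD5: hashlib.md5, "hmac-sha256.": hashlib.sha256}


@dataclass
class Tsig:
    keyname: str
    algorithm: str
    time_signed: int     # seconds since the epoch, 48 bits on the wire
    fudge: int           # permitted clock skew in seconds
    mac: bytes
    original_id: int     # DNS header ID of the signed message


def canon(name):
    """Canonical key/algorithm name: lower case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """Uncompressed wire form of a domain name, lower-cased as RFC 2845 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields hashed after the message body (RFC 2845 s3.4.2): key name,
    CLASS ANY, TTL 0, algorithm name, 48-bit time, fudge, error, other data."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def compute_mac(secret, algorithm, message, variables, request_mac=b""):
    """HMAC over [length-prefixed request MAC] + unsigned message + TSIG variables.
    The request MAC is only present when signing or checking a response (s3.4.1)."""
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    return hmac.new(secret, data + message + variables, ALGORITHMS[algorithm]).digest()


def sign(message, keyname, secret, algorithm, now, fudge=300, request_mac=b""):
    original_id = struct.unpack("!H", message[:2])[0]
    mac = compute_mac(secret, algorithm, message,
                      tsig_variables(keyname, algorithm, now, fudge), request_mac)
    return Tsig(canon(keyname), algorithm, now, fudge, mac, original_id)


def verify(message, tsig, keyring, now, request_mac=b""):
    """Receiver-side checks in the order RFC 2845 s4.5 prescribes; returns the
    TSIG error name the server would put in its (signed) reply."""
    key = keyring.get(canon(tsig.keyname))
    if key is None or canon(key[0]) != canon(tsig.algorithm):
        return "BADKEY"                    # unknown key name or algorithm
    variables = tsig_variables(tsig.keyname, tsig.algorithm, tsig.time_signed, tsig.fudge)
    expected = compute_mac(key[1], tsig.algorithm, message, variables, request_mac)
    if not hmac.compare_digest(expected, tsig.mac):
        return "BADSIG"                    # wrong secret or tampered message
    if abs(now - tsig.time_signed) > tsig.fudge:
        return "BADTIME"                   # clocks differ by more than the fudge
    return "NOERROR"


def demo():
    """Sign a constructed UPDATE header + Zone Section and exercise each failure mode."""
    message = (struct.pack("!HHHHHH", 0xC5F9, 0x2800, 1, 0, 0, 0)   # opcode UPDATE
               + wire_name("home.") + struct.pack("!HH", 6, 1))     # ZONE: home. IN SOA
    secret = base64.b64decode("N8Hk2RUFO84bEVl3uGTD2A==")          # page's sample key
    keyring = {"dhcpupdate.": (HMAC_MD5, secret)}
    t = 1_325_777_156                                               # sample "time signed"
    req = sign(message, "dhcpupdate", secret, HMAC_MD5, t)
    # A response must be signed with the same key and its MAC covers the request MAC.
    reply = struct.pack("!HHHHHH", 0xC5F9, 0xA800, 0, 0, 0, 0)
    resp = sign(reply, "dhcpupdate", secret, HMAC_MD5, t, request_mac=req.mac)
    return {
        "good": verify(message, req, keyring, t + 10),
        "wrong_secret": verify(message, req, {"dhcpupdate.": (HMAC_MD5, b"other")}, t + 10),
        "unknown_key": verify(message, req, {"other.": (HMAC_MD5, secret)}, t + 10),
        "skewed_clock": verify(message, req, keyring, t + 3600),
        "tampered": verify(message[:-1] + b"\x02", req, keyring, t + 10),
        "response_ok": verify(reply, resp, keyring, t, request_mac=req.mac),
        "response_without_request_mac": verify(reply, resp, keyring, t),
        "mac_length": len(req.mac),
    }
```

The checks run in the order RFC 2845 §4.5 gives them (key, then MAC, then time), which is why a wrong secret is reported as BADSIG even when the clocks also disagree, and why a forged message can at best learn that a key name exists; hmac.compare_digest keeps the MAC comparison constant-time.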
Examples
Resolver queries
Here is an example with dig communicating with a recursive resolver. On the recursive resolver (Bind here), a TSIG key is configured:
The value of the secret key must always be written base64-encoded. In this case, the secret key is "foobar", as anybody can check by feeding the string to "base64 -d". Obviously, it is better to use a stronger secret. One way is to use as described here.
dig allows the key to be specified either in a file or directly on the command line, which is what's shown here for simplicity:
In this case, the TSIG signatures were correct. Here’s what happens if we supply the wrong key and the verification fails:
And in the server’s log:
Zone transfer
For zone transfers, a configuration like the following is used (assuming 10.10.0.10 and 10.10.0.20 are the master and the slave respectively):
Each server is configured to sign messages to its peer, and the two allow-* directives do what their names suggest, i.e. allow the action only if the message is signed with the specified key. So the slave accepts NOTIFY messages only if signed with the key (thus only from the master), and the master allows zone transfer requests only if signed with the key (thus only from the slave).
Dynamic DNS updates
A similar situation occurs when the TSIG key is used to protect dynamic DNS updates, such as when the dhcp server issues a new lease; the dhcp daemon must be configured with the secret key so its updates can be authenticated by the DNS server. Here is an example with ISC dhcpd:
And on the server (Bind):
When client baz gets its configuration via DHCP, the DNS records are created automatically:
DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/18 23:20:37
edit: ugh guys, i give up i don’t understand Linux enough to do this :/ thanks again.
edit2: Ok, i figured it out. Issue was: i couldn’t ping from my servers the desktop clients via DHCP. I just tried to run before i could walk *facepalm*. Basically i just read what i could possibly read about how DyDNS works with DHCP, the basics anyway. Let’s see if it actually updates my files.
*removed the codes as it was just utter horsesh*t, lol, too embarrassed to leave it, sry. *
Re: DHCP and DNS on different machines, can’t make it work
Post by Whoever » 2021/12/19 04:45:54
A couple of notes:
bind doesn’t update the db file until something triggers it — it uses a journal file. Simply adding a host won’t cause it to update the "db" file. Run the following command on the server that runs bind:
Check your logs. Search for "dhcpd" in /var/log/messages on the dhcp server and for "named" in the same file on the bind server.
I believe that this is wrong, but I don’t think it should affect forward name addition and resolution:
You need to fully qualify "DNS".
I don’t know what the «zone» statements are doing in your dhcpd.conf. Your subnet command needs to have something like:
Re: DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/19 09:53:43
It’s the same since December 13th.
and last 200 lines for «named»:
It doesn’t return any error, fqdn or not. I don’t get it, lol.
and lastly, i’ve added these lines in dhcpd.conf
As for the zone statements, i don’t know what to tell you, my trainer told me to do it this way. They’re still there though, should i remove them ?
edit: forgot the trailing dots. Shouldn’t I also include this line ?
Re: DHCP and DNS on different machines, can’t make it work
Post by TrevorH » 2021/12/19 13:41:46
Re: DHCP and DNS on different machines, can’t make it work
Post by Whoever » 2021/12/19 16:36:09
This implies the rndc.key isn’t the same on both machines, or, perhaps, the time is not correct on both machines.
As Trevor suggested, see if you can use nsupdate to update the DNS zone. First do this on the bind server, then, if this works, on the dhcp server.
Re: DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/19 16:46:36
Re: DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/19 16:50:03
This implies the rndc.key isn’t the same on both machines, or, perhaps, the time is not correct on both machines.
As Trevor suggested, see if you can use nsupdate to update the DNS zone. First do this on the bind server, then, if this works, on the dhcp server.
Re: DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/19 18:44:15
Ugh guys, i give up i don’t understand Linux enough to do this :/ thanks again!
You can delete the thread ;_; i’m done.
Re: DHCP and DNS on different machines, can’t make it work
Post by usr456 » 2021/12/20 18:09:17
OMG, i think i did it! YES!
I’ve just been configuring named.conf all wrong. Like, not configuring at ALL, lol!
I just put the named.conf.local back to default. I generated a new rndc.key and this time, properly put it in named.conf and carefully reconfigured dhcpd.conf.
I hadn’t even put the "controls" statement to allow my DHCP server to edit the records.
Well i don’t want to count my chickens yet, but if i can ping from any of my servers to the clients by their hostnames and vice-versa (i couldn’t, which was my main issue to begin with), doesn’t it mean i’m on the right track?
I don’t really understand the difference between named.conf and named.conf.local though.
Re: DHCP and DNS on different machines, can’t make it work
Post by TrevorH » 2021/12/20 19:23:24
Dynamic DNS and DHCP — Easy to do, and you’ll thank yourself later
17 April, 2006
Preface
This article will cover how to set up dns with dynamic updates, as well as configuring your dhcp server to push updates to it.
I assume you already know how to set up plain old dns as well as plain old dhcp. This is not an introduction to either of those. I used BIND 9 and ISC DHCPD v3 for this article.
If there’s anything this article doesn’t cover with respect to what you are looking for, leave a comment and I’ll do what I can.
What is Dynamic DNS?
Dynamic DNS is the means by which to push new records into your dns server while it is running, without having to edit any zone files. It is quite often coupled with dhcp to provide dynamic network services that have hostnames follow the appropriate machines around.
Dynamic DNS
Setting up dynamic dns is pretty straightforward. To do it securely, you need to first create a secret key. This secret key will be used to authenticate our dns update clients with the dns server. Luckily for us, there’s a tool that’ll do that for us.
Create a dnssec key
That tool is called dnssec-keygen. Don’t feel like reading the manpage? Fine. dnssec-keygen is a tool to create dnssec keys, much like ssh-keygen creates ssh keys. Pick a name for your key; it can be any name. I usually name it appropriately. For this example, I will call our key dhcpupdate.
Create the key as such:
% dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate
Kdhcpupdate.+157+14638
This will create a 128-bit HMAC-MD5 keyfile called dhcpupdate.
The output is the file prefix. If you do ls Kdhcpupdate* you will see two files. The .key file is most useful, in my opinion. Looking at the .key file:
dhcpupdate. IN KEY 0 3 157 N8Hk2RUFO84bEVl3uGTD2A==
No, that is not the key I use. No, you shouldn’t use that key for your server.
The last token in that file is the key (N8Hk…). Keep that secret. Forever.
named.conf changes
The updates to named.conf are pretty straightforward. For every zone you want to allow dynamic updates (for this specific key), you need to add an allow-update section. First, you’ll want to add a key section. The following goes in the global portion of your named.conf:
key dhcpupdate {
algorithm hmac-md5;
secret "YOURKEYGOESHERE";
# example:
# secret "N8Hk2RUFO84bEVl3uGTD2A==";
};
Simple enough. Just remember that it goes in quotes!
Next, we need to add allow-update entries to all zones we would like to update. Let’s say I have two zones:
- home
- 0.168.192.in-addr.arpa
In my named.conf, I’ll want to add the following to those zone declarations:
allow-update { key dhcpupdate; };
For example:
zone "home" {
type master;
file "master/db-home";
allow-update { key dhcpupdate; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "master/db-home_rev";
allow-update { key dhcpupdate; };
};
That’s all we have to do. Restart named and you should be able to push updates dynamically to the dns server.
Testing with nsupdate
nsupdate is the tool we’ll be using to test if we have set up the server correctly. nsupdate takes commands like nslookup does, if run without arguments:
% nsupdate
>
The following commands are good to know:
- server [server address]: sets the target server to send updates to
- key [keyname] [secret]: tells nsupdate what your key is
- zone [zonename]: explicitly chooses a zone to send updates for. If unspecified, nsupdate will guess.
- update [...]: requests an update to a record
- send: sends the queued updates
- show: shows updates that haven’t been sent
update will not update the dns server automatically. It queues the update request until you tell nsupdate to send.
For this example, my dns server is dns.home:
% nsupdate
> server dns.home
> key dhcpupdate N8Hk2RUFO84bEVl3uGTD2A==
> zone home
> update add happynode.home. 600 IN A 192.168.0.50
> send
> zone 0.168.192.in-addr.arpa
> update add 50.0.168.192.in-addr.arpa. 600 IN PTR happynode.home.
> send
If all goes well, there will be nothing printed after you type send. Let’s check that we’ve added it!
% host happynode.home
happynode.home has address 192.168.0.50
% host 192.168.0.50
50.0.168.192.in-addr.arpa domain name pointer happynode.home.
You can delete entries from dns with (for example):
update delete happynode.home
However, if something went wrong:
update failed: NOTZONE
The above message means you didn’t specify a hostname the dns server has zone information for. Make sure you’re using a full domain name. That is, do not use happynode. Use happynode.home.
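To make the NOTZONE rule concrete, here is an added example (illustration code, not nsupdate's or BIND's own) that encodes an RFC 2136 UPDATE request for the A and PTR records used in this article and applies the same check the server applies: every owner name in the Update Section must be at or below the zone named in the Zone Section (RFC 2136 §3.4.1), otherwise the response is NOTZONE. The zone names, hostname and address come from the article; the message ID is a constructed constant.

```python
"""Encode an RFC 2136 UPDATE request and apply the zone check behind NOTZONE.

Added example, not code from nsupdate or BIND. Zone, names and address are the
sample values used in this article (home, happynode.home, 192.168.0.50); the
message ID 0x1234 is a constructed constant.
"""
import ipaddress
import struct

A, PTR, SOA, IN = 1, 12, 6, 1   # RR type and class codes used below


def wire_name(name):
    """Uncompressed wire form of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def in_zone(name, zone):
    """True if name is the zone apex or lies beneath it (RFC 2136 s3.4.1)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def build_update(zone, updates, msg_id=0x1234):
    """updates: [(owner, ttl, rtype, rdata)]. Returns (rcode, wire bytes).
    A server refuses a request whose owner is outside the Zone Section zone
    with NOTZONE, so the same check is applied here before encoding."""
    for owner, _, _, _ in updates:
        if not in_zone(owner, zone):
            return "NOTZONE", b""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, len(updates), 0)  # opcode UPDATE
    body = wire_name(zone) + struct.pack("!HH", SOA, IN)                    # Zone Section
    for owner, ttl, rtype, rdata in updates:                               # Update Section
        body += wire_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    return "NOERROR", header + body


def a_rdata(ip):
    """RDATA of an A record: the four address bytes."""
    return ipaddress.IPv4Address(ip).packed


def ptr_rdata(target):
    """RDATA of a PTR record: the target name in wire form."""
    return wire_name(target)


def reverse_name(ip):
    """'192.168.0.50' -> '50.0.168.192.in-addr.arpa'"""
    return ipaddress.IPv4Address(ip).reverse_pointer


def demo():
    host, ip = "happynode.home.", "192.168.0.50"
    forward = build_update("home", [(host, 600, A, a_rdata(ip))])
    # The PTR record sent under the forward zone: refused, its owner is not in "home".
    wrong_zone = build_update("home", [(reverse_name(ip), 600, PTR, ptr_rdata(host))])
    reverse = build_update("0.168.192.in-addr.arpa",
                           [(reverse_name(ip), 600, PTR, ptr_rdata(host))])
    return forward, wrong_zone, reverse
```

demo() shows that a PTR for 50.0.168.192.in-addr.arpa submitted under the forward zone home is refused, so an nsupdate session that has set zone home has to switch zones (or drop the zone statement and let nsupdate guess) before it sends a reverse-zone update.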
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
The above message means you are providing the wrong key, or the server is refusing your key for another reason.
update failed: SERVFAIL
The number one cause for this error (for me) is permissions in the directory of your zonefile. Dynamic updates will create a journal file such as /etc/namedb/home/home.jnl (or wherever your zonefile is). If the user named is running as cannot create files in /etc/namedb/home, the update will fail. This error should show up as ‘permission denied’ errors in the logs, with a reference to the file it is trying to create.
Worst case, run named with a high debug level. Also, don’t reload named; restart it when debugging. Reloading doesn’t reinitialize some things.
DHCPD
A few minor changes are necessary to your dhcpd.conf (isc dhcp3 server). First, in the global portion:
ddns-update-style interim;
# If you have fixed-address entries you want to use dynamic dns
update-static-leases on;
Furthermore, you need to tell dhcpd.conf about the dnssec key and zone information. The following still goes in your dhcpd.conf:
key dhcpupdate {
algorithm hmac-md5;
secret N8Hk2RUFO84bEVl3uGTD2A==;
}
zone 0.168.192.in-addr.arpa {
primary dns.home;
key dhcpupdate;
}
zone 10.168.192.in-addr.arpa {
primary dns.home;
key dhcpupdate;
}
zone home {
primary dns.home;
key dhcpupdate;
}
NOTE! Notice that the secret is entered WITHOUT QUOTES. Doing so with quotes is a syntax error. If you see errors about invalid base64 characters, this is likely the reason.
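Because the same key block has to appear in both files with different quoting rules, here is an added checker (illustration code, not ISC's) that parses the key blocks of a named.conf and a dhcpd.conf and reports the mismatches this section warns about: a quoted secret in dhcpd.conf, an unquoted one in named.conf, a dropped semicolon, a key name, algorithm or secret that differs between the files, and a secret that is not valid base64. The two sample configs are constructed for the example and reuse the article's throw-away sample key.

```python
"""Cross-check the TSIG key blocks that must agree between named.conf and dhcpd.conf.

Added example, not code from the article or from ISC. It parses only the
"key NAME { algorithm ...; secret ...; }" blocks, the part of both files that
must match exactly. The sample configs are constructed and reuse the article's
sample key, which is not a real secret.
"""
import base64
import binascii
import re

COMMENT = re.compile(r"(#|//)[^\n]*")
KEY_BLOCK = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.S)
STATEMENT = re.compile(r'\b(algorithm|secret)\s+("?)([^;"\s]+)\2\s*(;?)')


def parse_key_blocks(text):
    """Return {keyname: {"algorithm", "secret", "secret_quoted", "missing_semicolon"}}."""
    keys = {}
    for block in KEY_BLOCK.finditer(COMMENT.sub("", text)):
        name, body = block.group(1).lower().rstrip("."), block.group(2)
        entry = {"secret_quoted": None, "missing_semicolon": []}
        for field, quote, value, semi in STATEMENT.findall(body):
            entry[field] = value
            if field == "secret":
                entry["secret_quoted"] = quote == '"'
            if not semi:
                entry["missing_semicolon"].append(field)
        keys[name] = entry
    return keys


def check(named_conf, dhcpd_conf):
    """Return a list of findings; an empty list means the key blocks agree."""
    named, dhcpd = parse_key_blocks(named_conf), parse_key_blocks(dhcpd_conf)
    findings = []
    for name, d in dhcpd.items():
        if d["secret_quoted"]:
            findings.append(f"dhcpd.conf key {name}: secret must not be quoted")
        findings += [f'dhcpd.conf key {name}: missing ";" after {f}' for f in d["missing_semicolon"]]
        n = named.get(name)
        if n is None:
            findings.append(f"dhcpd.conf key {name}: no key block with that name in named.conf")
            continue
        if n["secret_quoted"] is False:
            findings.append(f"named.conf key {name}: secret must be quoted")
        findings += [f'named.conf key {name}: missing ";" after {f}' for f in n["missing_semicolon"]]
        if d.get("algorithm", "").lower() != n.get("algorithm", "").lower():
            findings.append(f"key {name}: algorithm differs between the two files")
        if d.get("secret") != n.get("secret"):
            findings.append(f"key {name}: secret differs between the two files")
        try:
            base64.b64decode(d.get("secret", ""), validate=True)
        except binascii.Error:
            findings.append(f"key {name}: secret is not valid base64")
    return findings


# Constructed sample configs (the secret is the article's sample key, not a real one).
NAMED_CONF = """
key dhcpupdate {
    algorithm hmac-md5;
    secret "N8Hk2RUFO84bEVl3uGTD2A==";   # quoted, as named.conf requires
};
zone "home" {
    type master;
    file "master/db-home";
    allow-update { key dhcpupdate; };
};
"""

DHCPD_CONF_OK = """
key dhcpupdate {
    algorithm hmac-md5;
    secret N8Hk2RUFO84bEVl3uGTD2A==;     # unquoted, as dhcpd.conf requires
}
zone home {
    primary dns.home;
    key dhcpupdate;
}
"""

# The two mistakes this section describes: a dropped semicolon and a quoted secret.
DHCPD_CONF_BAD = """
key dhcpupdate {
    algorithm hmac-md5
    secret "N8Hk2RUFO84bEVl3uGTD2A==";
}
"""
```

check(NAMED_CONF, DHCPD_CONF_OK) returns no findings, while check(NAMED_CONF, DHCPD_CONF_BAD) reports the quoted secret and the missing semicolon; the parser deliberately ignores comment lines so a commented-out example secret in named.conf is not mistaken for the live one.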
The primary values are the primary dns server entries so dhcpd knows where to send updates. In this case, my primary dns is dns.home. Yours will obviously vary, as your key should vary.
Next, I’ll show you a few different examples.
Sample entry without fixed-address (roamer)
host happylaptop {
hardware ethernet 00:0a:39:22:da:39;
option host-name "happylaptop";
option domain-name "home";
ddns-hostname "happylaptop";
ddns-domainname "home";
}
When happylaptop requests an address via dhcp, the dhcp server will tell the dns server. Specifically, it will push forward (A) and reverse (PTR) lookup entries. Excellent. Now I can access my laptop from the network without having to look up, find, or discover its IP address, because I can simply point at happylaptop.home and it resolves to my laptop, wherever it is.
Sample entry set with ‘group’
group {
option domain-name "home";
ddns-domainname "home";
host happylaptop {
hardware ethernet 00:0a:39:22:da:39;
option host-name "happylaptop";
ddns-hostname "happylaptop";
}
host dellstation {
hardware ethernet 00:b1:48:2a:ad:9c;
option host-name "dellstation";
ddns-hostname "dellstation";
}
}
Sample fixed-address
host jukebox {
hardware ethernet 01:d0:06:b8:68:34;
fixed-address 192.168.0.5;
ddns-hostname "jukebox";
ddns-domainname "home";
option host-name "jukebox";
option domain-name "home";
}
That should be a decent set of examples.
dhcpd.conf caveats
- The option use-host-decl-names does NOTHING (it seems?) to aid in automatic specification of ddns-hostname. This is weird. If you find otherwise, let me know.
- You must specify ddns-hostname and ddns-domainname. dhcpd will not “figure it out” if you just specify host-name and domain-name.
- I don’t know how to get dynamically generated roamer addresses working, if it’s possible. That is, I want to specify a range of roamers in 192.168.0.160/27, and want dhcpd to autogenerate dns names for those based on a given pattern. Possible? Perhaps not.