Thanks Mark (& Darren & Jan-Piet),

So I made those changes you suggested (Mark), but I'm still having issues (ie DHCP leases are not being added to the DNS zones), so I've included my Bind9 config:

~~~

acl "bogusnets" {
    !"internal_hosts";
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.0.2.0/24;
    192.168.0.0/16;
    224.0.0.0/3;
};
acl "internal_hosts" {
    192.168.1.0/24;
    192.168.2.0/24;
};
acl "secondary_external_servers" {
    192.168.1.1/32;
    192.168.1.2/32;
};
acl "secondary_internal_servers" {
    192.168.2.1/32;
    192.168.2.2/32;
};
acl "servers_ddns" {
    "localhost";
    192.168.2.3/32;
};
acl "servers_rndc" {
    "localhost";
    192.168.2.3/32;
};
acl "stats_hosts" {
    192.168.2.0/24;
};
controls {
    inet 0.0.0.0 port 953 allow {
        "servers_rndc";
    } keys {
        "rndc.key";
    };
};
logging {
    channel "auth_servers_log" {
        file "/var/log/named/auth_servers.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "client_security_log" {
        file "/var/log/named/client_security.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "default_log" {
        file "/var/log/named/default.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "default_debug_log" {
        file "/var/log/named/default_debug.log" versions 3 size 512000 suffix timestamp;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "ddns_log" {
        file "/var/log/named/ddns.log" versions 3 size 512000 suffix timestamp;
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "dnssec_log" {
        file "/var/log/named/dnssec.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "queries_log" {
        file "/var/log/named/queries.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "query_errors_log" {
        file "/var/log/named/query_errors.log" versions 3 size 512000 suffix timestamp;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "zone_transfers_log" {
        file "/var/log/named/zone_transfers.log" versions 3 size 512000 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "client" {
        "client_security_log";
        "default_debug";
    };
    category "dnssec" {
        "dnssec_log";
        "default_debug";
    };
    category "default" {
        "default_syslog";
        "default_debug";
        "default_log";
    };
    category "delegation-only" {
        "auth_servers_log";
        "default_debug";
    };
    category "edns-disabled" {
        "auth_servers_log";
        "default_debug";
    };
    category "lame-servers" {
        "auth_servers_log";
        "default_debug";
    };
    category "notify" {
        "zone_transfers_log";
        "default_debug";
    };
    category "resolver" {
        "auth_servers_log";
        "default_debug";
    };
    category "security" {
        "client_security_log";
        "default_debug";
    };
    category "update" {
        "ddns_log";
        "default_debug";
    };
    category "update-security" {
        "ddns_log";
        "default_debug";
    };
    category "xfer-in" {
        "zone_transfers_log";
        "default_debug";
    };
    category "xfer-out" {
        "zone_transfers_log";
        "default_debug";
    };
};
options {
    blackhole {
        "bogusnets";
    };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    flush-zones-on-shutdown yes;
    managed-keys-directory "/var/named/dynamic";
    memstatistics yes;
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    statistics-file "/var/named/data/named_stats.txt";
    version "Not Currently Available";
    disable-algorithms "." {
        "RSAMD5";
        "RSASHA1";
        "NSEC3RSASHA1";
        "DSA";
    };
    disable-ds-digests "." {
        "SHA-1";
        "GOST";
    };
    recursion no;
    allow-query {
        "localhost";
    };
    allow-transfer {
        "secondary_external_servers";
        "secondary_internal_servers";
    };
    multi-master no;
    zone-statistics yes;
};
primaries "servers_primaries" {
    192.168.2.3;
};
statistics-channels {
    inet 0.0.0.0 port 8080 allow {
        "stats_hosts";
    };
};
key "update.key" {
    algorithm "hmac-sha512";
    secret "????????????????????????????????????????????????????????????????????????????????????????";
};
key "rndc.key" {
    algorithm "hmac-sha512";
    secret "????????????????????????????????????????????????????????????????????????????????????????";
};
server 192.168.1.1/32 {
    keys "update.key";
};
server 192.168.1.2/32 {
    keys "update.key";
};
server 192.168.2.1/32 {
    keys "update.key";
};
server 192.168.2.2/32 {
    keys "update.key";
};
server 192.168.2.3/32 {
    keys "update.key";
};
zone "example.com" in {
    type primary;
    file "zones/primary.example.com.zone";
    update-policy {
        grant "update.key" name "_acme-challenge.example.com" "TXT";
    };
    allow-transfer {
        !{
            !"secondary_external_servers";
            "any";
        };
        key "update.key.";
    };
    dnssec-policy "default";
};
zone "1.168.192.IN-ADDR.ARPA" in {
    type primary;
    file "zones/primary.192.168.1.rev.zone";
    allow-transfer {
        !{
            !"secondary_internal_servers";
            "any";
        };
        key "update.key";
    };
    allow-update {
        "none";
    };
    notify no;
};
zone "2.168.192.IN-ADDR.ARPA" in {
    type primary;
    file "zones/primary.192.168.2.rev.zone";
    update-policy {
        grant "update.key" zonesub "PTR";
    };
    allow-transfer {
        !{
            !"secondary_internal_servers";
            "any";
        };
        key "update.key";
    };
};
zone "my-domain.local" in {
    type primary;
    file "zones/primary.my-domain.local.zone";
    update-policy {
        grant "update.key" zonesub "A";
    };
    allow-transfer {
        !{
            !"secondary_internal_servers";
            "any";
        };
        key "update.key";
    };
};

~~~

Here's the (relevant parts of the) Bind9 ddns.log (ie the update log):

~~~

04-Feb-2023 19:57:09.736 update: info: client @0x7f3e2063fa18 192.168.2.3#45674/key update.key: updating zone 'my-domain.local/IN': update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) 04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18 192.168.2.3#38345/key update.key: updating zone 'my-domain.local/IN': update unsuccessful: client1.my-domain.local/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) 04-Feb-2023 19:57:09.737 update: info: client @0x7f3e2063fa18 192.168.2.3#39061/key update.key: updating zone '2.168.192.IN-ADDR.ARPA/IN': update unsuccessful: 8.2.168.192.IN-ADDR.ARPA/PTR: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) 04-Feb-2023 19:57:09.738 update: info: client @0x7f3e2063fa18 192.168.2.3#48836/key update.key: updating zone 'my-domain.local/IN': update failed: rejected by secure update (REFUSED)

~~~

Here's the corresponding (relevant parts of the) the Kea-ddns.log

~~~

2023-02-04 19:57:09.735 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: 2023-02-04 19:57:09.736 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward A/AAAA Remove to server: 192.168.2.3 port:53 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward RR Remove to server: 192.168.2.3 port:53 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET 2023-02-04 19:57:09.737 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Reverse Remove to server: 192.168.2.3 port:53 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: NXRRSET 2023-02-04 19:57:09.738 INFO [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_REMOVE_SUCCEEDED DHCP_DDNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: successfully removed the DNS mapping addition for this request: Type: 1 (CHG_REMOVE)
Forward Change: yes
Reverse Change: yes
FQDN: [client1.my-domain.local.]
IP Address: [192.168.2.8]
DHCID: [000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
Lease Expires On: 20230205083853
Lease Length: 86400
Conflict Resolution: yes

2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_STARTING_TRANSACTION Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Forward Add to server: 192.168.2.3 port:53 2023-02-04 19:57:09.738 DEBUG [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: to server: 192.168.2.3 port:53 status: SUCCESS, rcode: REFUSED 2023-02-04 19:57:09.738 ERROR [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_FORWARD_ADD_REJECTED DNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Server, 192.168.2.3 port:53, rejected a DNS update request to add the address mapping for FQDN, client1.my-domain.local., with an RCODE: 5 2023-02-04 19:57:09.738 ERROR [kea-dhcp-ddns.d2-to-dns/738.140595359121344] DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID 000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343: Transaction outcome Status: Failed, Event: UPDATE_FAILED_EVT, Forward change: failed,  Reverse change: failed,  request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: yes
FQDN: [client1.my-domain.local.]
IP Address: [192.168.2.8]
DHCID: [000101A530346060F361CE566BCD0C78A7330BDAEF5B06C3D8E6ABCCE13815077C4343]
Lease Expires On: 20230205085709
Lease Length: 86400
Conflict Resolution: yes
~~~

And here's the kea-dhcp-ddns.conf

~~~

{
    "DhcpDdns": {
        "ip-address": "127.0.0.1",
        "port": 53001,
        "control-socket": {
            "socket-type": "unix",
            "socket-name": "/var/run/kea/kea-ddns-ctrl.socket"
        },
        "tsig-keys": [{
            "name": "update.key",
            "algorithm": "hmac-sha512",
            "secret": "????????????????????????????????????????????????????????????????????????????????????????"
        }],
        "forward-ddns": {
            "ddns-domains": [{
                "name": "my-domain.local.",
                "key-name": "update.key",
                "dns-servers": [{"ip-address": "192.168.2.3"}]
            }]
        },
        "reverse-ddns": {
            "ddns-domains": [{
                "name": "1.168.192.IN-ADDR.ARPA.",
                "key-name": "update.key",
                "dns-servers": [{"ip-address": "192.168.2.3"}]
            },{
                "name": "2.168.192.IN-ADDR.ARPA.",
                "key-name": "update.key",
                "dns-servers": [{"ip-address": "192.168.2.3"}]
            }]
        },
        "loggers": [{
            "name": "kea-dhcp-ddns",
            "output_options": [{
                "output": "/var/log/kea/kea-ddns.log",
                "flush": true,
                "maxsize": 1048576,
                "maxver": 10
            }],
            "severity": "INFO",
            "debuglevel": 0
        }]
    }
}

~~~

I have checked, double-checked, and double-checked again that the update.key values are the same in both config files.

So... What am I doing wrong, please?

Any help is gratefully appreciated - thanks

Cheers

Dulux-Oz

On 04/02/2023 15:28, Mark Andrews wrote:
You need to replace the rule type with something more appropriate for the type 
of update being preformed.  For the updates made by the DHCP server I would use 
“zonesub”.  “name” is fine for LetsEncrypt.

        update-policy {grant update-key zonesub A AAAA;};
        update-policy {grant update-key zonesub PTR;};
        
    ``zonesub``
        This rule is similar to subdomain, except that it matches when the name 
being updated is a subdomain of the zone in which the :any:`update-policy` 
statement appears. This obviates the need to type the zone name twice, and 
enables the use of a standard :any:`update-policy` statement in multiple zones 
without modification. When this rule is used, the ``name`` field is omitted.


On 3 Feb 2023, at 18:04, duluxoz <dulu...@gmail.com> wrote:

Hi All,

I'm pretty new to configuring Bind and so it would be great if someone(s) could 
just check my code re: the update-policy zone command(s) below - thanks in 
advance.

For the first zone (a regular internal forward-lookup zone) I'd like to be able 
to update (from Kea via ddns) the zone when a new host is assigned/etc a DHCP 
lease:

update-policy {grant update-key name internal-forward-lookup.local A AAAA;};

For the second zone (a regular internal reverse-lookup zone for the 
192.168.1.0/24 network) I'd like to be able to update (from Kea via ddns) the 
zone when a new host is assigned a DHCP lease (obviously I've got an equivalent 
IPv6 reverse-lookup zone :-) ):

update-policy {grant update-key name 1.168.192.IN-ADDR.ARPA PTR;};

For the third zone (a regular external forward-lookup zone) I'd like to be able 
to update (via acme.sh/LetsEncrypt) the _acme-challenge.example.com TXT record 
when a Certificate is requested/renewed:

update-policy {grant update-key name _acme-challenge.example.com TXT;};

I've got the update-key configured and available on all the necessary boxes, 
etc, and dns (for fixed IP addresses) and dhcp are working - I just need to get 
these update-policy statements correct.


Any help is greatly appreciated - and again, thanks in advance

Cheers

Dulux-Oz

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to