Old 06-20-2013, 06:08 AM   #1
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 921

Rep: Reputation: 46
corrupted ddns


Ladies & Gents,

Somehow I managed to break the dhcp/ddns on my external host. This is what I did that seems to have caused the problem.

A couple of years ago when I set up a machine I used a very strange partitioning scheme, my logic at the time escapes me now, but... At any rate, I began getting disk full errors due to that partitioning scheme. So I fired up a System Rescue CD and fixed the partition problems.

When I rebooted I decided to boot the xp install that is on the box and update it just to keep it current. I do that every couple months when I think about it. XP is not used as a rule. It seems that the dhcp server gave the xp an ip that was different than the one that the Debian Jessie that is normally used.

When I rebooted the Jessie install after the xp updates were done I was unable to ssh into the box via name and had to ssh in via ip. The ip was also different than the one that the Jessie install had prior to the partition resizing.

I realized there was a name server issue so I logged into webmin on the external host/server and deleted the ip entries for the xp install from the leases file. That did not fix the issue. So then I deleted the entries in one of the zone files but could not find the other for some reason. Still no joy. So I did some further looking and found the other entry and deleted it and that fixed the dhcp error about multiple host entries but it did not fix the dns issue.
Code:
dhcpd: Forward map from TV.Torah-disciple.local to 192.168.7.16 FAILED: Has an address record but no DHCID, not mine.
Now dhcpd is attempting to write to the zone files but for some reason it is not allowed and it times out.
Code:
 dhcpd: Unable to add forward map from android-5e369d6335e9449c.Torah-disciple.local to 192.168.7.15: timed out
I have restarted everything a couple times with /etc/init.d/yad-yad, and even did the reboot thing so I know dns is running.

When attempting to look at the zone file from the dhcp module in webmin I get a permission denied error, I don't think this is a new thing but it may be. From in the webmin dns module I am able to edit the zone files fine.

I have searched the web for how to fix this but so far no joy. All the posts I have looked at are about initial config issues. The system was working just fine until the double ip issue.

It seems like I remember reading a post, some years ago now, that editing the zone files by hand causes ddns to have updating issues but now I can't find that post, or I am mistaken about what I remember. It seems like I remember that there is a third file that is not human readable that gets corrupted when the zone files are edited by hand or something. And of course I don't remember what it said to do about it.

The affected system runs Debian Squeeze se-linux enabled, and fully patched.

Now when I do nslookup the request gets forwarded on to my isp's dns which returns a bad local ip. Also it does not matter what local machine it is that I try to lookup.

Any idea how to fix this problem?

Thanks
 
Old 06-20-2013, 09:24 PM   #2
rbees
Original Poster
I did find this in update_debug.logged
Code:
16-Jun-2013 10:27:39.052 info: client 127.0.0.1#60435: updating zone 'Torah-disciple.local/IN': deleting an RR at TV.Torah-disciple.local A
16-Jun-2013 10:27:39.114 info: client 127.0.0.1#55032: signer "ddns_update" approved
16-Jun-2013 10:27:39.114 info: client 127.0.0.1#55032: updating zone 'Torah-disciple.local/IN': deleting an RR at TV.Torah-disciple.local TXT
16-Jun-2013 10:27:39.134 info: client 127.0.0.1#36104: signer "ddns_update" approved
16-Jun-2013 10:27:39.134 info: client 127.0.0.1#36104: updating zone '7.168.192.in-addr.arpa/IN': deleting rrset at '27.7.168.192.in-addr.arpa' PTR
16-Jun-2013 17:04:54.003 info: client 127.0.0.1#45578: signer "ddns_update" approved
16-Jun-2013 17:04:54.016 info: client 127.0.0.1#45578: updating zone 'Torah-disciple.local/IN': adding an RR at 'TV.Torah-disciple.local' A
16-Jun-2013 17:04:54.016 info: client 127.0.0.1#45578: updating zone 'Torah-disciple.local/IN': adding an RR at 'TV.Torah-disciple.local' TXT
16-Jun-2013 17:04:54.054 info: client 127.0.0.1#42239: signer "ddns_update" approved
16-Jun-2013 17:04:54.055 info: client 127.0.0.1#42239: updating zone '7.168.192.in-addr.arpa/IN': deleting rrset at '24.7.168.192.in-addr.arpa' PTR
16-Jun-2013 17:04:54.055 info: client 127.0.0.1#42239: updating zone '7.168.192.in-addr.arpa/IN': adding an RR at '24.7.168.192.in-addr.arpa' PTR
16-Jun-2013 18:22:48.002 info: client 127.0.0.1#44040: updating zone 'Torah-disciple.local/IN': update unsuccessful: TV.Torah-disciple.local: 'name not in use' prerequisite not satisfied (YXDOMAIN)
16-Jun-2013 18:22:48.014 info: client 127.0.0.1#51457: updating zone 'Torah-disciple.local/IN': update unsuccessful: TV.Torah-disciple.local/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
16-Jun-2013 21:21:40.003 info: client 127.0.0.1#39081: updating zone 'Torah-disciple.local/IN': update unsuccessful: TV.Torah-disciple.local: 'name not in use' prerequisite not satisfied (YXDOMAIN)


I have discovered that there are a lot of entries in /var/log/bind_log like
Code:
17-Jun-2013 11:35:05.082 info:   validating @0xb88e61d8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.113 notice: DNS format error from 208.67.220.220#53 resolving net.dlv.isc.org/DS: invalid response
17-Jun-2013 11:35:05.129 info:   validating @0xb88e61d8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.179 info:   validating @0xb88ce168: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.297 info:   validating @0xb854cc18: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.328 notice: DNS format error from 208.67.222.222#53 resolving edu.dlv.isc.org/DS: invalid response
17-Jun-2013 11:35:05.329 notice: DNS format error from 208.67.222.222#53 resolving net.dlv.isc.org/DS: invalid response
17-Jun-2013 11:35:05.369 notice: DNS format error from 208.67.220.220#53 resolving edu.dlv.isc.org/DS: invalid response
17-Jun-2013 11:35:05.415 info:   validating @0xb854cc18: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.490 info:   validating @0xb88ce168: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
17-Jun-2013 11:35:05.516 info:   validating @0xb854cc18: isc.org SOA: got insecure response; parent indicates it should be secure
But there is nothing to indicate why local dns is failing to update. But I am still looking.

I did find the files I remember that post talking about. They are in /var/cache/bind and are *.jnl files. They can be read but understanding what they mean is way beyond me, and so have not helped me figure out what needs to be changed or deleted. What if I just delete those files?

Well it seems that some years ago that was not the thing to do.

I have played with nsupdate a little and can't get it to update the zone files. If I try to use the key that the system was working with it fails to launch complaining about a key type that it does not understand. If I use a different key that the configs have available it launches successfully but will not update the zone files.

Well I guess that this will have to wait till later.
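The failed-update lines in the log above follow a pattern that can be triaged automatically. The sketch below is an added example, not part of the original post; the sample log is constructed in the same format with placeholder names, and the function names are made up for illustration. It separates names rejected at both update steps (an A record exists with no matching TXT ownership record) from routine renewals.

```python
import re
from collections import defaultdict

# Failed-update lines as written to BIND's update log (format seen in the post above).
FAIL_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: updating zone '(?P<zone>[^']+)': "
    r"update unsuccessful: (?P<name>[^:/\s]+)(?:/\w+)?: "
    r"'[^']+' prerequisite not satisfied \((?P<rcode>\w+)\)"
)

# Constructed sample log (names and addresses are placeholders, not from the thread).
SAMPLE_LOG = """\
01-Jan-2024 10:00:00.001 info: client 127.0.0.1#40001: signer "ddns_update" approved
01-Jan-2024 10:00:00.002 info: client 127.0.0.1#40001: updating zone 'example.test/IN': update unsuccessful: laptop.example.test: 'name not in use' prerequisite not satisfied (YXDOMAIN)
01-Jan-2024 10:00:00.010 info: client 127.0.0.1#40002: updating zone 'example.test/IN': adding an RR at 'laptop.example.test' A
01-Jan-2024 10:05:00.001 info: client 127.0.0.1#40003: updating zone 'example.test/IN': update unsuccessful: tv.example.test: 'name not in use' prerequisite not satisfied (YXDOMAIN)
01-Jan-2024 10:05:00.009 info: client 127.0.0.1#40004: updating zone 'example.test/IN': update unsuccessful: tv.example.test/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
""".splitlines()


def failed_updates(lines):
    """Return {(zone, name): {rcode: count}} for every rejected dynamic update."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            hits[(m["zone"], m["name"])][m["rcode"]] += 1
    return {key: dict(counts) for key, counts in hits.items()}


def stale_names(lines):
    """Names rejected at both steps of dhcpd's update: the A record exists, but
    no TXT ownership record matches, so dhcpd reports "not mine" and gives up.
    YXDOMAIN on its own is routine: the second step then succeeds (a renewal)."""
    return sorted(
        name for (_zone, name), rc in failed_updates(lines).items()
        if rc.get("YXDOMAIN") and rc.get("NXRRSET")
    )


if __name__ == "__main__":
    for name in stale_names(SAMPLE_LOG):
        print("stale A record without matching TXT:", name)
```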
 
Old 06-23-2013, 03:09 PM   #3
rbees
Original Poster
No thoughts huh?
 
Old 06-30-2013, 04:55 PM   #4
rbees
Original Poster
I deleted the .jnl zone files and restarted bind and dhcpd,

fixed
 
Old 07-14-2013, 04:45 PM   #5
rbees
Original Poster
well not really fixed but working.

For completeness.

The zone files have to be changed back to empty zones too, or it will not update entries that exist.

So I deleted the .jnl files again and replaced the zone files with a copy of the originals and that corrected the problems.

It would sure seem that someone could have just told me that.

Still thanks for a great site.
 
Old 04-20-2014, 01:41 PM   #6
rbees
Original Poster
A different method from
http://www.smoothnet.org/dynamic-dhcpd-error-dhcid/

Quote:
Start off by telling your DNS server to hold off from doing any updates while you are messing around with its records by issuing the command, assuming you are using bind: rndc freeze


Once that is done you can go into your DNS server and remove the offending record. Do this by removing the A record for the offending error and the TXT record immediately below it. Then, as usual, you will need to update the serial. Now we can let the server start updating records again by issuing the reverse of the previous command: rndc thaw


When you ‘thaw’ the DNS server it will re-read the configuration files, so no need to re-load anything.

Now just wait for the next DHCP renew and the record should update without error.
I have not tried this so.....
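The freeze, edit, thaw sequence quoted above can be scripted so the zone is always thawed again. This is an added sketch, not code from the quoted article or the poster; `drop_stale_host` and `clean_zone` are hypothetical helper names, the sample zone is constructed, and it assumes the host is spelled as in the zone file's owner column and the serial line carries a `; serial` comment.

```python
import re
import subprocess
from pathlib import Path

# Constructed zone in master-file layout (placeholder names and addresses).
SAMPLE_ZONE = """\
$TTL 3600
example.test\t\tIN SOA\tns.example.test. admin.example.test. (
\t\t\t\t2013061601 ; serial
\t\t\t\t3600 900 604800 3600 )
$ORIGIN example.test.
tv\t\t\tA\t192.0.2.16
\t\t\tTXT\t"31aabbccddeeff"
printer\t\t\tA\t192.0.2.20
"""

def drop_stale_host(zone_text, host):
    """Remove host's A record plus the TXT line directly below it, then bump
    the serial. Assumes the owner-column spelling and a '; serial' comment."""
    lines, out, i, removed = zone_text.splitlines(), [], 0, 0
    while i < len(lines):
        f = lines[i].split()
        if f and not lines[i][0].isspace() and f[0].lower() == host.lower() and "A" in f[1:-1]:
            i, removed = i + 1, removed + 1
            nxt = lines[i] if i < len(lines) else ""
            owner_ok = nxt[:1].isspace() or nxt.split()[:1] == [f[0]]
            if "TXT" in nxt.split()[:4] and owner_ok:
                i += 1
            # A further blank-owner line would silently change owner: refuse.
            if i < len(lines) and lines[i][:1].isspace() and lines[i].strip():
                raise ValueError("more records follow under %s; edit by hand" % host)
            continue
        out.append(lines[i])
        i += 1
    text, bumped = re.subn(r"(\d+)(\s*;\s*serial)", lambda m: str(int(m[1]) + 1) + m[2],
                           "\n".join(out) + "\n", count=1, flags=re.I)
    if not removed or not bumped:
        raise ValueError("no A record for %s, or no serial found" % host)
    return text

def clean_zone(zone, zone_path, host):
    """Freeze the zone, edit its file, and thaw again even if the edit fails."""
    subprocess.run(["rndc", "freeze", zone], check=True)
    try:
        path = Path(zone_path)
        path.write_text(drop_stale_host(path.read_text(), host))
    finally:
        subprocess.run(["rndc", "thaw", zone], check=True)
```

`clean_zone` needs a host with `rndc` configured; `drop_stale_host(SAMPLE_ZONE, "tv")` can be tried on its own without touching a server.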
 
Old 11-06-2019, 03:41 AM   #7
terencemall
LQ Newbie
 
Registered: May 2018
Location: Lynchburg
Posts: 11

Rep: Reputation: Disabled
Quote:
Originally Posted by rbees
A different method from http://www.smoothnet.org/dynamic-dhcpd-error-dhcid-services

Quote:
Start off by telling your DNS server to hold off from doing any updates while you are messing around with its records by issuing the command, assuming you are using bind: rndc freeze


Once that is done you can go into your DNS server and remove the offending record. Do this by removing the A record for the offending error and the TXT record immediately below it. Then, as usual, you will need to update the serial. Now we can let the server start updating records again by issuing the reverse of the previous command: rndc thaw


When you ‘thaw’ the DNS server it will re-read the configuration files, so no need to re-load anything.

Now just wait for the next DHCP renew and the record should update without error.
I have not tried this so.....
Hi,

I've tried to get DNS and DHCP to work together, connected devices are getting mapped to device-name.domain-name. However, I got two IP addresses from the DHCP and that annoyed me greatly.
 
  

