DDNS, BIND9, and error on reverse map
Hello everyone!
After reviewing many forums, guides, videos, and keeping a fellow co-worker on the phone until the wee hours of the morning, I cannot find where I went wrong with DDNS and BIND9. Tailing the syslog, I see forward mapping works (I can get out to the Internet). However, reverse mapping does not:
Code:
Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' A
Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' TXT
Sep 1 17:51:57 fee dhcpd: Added new forward map from drache.mystikcreatures.com. to 192.168.0.62
Sep 1 17:51:57 fee dhcpd: unable to add reverse map from 62.0.168.192.in-addr.arpa. to drache.mystikcreatures.com.: not authorized
I have tried permissions, removing and purging BIND9 from the server for a fresh install (deleted all the folders after the purge), group ownership, recreating all the files, adding /etc/bind/ to AppArmor, moving the 'databases' to /var/lib/bind/, and minor adjustments here and there. The trouble is that not every guide provides the same solutions, or pieces are assumed. I have a fresh install of Ubuntu 12.04 LTS with BIND9 and DHCP installed. I am using DHCP and not DHCP3.
My permissions are set to:
Code:
/var/lib/bind
drwxrwxr-x 2 root bind 4096 Sep 1 18:03 bind
Files under bind:
Code:
-rw-rw-r-- 1 bind bind   529 Sep 1 17:44 db.192
-rw-r--r-- 1 root root   452 Sep 1 17:43 db.192.bak
-rw-rw-r-- 1 bind bind     0 Sep 1 17:47 db.192.jnl
-rw-rw-r-- 1 bind bind   312 Sep 1 16:15 db.192.old
-rw-rw-r-- 1 bind bind   310 Sep 1 11:28 db.192.save
-rw-r--r-- 1 bind bind  1121 Sep 1 18:03 db.mystikcreatures.com
-rw-rw-r-- 1 bind bind   447 Sep 1 16:47 db.mystikcreatures.com.broke
-rw-rw-r-- 1 bind bind  6736 Sep 1 18:07 db.mystikcreatures.com.jnl
-rw-rw-r-- 1 bind bind 13713 Sep 1 16:35 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 bind bind  1120 Sep 1 16:35 db.mystikcreatures.com.old
(Note: I created the db.192.jnl file using touch and changed the permissions thinking that would help.)
/etc/bind/named.conf
Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//include "/etc/bind/rndc.key";
//acl "internal-net" { 192.168.0/24; 127.0.0/24; };
/etc/bind/named.conf.local
Code:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mystikcreatures.com" {
    type master;
    //file "/etc/bind/db.mystikcreatures.com";
    file "/var/lib/bind/db.mystikcreatures.com";
    allow-update { key "rndc-key"; };
    // notify yes;
};
zone "0.168.192.in-addr.arpa" {
    type master;
    //file "/etc/bind/db.192";
    file "/var/lib/bind/db.192";
    allow-update { key "rndc-key"; };
    // notify yes
};
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
/etc/bind/named.conf.options
Code:
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    allow-query { any; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
        4.2.2.4;
        4.2.2.2;
    };
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
//controls {
//    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
//};
Permissions on files in /etc/bind:
Code:
-rw-rw-r-- 1 root bind  2389 Jul 25 17:35 bind.keys
-rw-rw-r-- 1 root bind   237 Jul 25 17:35 db.0
-rw-rw-r-- 1 root bind   271 Jul 25 17:35 db.127
-rw-rw-r-- 1 root bind   276 Sep  1 01:33 db.192
-rw-rw-r-- 1 root bind   237 Jul 25 17:35 db.255
-rw-rw-r-- 1 root bind   353 Jul 25 17:35 db.empty
-rw-rw-r-- 1 root bind   270 Jul 25 17:35 db.local
-rw-r--r-- 1 bind bind   855 Sep  1 11:22 db.mystikcreatures.com
-rw-r--r-- 1 root bind 12535 Sep  1 14:20 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 root bind  2994 Jul 25 17:35 db.root
-rw-rw-r-- 1 root bind   547 Aug 31 21:17 named.conf
-rw-rw-r-- 1 root bind   490 Jul 25 17:35 named.conf.default-zones
-rw-rw-r-- 1 root bind   667 Sep  1 11:32 named.conf.local
-rw-rw-r-- 1 root bind   165 Aug 31 18:23 named.conf.local.bak
-rw-rw-r-- 1 root bind  1064 Aug 31 21:27 named.conf.options
-r--r----- 1 bind dhcpd   77 Aug 31 19:55 rndc.key
-rw-rw-r-- 1 root bind  1317 Jul 25 17:35 zones.rfc1918
/etc/dhcp/dhcpd.conf
Code:
# Basic stuff to name the server and switch on updating
server-identifier 192.168.0.51;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "mystikcreatures.com.";
#ddns-domainname "mystikcreatures.com";
ddns-rev-domainname "in-addr.arpa.";
option domain-name "mystikcreatures.com";
option domain-name-servers 192.168.0.51;
option ntp-servers 192.168.0.51;
# Include the key so that DHCP can authenticate itself to BIND9
include "/etc/bind/rndc.key";
# Ignore Windows FQDN updates
#allow client-updates;
ignore client-updates;
# This is the communication zone
zone mystikcreatures.com. {
    # primary 192.168.0.51;
    primary 127.0.0.1;
    key "rndc-key";
}
zone 192.in-addr.arpa. {
    # primary 192.168.0.51;
    primary 127.0.0.1;
    key "rndc-key";
}
default-lease-time 1440;
max-lease-time 10080;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.60 192.168.0.100;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    allow unknown-clients;
}
Please let me know if any other information is required. Thanks!
Dr. Wes Snyder V
Now that's what I call an error description. Guess everything's included. Just one pinch: code tags would make it lovely readable.
As the error from syslog shows, you're having a problem on the dhcpd side. First thought of the key not being set, but that was done. Just a little typo for the mix. You include rndc.key above the declaration of the "communication zone" but your config of dhcpd uses rndc-key. Hyphen instead of dot. Take a look at the "communication zone" and "zone 192.in-addr". Within the key argument.
Code:
zone 192.in-addr.arpa. {
Hello,
Yes, some clean-up is in order for the files. I did manage to get it to work, although I am not certain it is the 'proper' way or not. I remarked out ddns-rev-domainname "in-addr.arpa."; in the dhcpd.conf file and changed:
Code:
zone 192.in-addr.arpa. {
to:
Code:
zone 0.168.192.in-addr.arpa. {
I did try to change the line you suggested, but DHCPd would not start. The line include "/etc/bind/rndc.key"; is an absolute path where the key exists. The file name is rndc.key.
Code:
Sep 3 11:44:08 fee named[2398]: client 127.0.0.1#59227: signer "rndc-key" approved
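As an added example (not from the thread, and not an ISC tool), the following Python check reads the zone statements from named.conf.local and dhcpd.conf and predicts, for one leased address, whether the reverse-map UPDATE would name a zone BIND is authoritative for and be signed with the key its allow-update clause expects. It assumes dhcpd chooses the zone statement that is the longest suffix of the reverse name and sends that name as the UPDATE zone (an update for a zone the server does not serve is answered NOTAUTH, which dhcpd reports as "not authorized"); the config excerpts are constructed from this thread.

```python
import re
# Constructed excerpts of the thread's named.conf.local and dhcpd.conf (zone statements only).
NAMED_CONF_LOCAL = """
zone "mystikcreatures.com" { type master; allow-update { key "rndc-key"; }; };
zone "0.168.192.in-addr.arpa" { type master; allow-update { key "rndc-key"; }; };
"""
DHCPD_BROKEN = """
zone mystikcreatures.com. { primary 127.0.0.1; key "rndc-key"; }
zone 192.in-addr.arpa. { primary 127.0.0.1; key "rndc-key"; }
"""
DHCPD_FIXED = DHCPD_BROKEN.replace("zone 192.in-addr.arpa.", "zone 0.168.192.in-addr.arpa.")

def bind_zones(text):
    """Map BIND zone name -> key named in its allow-update clause (None if none)."""
    out = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{(.*?)\};', text, re.S):
        k = re.search(r'allow-update\s*\{\s*key\s+"?([^";\s]+)"?', m.group(2))
        out[m.group(1).lower().rstrip(".")] = k.group(1) if k else None
    return out

def dhcpd_zones(text):
    """Map dhcpd zone name -> key name it will sign UPDATEs with (None if none)."""
    out = {}
    for m in re.finditer(r'zone\s+([^\s{]+)\s*\{(.*?)\}', text, re.S):
        k = re.search(r'\bkey\s+"?([^";\s]+)"?', m.group(2))
        out[m.group(1).lower().rstrip(".")] = k.group(1) if k else None
    return out

def select_zone(name, zones):
    """dhcpd uses the zone statement that is the longest suffix of the record name."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None

def check_reverse_update(ip, named_text, dhcpd_text):
    """Predict how BIND treats dhcpd's reverse-map UPDATE for one leased IPv4 address."""
    rname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    bz, dz = bind_zones(named_text), dhcpd_zones(dhcpd_text)
    zone = select_zone(rname, dz)
    if zone is None:
        return "no-zone", "dhcpd has no zone statement covering " + rname
    if zone not in bz:  # UPDATE names a zone BIND is not authoritative for: NOTAUTH
        return "zone-mismatch", "dhcpd sends zone %s; BIND serves %s" % (zone, sorted(bz))
    if bz[zone] != dz[zone]:
        return "key-mismatch", "dhcpd signs with %s, allow-update wants %s" % (dz[zone], bz[zone])
    return "ok", "zone %s accepts updates signed with %s" % (zone, bz[zone])
```

Running check_reverse_update("192.168.0.62", NAMED_CONF_LOCAL, DHCPD_BROKEN) reports the zone mismatch behind the thread's error, and the same call with DHCPD_FIXED reports ok.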
Glad you got it solved. Could you please mark the thread as solved?