DDNS, BIND9, and error on reverse map
 

Hello everyone!

After reviewing many forums, guides, videos, and keeping a fellow co-worker on the phone until the wee hours of the morning, I cannot find where I went wrong with DDNS and BIND9. Tailing the syslog, I see forward mapping works (I can get out to the Internet). However, reverse mapping does not:

Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' A
Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' TXT
Sep 1 17:51:57 fee dhcpd: Added new forward map from drache.mystikcreatures.com. to 192.168.0.62
Sep 1 17:51:57 fee dhcpd: unable to add reverse map from 62.0.168.192.in-addr.arpa. to drache.mystikcreatures.com.: not authorized

I have tried permissions, removing and purging BIND9 from the server for a fresh install (deleted all the folders after the purge), group ownership, recreating all the files, added /etc/bind/ to apparmor, moved the 'databases' to /var/lib/bind/, and minor adjustments here and there. The trouble is not every guide provides the same solutions, or pieces are assumed.

I have a fresh install of Ubuntu 12.04 LTS with BIND9 and DHCP installed. I am using DHCP and not DHCP3. My permissions are set to:
/var/lib/bind
drwxrwxr-x 2 root bind 4096 Sep 1 18:03 bind

files under bind:
-rw-rw-r-- 1 bind bind 529 Sep 1 17:44 db.192
-rw-r--r-- 1 root root 452 Sep 1 17:43 db.192.bak
-rw-rw-r-- 1 bind bind 0 Sep 1 17:47 db.192.jnl
-rw-rw-r-- 1 bind bind 312 Sep 1 16:15 db.192.old
-rw-rw-r-- 1 bind bind 310 Sep 1 11:28 db.192.save
-rw-r--r-- 1 bind bind 1121 Sep 1 18:03 db.mystikcreatures.com
-rw-rw-r-- 1 bind bind 447 Sep 1 16:47 db.mystikcreatures.com.broke
-rw-rw-r-- 1 bind bind 6736 Sep 1 18:07 db.mystikcreatures.com.jnl
-rw-rw-r-- 1 bind bind 13713 Sep 1 16:35 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 bind bind 1120 Sep 1 16:35 db.mystikcreatures.com.old
(note, I created the db.192.jnl file using touch and changed the permissions thinking that would help.)

/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//include "/etc/bind/rndc.key";
//acl "internal-net" { 192.168.0/24; 127.0.0/24; };

/etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "mystikcreatures.com" {
type master;
//file "/etc/bind/db.mystikcreatures.com";
file "/var/lib/bind/db.mystikcreatures.com";
allow-update { key "rndc-key"; };
// notify yes;
};

zone "0.168.192.in-addr.arpa" {
type master;
//file "/etc/bind/db.192";
file "/var/lib/bind/db.192";
allow-update { key "rndc-key"; };
// notify yes
};

include "/etc/bind/rndc.key";

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

/etc/bind/named.conf.options
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

allow-query {
any;
};

forwarders {
8.8.8.8;
8.8.4.4;
4.2.2.4;
4.2.2.2;
};

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

//controls {
// inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
// };

Permissions on files in /etc/bind
-rw-rw-r-- 1 root bind 2389 Jul 25 17:35 bind.keys
-rw-rw-r-- 1 root bind 237 Jul 25 17:35 db.0
-rw-rw-r-- 1 root bind 271 Jul 25 17:35 db.127
-rw-rw-r-- 1 root bind 276 Sep 1 01:33 db.192
-rw-rw-r-- 1 root bind 237 Jul 25 17:35 db.255
-rw-rw-r-- 1 root bind 353 Jul 25 17:35 db.empty
-rw-rw-r-- 1 root bind 270 Jul 25 17:35 db.local
-rw-r--r-- 1 bind bind 855 Sep 1 11:22 db.mystikcreatures.com
-rw-r--r-- 1 root bind 12535 Sep 1 14:20 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 root bind 2994 Jul 25 17:35 db.root
-rw-rw-r-- 1 root bind 547 Aug 31 21:17 named.conf
-rw-rw-r-- 1 root bind 490 Jul 25 17:35 named.conf.default-zones
-rw-rw-r-- 1 root bind 667 Sep 1 11:32 named.conf.local
-rw-rw-r-- 1 root bind 165 Aug 31 18:23 named.conf.local.bak
-rw-rw-r-- 1 root bind 1064 Aug 31 21:27 named.conf.options
-r--r----- 1 bind dhcpd 77 Aug 31 19:55 rndc.key
-rw-rw-r-- 1 root bind 1317 Jul 25 17:35 zones.rfc1918

/etc/dhcp/dhcpd.conf
# Basic stuff to name the server and switch on updating
server-identifier 192.168.0.51;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "mystikcreatures.com.";
#ddns-domainname "mystikcreatures.com";
ddns-rev-domainname "in-addr.arpa.";
option domain-name "mystikcreatures.com";
option domain-name-servers 192.168.0.51;
option ntp-servers 192.168.0.51;

# Include the key so that DHCP can authenticate itself to BIND9
include "/etc/bind/rndc.key";

# Ignore Windows FQDN updates
#allow client-updates;
ignore client-updates;

# This is the communication zone
zone mystikcreatures.com. {
# primary 192.168.0.51;
primary 127.0.0.1;
key "rndc-key";
}

zone 192.in-addr.arpa. {
# primary 192.168.0.51;
primary 127.0.0.1;
key "rndc-key";
}

default-lease-time 1440;
max-lease-time 10080;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.60 192.168.0.100;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
allow unknown-clients;

}

Please let me know if any other information is required.

Thanks!
Dr. Wes Snyder V

Now thats what I call an error description. Guess everythings included. Just one pinch. Code tags would make it lovely readable.

As the error from syslog show you're having a problem on the dhcpd side. First though of the key not beeing set but that was done. Just a little typo for the mix. You include rndc.key above the declaration of the "communication zone" but your config of dhcpd uses rndc-key. Hyphen instead of dot.

Take a look at the "communication zone" and "zone 192.in-addr". Within the key argument.

Hello,

Yes, some clean-up is in order for the files. I did manage did manage to get it to work, although I am not certain it is the 'proper' way or not. I remarked out ddns-rev-domainname "in-addr.arpa."; in dhcpd.conf file and changed:
to:
Restarted services and it worked.

I did try to change the line you suggested but DHCPd would not start. The line, include "/etc/bind/rndc.key"; is an absolute path where the key exists. The file name is rndc.key.

Thanks for the reply! My next challenge is Samba and OpenLDAP. I want to pull my existing AD domain objects, if I can, into OpenLDAP on my Ubuntu server. Reading, again, many ways to do this. I am sure I will post some questions on this topic next.

Glad you got it solved. Could you please mark the thread as solved.