Hello everyone!
After reviewing many forums, guides, videos, and keeping a fellow co-worker on the phone until the wee hours of the morning, I cannot find where I went wrong with DDNS and BIND9. Tailing the syslog, I see forward mapping works (I can get out to the Internet). However, reverse mapping does not:
Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' A
Sep 1 17:51:57 fee named[3004]: client 127.0.0.1#52157: updating zone 'mystikcreatures.com/IN': adding an RR at 'drache.mystikcreatures.com' TXT
Sep 1 17:51:57 fee dhcpd: Added new forward map from drache.mystikcreatures.com. to 192.168.0.62
Sep 1 17:51:57 fee dhcpd: unable to add reverse map from 62.0.168.192.in-addr.arpa. to drache.mystikcreatures.com.: not authorized
I have tried permissions, removing and purging BIND9 from the server for a fresh install (deleted all the folders after the purge), group ownership, recreating all the files, added /etc/bind/ to apparmor, moved the 'databases' to /var/lib/bind/, and minor adjustments here and there. The trouble is not every guide provides the same solutions, or pieces are assumed.
I have a fresh install of Ubuntu 12.04 LTS with BIND9 and DHCP installed. I am using DHCP and not DHCP3. My permissions are set to:
/var/lib/bind
drwxrwxr-x 2 root bind 4096 Sep 1 18:03 bind
files under bind:
-rw-rw-r-- 1 bind bind 529 Sep 1 17:44 db.192
-rw-r--r-- 1 root root 452 Sep 1 17:43 db.192.bak
-rw-rw-r-- 1 bind bind 0 Sep 1 17:47 db.192.jnl
-rw-rw-r-- 1 bind bind 312 Sep 1 16:15 db.192.old
-rw-rw-r-- 1 bind bind 310 Sep 1 11:28 db.192.save
-rw-r--r-- 1 bind bind 1121 Sep 1 18:03 db.mystikcreatures.com
-rw-rw-r-- 1 bind bind 447 Sep 1 16:47 db.mystikcreatures.com.broke
-rw-rw-r-- 1 bind bind 6736 Sep 1 18:07 db.mystikcreatures.com.jnl
-rw-rw-r-- 1 bind bind 13713 Sep 1 16:35 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 bind bind 1120 Sep 1 16:35 db.mystikcreatures.com.old
(note, I created the db.192.jnl file using touch and changed the permissions thinking that would help.)
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//include "/etc/bind/rndc.key";
//acl "internal-net" { 192.168.0/24; 127.0.0/24; };
/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mystikcreatures.com" {
type master;
//file "/etc/bind/db.mystikcreatures.com";
file "/var/lib/bind/db.mystikcreatures.com";
allow-update { key "rndc-key"; };
// notify yes;
};
zone "0.168.192.in-addr.arpa" {
type master;
//file "/etc/bind/db.192";
file "/var/lib/bind/db.192";
allow-update { key "rndc-key"; };
// notify yes
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See
// http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
allow-query {
any;
};
forwarders {
8.8.8.8;
8.8.4.4;
4.2.2.4;
4.2.2.2;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See
// https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
//controls {
// inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
// };
Permissions on files in /etc/bind
-rw-rw-r-- 1 root bind 2389 Jul 25 17:35 bind.keys
-rw-rw-r-- 1 root bind 237 Jul 25 17:35 db.0
-rw-rw-r-- 1 root bind 271 Jul 25 17:35 db.127
-rw-rw-r-- 1 root bind 276 Sep 1 01:33 db.192
-rw-rw-r-- 1 root bind 237 Jul 25 17:35 db.255
-rw-rw-r-- 1 root bind 353 Jul 25 17:35 db.empty
-rw-rw-r-- 1 root bind 270 Jul 25 17:35 db.local
-rw-r--r-- 1 bind bind 855 Sep 1 11:22 db.mystikcreatures.com
-rw-r--r-- 1 root bind 12535 Sep 1 14:20 db.mystikcreatures.com.jnl.old
-rw-rw-r-- 1 root bind 2994 Jul 25 17:35 db.root
-rw-rw-r-- 1 root bind 547 Aug 31 21:17 named.conf
-rw-rw-r-- 1 root bind 490 Jul 25 17:35 named.conf.default-zones
-rw-rw-r-- 1 root bind 667 Sep 1 11:32 named.conf.local
-rw-rw-r-- 1 root bind 165 Aug 31 18:23 named.conf.local.bak
-rw-rw-r-- 1 root bind 1064 Aug 31 21:27 named.conf.options
-r--r----- 1 bind dhcpd 77 Aug 31 19:55 rndc.key
-rw-rw-r-- 1 root bind 1317 Jul 25 17:35 zones.rfc1918
/etc/dhcp/dhcpd.conf
# Basic stuff to name the server and switch on updating
server-identifier 192.168.0.51;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "mystikcreatures.com.";
#ddns-domainname "mystikcreatures.com";
ddns-rev-domainname "in-addr.arpa.";
option domain-name "mystikcreatures.com";
option domain-name-servers 192.168.0.51;
option ntp-servers 192.168.0.51;
# Include the key so that DHCP can authenticate itself to BIND9
include "/etc/bind/rndc.key";
# Ignore Windows FQDN updates
#allow client-updates;
ignore client-updates;
# This is the communication zone
zone mystikcreatures.com. {
# primary 192.168.0.51;
primary 127.0.0.1;
key "rndc-key";
}
zone 192.in-addr.arpa. {
# primary 192.168.0.51;
primary 127.0.0.1;
key "rndc-key";
}
default-lease-time 1440;
max-lease-time 10080;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.60 192.168.0.100;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
allow unknown-clients;
}
Please let me know if any other information is required.
Thanks!
Dr. Wes Snyder V
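An added diagnostic, not code from the post or from ISC: when dhcpd sends a dynamic UPDATE it fills the zone section of the message from the `zone` statement in dhcpd.conf whose name is the longest suffix of the record name, and BIND only accepts an UPDATE whose zone section names a zone it is a master for and has an `allow-update` policy on; otherwise it rejects the request and dhcpd logs the map as failed. The script below parses the two configurations (the embedded text is copied from the dhcpd.conf and named.conf.local shown above, trimmed to the zone-related lines) and reports, for a forward name and for the PTR name of 192.168.0.62, which zone dhcpd will send and which zone BIND would need to see. Function names (`zone_blocks`, `diagnose`, and so on) are my own.

```python
"""Added diagnostic (not from the post): does the zone dhcpd names in its
DDNS UPDATE match a zone BIND is an updatable master for?"""
import ipaddress
import re

# Constructed from the dhcpd.conf in the post (DDNS-relevant lines only).
DHCPD_CONF = """\
ddns-updates on;
ddns-update-style interim;
ddns-domainname "mystikcreatures.com.";
ddns-rev-domainname "in-addr.arpa.";
include "/etc/bind/rndc.key";
ignore client-updates;
# This is the communication zone
zone mystikcreatures.com. {
  primary 127.0.0.1;
  key "rndc-key";
}
zone 192.in-addr.arpa. {
  primary 127.0.0.1;
  key "rndc-key";
}
"""

# Constructed from the named.conf.local in the post.
NAMED_CONF_LOCAL = """\
zone "mystikcreatures.com" {
  type master;
  file "/var/lib/bind/db.mystikcreatures.com";
  allow-update { key "rndc-key"; };
};
zone "0.168.192.in-addr.arpa" {
  type master;
  file "/var/lib/bind/db.192";
  allow-update { key "rndc-key"; };
};
include "/etc/bind/rndc.key";
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""

ZONE_OPEN = re.compile(r'\bzone\s+"?([A-Za-z0-9.\-]+)"?\s*\{')


def strip_comments(text):
    """Drop /* */, // and # comments (BIND accepts all three; dhcpd uses #)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def zone_blocks(text):
    """Return [(zone_name, body)] for every zone statement, matching nested braces
    so that an inner block such as allow-update { ... } does not end the zone early."""
    text = strip_comments(text)
    blocks = []
    for m in ZONE_OPEN.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1).rstrip('.').lower(), text[m.end():i - 1]))
    return blocks


def dhcpd_zones(conf):
    """Zone names dhcpd can put in the UPDATE zone section: its zone statements."""
    return {name for name, _ in zone_blocks(conf)}


def bind_updatable_zones(conf):
    """Zones BIND is master for and that carry an allow-update policy."""
    return {name for name, body in zone_blocks(conf)
            if re.search(r'\btype\s+master\s*;', body) and 'allow-update' in body}


def longest_suffix_zone(name, zones):
    """dhcpd's lookup rule: strip leading labels until a declared zone matches."""
    labels = name.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def reverse_name(ip):
    """PTR owner name for an address, e.g. 62.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def diagnose(record_name, dhcpd_conf, named_conf):
    """Return (status, zone dhcpd will send, zone BIND would need to see)."""
    sent = longest_suffix_zone(record_name, dhcpd_zones(dhcpd_conf))
    needed = longest_suffix_zone(record_name, bind_updatable_zones(named_conf))
    if sent is None:
        return ('no-dhcpd-zone', None, needed)
    if needed is None:
        return ('no-bind-zone', sent, None)
    if sent != needed:
        return ('zone-mismatch', sent, needed)
    return ('ok', sent, needed)


if __name__ == '__main__':
    for rec in ('drache.mystikcreatures.com', reverse_name('192.168.0.62')):
        print(rec, diagnose(rec, DHCPD_CONF, NAMED_CONF_LOCAL))
```

The checker compares zone names only; it does not verify that the key name and secret in dhcpd's `zone` statement match the key BIND's `allow-update` policy refers to, which is the other thing to compare by hand when an update is rejected.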