[Freeipa-users] DNS updates from dhcpd refused

Craig White CWhite at skytouchtechnology.com
Tue Jan 13 15:39:54 UTC 2015


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Mike
Sent: Tuesday, January 13, 2015 6:52 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] DNS updates from dhcpd refused

Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. 
I don't know if this is an IPA or dhcpd issue but thought I'd ask here. 
I'm also not sure if TSIG is the best, or only way to go.

All machines are CentOS 7 with ipa 3.3.3, actually only one machine involved, IPA server and dhcpd are running on the same VM.

I followed the guide here:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
with one exception, I used "grant dhcpupdate zonesub A;" in the ipa dnszone-mod command.

To test I did this:
nsupdate -k /tmp/testkey
> update add newhost.inside.lan 86400 A 10.16.1.99
> send

nsupdate works as expected, both forward and reverse records are added.

However updates from dhcpd are rejected, here's a snippet from two log files.  Oh and raising the trace level with 'rndc trace 9' didn't reveal anything useful (to me anyway).

tail -f /var/log/messages /var/named/data/named.run
==> /var/named/data/named.run <==
12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)

==> /var/log/messages <==
Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate: updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2) via eth0
Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to 10.16.1.203: REFUSED
----
Mike,
Please be sure to post when you do come to a resolution on this, it may be something I want to do - at least in my home setup.

Craig
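
Added example (not part of the original thread, and not code from BIND or FreeIPA): a simplified Python model of how named matches an update-policy zonesub rule against each record of a dynamic update, applied to the grant quoted in the post. It assumes, which the thread does not confirm, that dhcpd's forward update carries a TXT record alongside the A record; the function names and sample record lists are constructed for illustration.

```python
# Added example: simplified model of BIND update-policy matching (zonesub only).
# Not BIND's code; all function names and sample records are constructed.

# With no type list, a rule matches every type except these (BIND ARM).
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

def parse_rule(rule):
    """Parse 'grant|deny <key> zonesub [types...];'."""
    fields = rule.strip().rstrip(";").split()
    if len(fields) < 3 or fields[0] not in ("grant", "deny") or fields[2] != "zonesub":
        raise ValueError("only grant/deny ... zonesub rules are modelled")
    return {"action": fields[0], "key": fields[1],
            "types": {t.upper() for t in fields[3:]}}

def in_zone(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def rule_matches(rule, key, name, rtype, zone):
    if rule["key"] != key or not in_zone(name, zone):
        return False
    if "ANY" in rule["types"]:
        return rtype not in {"NSEC", "NSEC3"}
    if rule["types"]:
        return rtype in rule["types"]
    return rtype not in IMPLICIT_EXCLUDED

def refused_records(rules, key, zone, records):
    """Records that no rule grants. First matching rule wins, the default is
    deny, and one refused record makes named reject the whole update."""
    refused = []
    for name, rtype in records:
        verdict = next((r["action"] for r in rules
                        if rule_matches(r, key, name, rtype.upper(), zone)), "deny")
        if verdict != "grant":
            refused.append((name, rtype))
    return refused

POLICY = [parse_rule("grant dhcpupdate zonesub A;")]           # from the post
NSUPDATE_TEST = [("newhost.inside.lan", "A")]                  # from the post
DHCPD_UPDATE = [("nas2.inside.lan", "A"),                      # from the log
                ("nas2.inside.lan", "TXT")]                    # assumed, see above

if __name__ == "__main__":
    for label, recs in (("nsupdate", NSUPDATE_TEST), ("dhcpd", DHCPD_UPDATE)):
        bad = refused_records(POLICY, "dhcpupdate", "inside.lan", recs)
        print(label, "refused:" if bad else "allowed", bad or "")
```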



