[Freeipa-users] DNS updates from dhcpd refused

Mike maillists at microdel.org
Tue Jan 13 17:12:45 UTC 2015


On Tue, 13 Jan 2015, Petr Spacek wrote:

> On 13.1.2015 14:52, Mike wrote:
>> Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I
>> don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also
>> not sure if TSIG is the best, or only, way to go.
>>
>> All machines are CentOS 7 with ipa 3.3.3, actually only one machine involved,
>> IPA server and dhcpd are running on the same VM.
>>
>> I followed guide here:
>> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
>> with one exception, I used "grant dhcpupdate zonesub A;" in the ipa
>> dnszone-mod command.
>>
>> To test I did this:
>> nsupdate -k /tmp/testkey
>>> update add newhost.inside.lan 86400 A 10.16.1.99
>>> send
>>
>> nsupdate works as expected, both forward and reverse records are added.
>>
>> However updates from dhcpd are rejected, here's a snippet from two log files.
>> Oh and raising the trace level with 'rndc trace 9' didn't reveal anything
>> useful (to me anyway).
>>
>> tail -f /var/log/messages /var/named/data/named.run
>> ==> /var/named/data/named.run <==
>> 12-Jan-2015 20:15:02.092 client 10.16.1.10#10196/key dhcpupdate: updating zone
>> 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
>>
>> ==> /var/log/messages <==
>> Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate:
>> updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)
>> Jan 12 20:15:02 ds01 dhcpd: No hostname for 10.16.1.203
>> Jan 12 20:15:02 ds01 dhcpd: DHCPREQUEST for 10.16.1.203 from 52:54:00:4a:44:f7
>> (nas2) via eth0
>> Jan 12 20:15:02 ds01 dhcpd: DHCPACK on 10.16.1.203 to 52:54:00:4a:44:f7 (nas2)
>> via eth0
>> Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to
>> 10.16.1.203: REFUSED
>
> dhcpd is supposed to do the same thing as nsupdate so this is weird.
>
> You can increase the log level in BIND to 8:
> $ rndc trace 8
> to get more information about the failure.
>
> An alternative is to use tcpdump/wireshark and compare the packets sent by nsupdate
> and dhcpd to see where the difference is.
>
> Feel free to send me packet captures privately if you don't want to post them
> to the mailing list.
>
> Have a nice day!
>

Petr - Thanks for the suggestion, that helped me solve the problem.

Turns out the difference is that dhcpd is also trying to add a TXT record 
which nsupdate was not (because I didn't tell it to).  So adding "grant 
dhcpupdate zonesub TXT;" to the "ipa dnszone-mod" command fixes the 
problem.

Actually it appears as though dhcpd tries to add a PTR record if the A and 
TXT are successful.  So I think I need to add "grant dhcpupdate zonesub 
PTR;" to be complete.

-- Thanks again, Mike
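The thread's diagnosis boils down to: dhcpd sends more record types than the single A update that was tested by hand, and each type needs its own `grant KEY zonesub TYPE;` entry in the zone's update policy. The script below is an added example (not code from the thread, FreeIPA or ISC dhcpd) that correlates the named "rejected by secure update" lines with the dhcpd "Unable to add ... map" lines that follow them, works out which record types the key was refused for, compares that with an existing update-policy string, and prints the `ipa dnszone-mod` command with the missing grants appended. It assumes the log formats shown in the thread, that dhcpd is using its default interim DDNS scheme (A plus a TXT record in the forward zone, PTR in the reverse zone), and that the policy uses `zonesub` grants only; the reverse-zone log lines and the zone name `1.16.10.in-addr.arpa` are constructed for the example. Two points the code encodes that are easy to miss: PTR records live in the reverse zone, so the PTR grant belongs in that zone's policy rather than in `inside.lan`, and `--update-policy` replaces the whole policy, so the existing grants must be carried over.

```python
import re
from collections import defaultdict

# Log formats as they appear in the thread (named.run lacks the "named[pid]:" prefix,
# /var/log/messages has it), so the prefix is optional.
NAMED_REFUSED = re.compile(
    r"(?:named\[\d+\]: )?client (?P<client>[\d.:a-fA-F]+)#\d+/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^/']+)/IN': update failed: "
    r"rejected by secure update \(REFUSED\)"
)
DHCPD_REFUSED = re.compile(
    r"dhcpd: Unable to add (?P<direction>forward|reverse) map from "
    r"(?P<src>\S+) to (?P<dst>\S+): REFUSED"
)
# Record types ISC dhcpd sends under its default (interim) DDNS scheme. Assumption
# for this example: A plus a TXT "claim" record forward, PTR in the reverse zone.
DHCPD_TYPES = {"forward": {"A", "TXT"}, "reverse": {"PTR"}}
# Only 'grant KEY zonesub TYPE;' entries are understood by this example.
GRANT = re.compile(r"grant\s+(?P<key>\S+)\s+zonesub\s+(?P<type>[A-Za-z0-9]+)\s*;")

# Constructed sample: lines 1-2 are the thread's own log lines, lines 3-4 show a
# reverse-zone refusal with a hypothetical reverse zone name.
SAMPLE_LOG = [
    "Jan 12 20:15:02 ds01 named[11065]: client 10.16.1.10#10196/key dhcpupdate: "
    "updating zone 'inside.lan/IN': update failed: rejected by secure update (REFUSED)",
    "Jan 12 20:15:02 ds01 dhcpd: Unable to add forward map from nas2.inside.lan to "
    "10.16.1.203: REFUSED",
    "Jan 12 20:15:03 ds01 named[11065]: client 10.16.1.10#10197/key dhcpupdate: "
    "updating zone '1.16.10.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)",
    "Jan 12 20:15:03 ds01 dhcpd: Unable to add reverse map from 10.16.1.203 to "
    "nas2.inside.lan: REFUSED",
]


def parse_refusals(lines):
    """Pair each named REFUSED line with the dhcpd 'Unable to add ... map' line that
    follows it. Returns {key: {zone: set of record types the key was refused for}}."""
    needed = defaultdict(lambda: defaultdict(set))
    pending = None  # (key, zone) of the last named refusal not yet matched to dhcpd
    for line in lines:
        m = NAMED_REFUSED.search(line)
        if m:
            pending = (m.group("key"), m.group("zone"))
            continue
        m = DHCPD_REFUSED.search(line)
        if m and pending:
            key, zone = pending
            needed[key][zone] |= DHCPD_TYPES[m.group("direction")]
            pending = None
    return {k: dict(v) for k, v in needed.items()}


def granted_types(policy, key):
    """Record types `key` may update according to the zonesub grants in `policy`."""
    return {m.group("type").upper() for m in GRANT.finditer(policy) if m.group("key") == key}


def missing_grants(policy, key, needed):
    """Record types in `needed` that `policy` does not yet grant to `key`, sorted."""
    return sorted(set(needed) - granted_types(policy, key))


def extend_policy(policy, key, needed):
    """Return `policy` with a zonesub grant appended for each missing type.
    'ipa dnszone-mod --update-policy=' replaces the whole attribute, so the
    existing grants (including FreeIPA's default krb5-self ones) are kept."""
    extra = " ".join(f"grant {key} zonesub {t};" for t in missing_grants(policy, key, needed))
    return f"{policy.strip()} {extra}".strip()


if __name__ == "__main__":
    current = "grant dhcpupdate zonesub A;"  # policy as set in the original post
    for key, zones in parse_refusals(SAMPLE_LOG).items():
        for zone, types in zones.items():
            print(f"{zone}: key {key} refused for {sorted(types)}; "
                  f"missing grants: {missing_grants(current, key, types)}")
            print(f"  ipa dnszone-mod {zone} --update-policy='{extend_policy(current, key, types)}'")
```

Feed it `grep -h -e 'rejected by secure update' -e 'Unable to add' /var/log/messages` and the current policy from `ipa dnszone-show ZONE --all`; the printed command is what to review before running, since any grant widens what the holder of that TSIG key can write into the zone.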