17.4 Configuring DNS to Accept Automatic Updates from a DHCP Server

     

There are two parts to this configuration. First, we update the DHCP server to tell it where to send Dynamic DNS updates. This is the address of the DNS master server, because updates are accepted only by the master. Second, we configure the DNS master server to accept those updates.

17.4.1 Updating the DHCP Server

The DHCP server and the DNS server should exist on the same machine. In our case, both the master DNS server and the DHCP server are on node hpeos004. I updated the /etc/dhcptab file by adding the following three lines, pcsn, sp, and ddns-address (the last three lines of the listing):

 

    root@hpeos004[dns] vi /etc/dhcptab
    dhcp_pool_group:\
            pool-name=64Subnet:\
            addr-pool-start-address=192.168.0.82:\
            addr-pool-last-address=192.168.0.94:\
            lease-time=604800:\
            lease-policy=accept-new-clients:\
            allow-bootp-clients=FALSE:\
            hn:\
            subnet-mask=255.255.255.224:\
            gw=192.168.0.66:\
            sr=192.168.0.32 192.168.0.65 :\
            dn=maabof.com:\
            ds=192.168.0.34:\
            nt=192.168.0.34:\
            pcsn:\
            sp:\
            ddns-address=192.168.0.35:
    root@hpeos004[dns]

The Boolean tag pcsn: is used to assign a name for every IP address. When this tag is set, the DHCP server gives priority to the name (if any) provided by the client. The name must be a fully qualified domain name (FQDN). If an FQDN is not specified, the DHCP server appends the domain name (if set with the dn tag) to the client's hostname; otherwise, it appends a . (period) and updates the Dynamic DNS server (DDNS). The tag sp: is also a Boolean tag; if set, it causes bootpd not to use the prerequisite section in the update request when it sends an update to DNS (this allows it to add new entries to the DNS when an entry has never existed before). The tag ddns-address specifies the address of the DDNS server. The ddns-address must be the IP address of a local DHCP server; it cannot be the IP address of a remote system. I can check the changes I made to my /etc/dhcptab file:

 

    root@hpeos004[dns] dhcptools -v
    The validate operation was successful.
    Results were written to the file /tmp/dhcpvalidate.
    root@hpeos004[dns] cat /tmp/dhcpvalidate
    # /tmp/dhcpvalidate:dhcp validation output.
    #
    # generated on Tue Oct 23 12:23:31 2003
    /etc/dhcptab validated, no errors found.
    /etc/bootptab validated, no errors found.
    No inconsistencies found in the data store.
    root@hpeos004[dns]

I am now ready to update my DNS master server.
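dhcptools -v only checks the syntax of /etc/dhcptab. The tags that Dynamic DNS depends on (pcsn, sp, ddns-address and dn) are easy to check mechanically as well. The following is an added example, not code from the book or from HP-UX: it parses the termcap-style dhcptab record format (colon-separated fields, backslash continuation lines, # comments) for a constructed copy of the pool group shown above and reports the DDNS-related findings a practitioner would want to see. Function names and the finding texts are this example's own.

```python
"""Parse HP-UX /etc/dhcptab records and check the tags that Dynamic DNS
updates depend on.  Added example; not code from the book or from HP-UX."""
import ipaddress

# Constructed sample: the pool group shown in the text, with the three
# DDNS-related tags (pcsn, sp, ddns-address) at the end.
SAMPLE_DHCPTAB = r"""
# pool group for the 192.168.0.64/27 subnet
dhcp_pool_group:\
        pool-name=64Subnet:\
        addr-pool-start-address=192.168.0.82:\
        addr-pool-last-address=192.168.0.94:\
        lease-time=604800:\
        lease-policy=accept-new-clients:\
        allow-bootp-clients=FALSE:\
        hn:\
        subnet-mask=255.255.255.224:\
        gw=192.168.0.66:\
        sr=192.168.0.32 192.168.0.65 :\
        dn=maabof.com:\
        ds=192.168.0.34:\
        nt=192.168.0.34:\
        pcsn:\
        sp:\
        ddns-address=192.168.0.35:
"""


def parse_dhcptab(text):
    """Return {record_name: {tag: value}}; Boolean tags map to True.

    dhcptab is termcap-style: one record per logical line, fields separated
    by ':', physical lines joined with a trailing backslash, '#' comments.
    """
    records, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('\\'):              # continuation line: accumulate
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        fields = [f.strip() for f in ''.join(pending).split(':')]
        pending = []
        name, tags = fields[0], {}
        for field in fields[1:]:
            if not field:
                continue
            key, sep, value = field.partition('=')
            tags[key.strip()] = value.strip() if sep else True
        records[name] = tags
    return records


def check_ddns_tags(tags):
    """Return a list of findings (strings) for one pool group; [] means the
    DDNS-related tags are consistent with what bootpd needs."""
    findings = []
    if tags.get('pcsn') is not True:
        findings.append('pcsn not set: bootpd assigns no name per address, '
                        'so it sends no DDNS update')
    if 'ddns-address' not in tags:
        findings.append('ddns-address missing: no DNS master to send updates to')
    else:
        try:
            ipaddress.IPv4Address(tags['ddns-address'])
        except ValueError:
            findings.append('ddns-address is not a valid IPv4 address: %r'
                            % (tags['ddns-address'],))
    if 'dn' not in tags:
        findings.append('dn not set: a client that sends a bare hostname gets '
                        'only "." appended before the update')
    if tags.get('sp') is True:
        # RFC 2136: an update with no prerequisite section is applied
        # unconditionally, so nothing guards an existing name of the same value.
        findings.append('sp set: update requests omit the prerequisite section, '
                        'so the server applies the add unconditionally')
    # Sanity check on the pool itself: both ends inside the gateway's subnet.
    if {'gw', 'subnet-mask', 'addr-pool-start-address',
            'addr-pool-last-address'} <= set(tags):
        net = ipaddress.ip_network('%s/%s' % (tags['gw'], tags['subnet-mask']),
                                   strict=False)
        lo = ipaddress.IPv4Address(tags['addr-pool-start-address'])
        hi = ipaddress.IPv4Address(tags['addr-pool-last-address'])
        if not (lo in net and hi in net and lo <= hi):
            findings.append('pool %s-%s is not inside %s' % (lo, hi, net))
    return findings


if __name__ == '__main__':
    for name, tags in parse_dhcptab(SAMPLE_DHCPTAB).items():
        print(name, check_ddns_tags(tags) or 'OK')
```

For the record above the only finding is the one about sp, which is informational: it is exactly what the text says sp is for, but it is worth knowing that the resulting updates carry no prerequisites.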

17.4.2 Updating the DNS Master Server

We need to configure the DNS server to allow updates from a remote location. In fact, the IP address of that "remote location" is the IP address of this node: remember, the DHCP server and the DNS master server should be located on the same node. Here are the changes I made to the /etc/named.conf file (the allow-update lines in each zone):

 

    root@hpeos004[dns] cat /etc/named.conf
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
            listen-on { any; };
            listen-on-v6 { any; };
            random-device "/dev/random";
            forwarders { 213.1.119.101; 213.1.119.102; };
    };
    key TSIGkey {
            algorithm "hmac-md5";
            secret "L4Et2wOlxj6CYKIf8g2AbOjBaa+DSDhmGoDOARdsx4WfBbkbiwyKT+BFZ5dFBNrPY7XBDa/uSluKmfyB3kUPeQ==";
            };
    controls {
            inet 127.0.0.1 allow { 127.0.0.1; } keys { TSIGkey; };
            };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type master;
            file "db.IP6.INT";
            allow-update { 192.168.0.35; 192.168.0.66; };
    };
    zone "maabof.com" {
            type master;
            file "db.maabof";
            allow-update { 192.168.0.35; 192.168.0.66; };
    };
    zone "168.192.IN-ADDR.ARPA" {
            type master;
            file "db.192.168";
            allow-update { 192.168.0.35; 192.168.0.66; };
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[dns]

As you can see, I am using the allow-update policy, specifying my own IP addresses as the hosts allowed to update resource records on this machine (I could have used the keyword localhost to denote all IPv4 addresses on local interfaces). By default, no addresses are allowed to perform Dynamic DNS updates.

To make these changes effective, I need to reload the /etc/named.conf configuration file.

 

    root@hpeos004[dns] named-checkconf
    root@hpeos004[dns] rndc reload
    root@hpeos004[dns]

I can check the daemon messages in syslog to ensure that the reload has worked. Here is an extract from my netdaemon.log file showing the syslog messages relating to the rndc reload:

 

    Oct 23 12:51:42 hpeos004 named[782]: loading configuration from '/etc/named.conf'
    Oct 23 12:51:42 hpeos004 named[782]: zone 'IP6.INT' allows updates by IP address, which is insecure
    Oct 23 12:51:42 hpeos004 named[782]: zone 'maabof.com' allows updates by IP address, which is insecure
    Oct 23 12:51:42 hpeos004 named[782]: zone '168.192.IN-ADDR.ARPA' allows updates by IP address, which is insecure

The messages about updates being insecure appear because I am not using DNS Security signatures to authenticate updates; allowing updates by IP address alone is what named is warning about. That's a homework assignment for you! I started talking about signatures when I mentioned the dnssec-keygen command. From there, we can make keysets and sign them. Have a look at the man page for dnssec-keygen if you are interested.

Let's see if I can renew a DHCP lease on one of my PC clients (using the ipconfig /renew command at the C:\> prompt). Here's the output from syslog:

 

    Oct 23 13:14:47 hpeos004 bootpd[5292]: Received DHCPDISCOVER creating DHCPOFFER.  Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id not sent.
    Oct 23 13:14:50 hpeos004 bootpd[5292]: client 192.168.0.88 requested unknown/unservable option.tag = f9
    Oct 23 13:14:50 hpeos004 bootpd[5292]: sending reply to 192.168.0.88 on port 68
    Oct 23 13:14:50 hpeos004 bootpd[5292]: Received DHCPREQUEST creating DHCPACK. Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id 192.168.0.66.
    Oct 23 13:14:50 hpeos004 bootpd[5292]: allocated ip: udpated dhcpdb and hash tables.
    Oct 23 13:14:50 hpeos004 bootpd[5292]: copying options from 64Subnet
    Oct 23 13:14:50 hpeos004 named[5264]: client ::ffff:192.168.0.35#50171: update 'maabof.com/IN' denied
    Oct 23 13:14:50 hpeos004 bootpd[5292]: ADD operation for 192.168.0.88 to DDNS failed
    Oct 23 13:14:50 hpeos004 bootpd[5292]: ADD operation for 88.0.168.192.in-addr.arpa. to DDNS failed
    Oct 23 13:14:50 hpeos004 bootpd[5292]: copying options from default client group
    Oct 23 13:14:50 hpeos004 bootpd[5292]: client 192.168.0.88 requested unknown/unservable option.tag = f9
    Oct 23 13:14:50 hpeos004 bootpd[5292]: sending reply to 192.168.0.88 on port 68
    Oct 23 13:14:50 hpeos004 bootpd[5292]: offer freed

The most important lines are the named "update ... denied" message and the two bootpd "ADD operation ... to DDNS failed" messages. The DHCP part of the configuration has worked insofar as the PC now has an IP configuration:

 

    C:\> ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : CKPC2
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Mixed
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : MSHOME.NET

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . : maabof.com
            Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
            Physical Address. . . . . . . . . : 00-08-74-E5-86-BE
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.0.88
            Subnet Mask . . . . . . . . . . . : 255.255.255.224
            Default Gateway . . . . . . . . . : 192.168.0.66
            DHCP Server . . . . . . . . . . . : 192.168.0.66
            DNS Servers . . . . . . . . . . . : 213.1.119.101
                                                213.1.119.102
            Lease Obtained. . . . . . . . . . : 23 October 2003 13:15:13
            Lease Expires . . . . . . . . . . : 30 October 2003 13:15:13

    Ethernet adapter {3C3B014F-91F6-483A-BC9E-36734E8AD7B1}:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Packet Scheduler Miniport
            Physical Address. . . . . . . . . : 44-45-53-54-42-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 0.0.0.0
            Subnet Mask . . . . . . . . . . . : 0.0.0.0
            Default Gateway . . . . . . . . . :

    Ethernet adapter Bluetooth Network:

            Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : Bluetooth LAN Access Server Driver
            Physical Address. . . . . . . . . : 00-80-98-34-D0-47
    C:\>

The PC has a hostname of CKPC2. This should have been added to the DNS. However, the output from named above shows that the update failed. There seems to be something strange going on here. The problem is caused by the inclusion of IPv6 on this machine. If you look carefully, there is a telling message in the output above. I will separate it out here:

 

    Oct 23 13:14:50 hpeos004 named[5264]: client ::ffff:192.168.0.35#50171: update 'maabof.com/IN' denied

The IP address ::ffff:192.168.0.35 looks a little strange. This is known as an IPv4-mapped IPv6 address, documented in RFC2372 (IPv6 Addressing Architecture): the first 80 bits are zeros, then 16 bits of FFFF, then the 32-bit IPv4 address. It is usually seen when an IPv6-enabled node is using only IPv4 addresses. To spot whether your system is using such addresses, ensure that inetd has logging enabled and then connect to your own machine with a utility such as telnet, using an IPv4 address. Here's the output I got, followed by the corresponding syslog entry (the netdaemon.log file in my case):

 

    root@hpeos004[dns] telnet 192.168.0.35
    Trying...
    Connected to ::ffff:192.168.0.35.
    Escape character is '^]'.
    Local flow control on
    Telnet TERMINAL-SPEED option ON

    HP-UX hpeos004 B.11.11 U 9000/800 (ta)

    login:
    telnet> quit
    Connection closed.
    root@hpeos004[dns]
    root@hpeos004[dns] tail -1 /var/adm/syslog/netdaemon.log
    Oct 23 13:27:06 hpeos004 inetd[5302]: telnet/tcp: Connection from unknown (::ffff:192.168.0.35) at Tue Oct 23 13:27:06 2003
    root@hpeos004[dns]

You can even see it in the output from telnet itself. The syslog output shows a hostname of unknown because these addresses are not in our /etc/hosts file. I will add them to my /etc/hosts file. Because they are neither a pure IPv4 nor a pure IPv6 address, I have found that hosts_to_named is not able to handle them; it doesn't know whether they are IPv4 or IPv6 addresses. I will leave them in my /etc/hosts file and hope that my /etc/nsswitch.conf file will be sufficient to continue resolving the addresses.

I need to update my /etc/named.conf with these IPv4-mapped IPv6 addresses. I am going to set up an Access Control List (acl), which is a shorthand way of referring to all the addresses belonging to a particular name:

 

    root@hpeos004[dns] more /etc/named.conf
    #
    # type domain source file
    #
    options {
            directory "/etc/dns";
            listen-on { any; };
            listen-on-v6 { any; };
            random-device "/dev/random";
            forwarders { 213.1.119.101; 213.1.119.102; };
    };
    acl MASTER {
            localhost;
            ::ffff:192.168.0.35;
            ::ffff:192.168.0.66;
            };
    key TSIGkey {
            algorithm "hmac-md5";
            secret "L4Et2wOlxj6CYKIf8g2AbOjBaa+DSDhmGoDOARdsx4WfBbkbiwyKT+BFZ5dFBNrPY7XBDa/uSluKmfyB3kUPeQ==";
            };
    controls {
            inet 127.0.0.1 allow { 127.0.0.1; } keys { TSIGkey; };
            };
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "db.127.0.0";
    };
    zone "IP6.INT" {
            type master;
            file "db.IP6.INT";
            allow-update { MASTER; };
    };
    zone "maabof.com" {
            type master;
            file "db.maabof";
            allow-update { MASTER; };
    };
    zone "168.192.IN-ADDR.ARPA" {
            type master;
            file "db.192.168";
            allow-update { MASTER; };
    };
    zone "." {
            type hint;
            file "db.cache";
    };
    root@hpeos004[dns] named-checkconf
    root@hpeos004[dns] rndc reload
    root@hpeos004[dns]
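The denied update, the IPv4-mapped address explanation, and the change from the original allow-update list to the MASTER acl are easier to reason about with a small triage script. The following is an added example (Python; not code from the book, from bootpd or from BIND) that parses constructed syslog lines modelled on the extracts above, unmaps ::ffff: client addresses with Python's ipaddress module, flags the bootpd "DDNS failed" events, and compares each denied client against both allow-update lists shown on this page. Its acl_allows() is a literal address match written to reproduce the behaviour observed here (an IPv4 entry not matching a client logged as ::ffff:IPv4); it is not BIND's own address-match-list code, and the localhost entry of acl MASTER is left out because the script does not know the server's interfaces. Function names are this example's own.

```python
"""Triage netdaemon.log for Dynamic DNS update failures and explain why an
IPv4-mapped IPv6 client address is denied by an IPv4-only allow-update list.
Added example; not code from the book, bootpd or BIND."""
import ipaddress
import re

# Constructed sample lines, modelled on the syslog extracts in the text.
SAMPLE_LOG = """\
Oct 23 13:14:50 hpeos004 named[5264]: client ::ffff:192.168.0.35#50171: update 'maabof.com/IN' denied
Oct 23 13:14:50 hpeos004 bootpd[5292]: ADD operation for 192.168.0.88 to DDNS failed
Oct 23 13:14:50 hpeos004 bootpd[5292]: ADD operation for 88.0.168.192.in-addr.arpa. to DDNS failed
Oct 23 14:03:28 hpeos004 named[12156]: client ::ffff:192.168.0.66#50307: updating zone 'maabof.com/IN': adding an RR
Oct 23 14:03:28 hpeos004 bootpd[5292]: ADD operation for 192.168.0.88 to DDNS succeeded
"""

# The two allow-update lists from the text.  acl MASTER also lists
# localhost; it is left out here because this script does not know the
# server's interface addresses.
ORIGINAL_ACL = ['192.168.0.35', '192.168.0.66']
MASTER_ACL = ['::ffff:192.168.0.35', '::ffff:192.168.0.66']

CLIENT_RE = re.compile(
    r"named\[\d+\]: client (?P<addr>[0-9A-Fa-f.:]+)#\d+: (?P<msg>.*)$")
DDNS_RE = re.compile(
    r"bootpd\[\d+\]: ADD operation for (?P<name>\S+) to DDNS (?P<result>succeeded|failed)")


def unmap(addr_text):
    """Return (address, was_mapped).

    ::ffff:a.b.c.d is an IPv4-mapped IPv6 address: 80 zero bits, 16 one
    bits, then the 32-bit IPv4 address.  Unmapping yields the IPv4 address
    the peer actually used on the wire.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, True
    return addr, False


def parse_events(log_text):
    """Extract named client events and bootpd DDNS results from log lines."""
    events = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            plain, mapped = unmap(m.group('addr'))
            events.append({'source': 'named', 'client': m.group('addr'),
                           'unmapped': str(plain), 'ipv4_mapped': mapped,
                           'denied': m.group('msg').endswith(' denied')})
            continue
        m = DDNS_RE.search(line)
        if m:
            events.append({'source': 'bootpd', 'name': m.group('name'),
                           'failed': m.group('result') == 'failed'})
    return events


def acl_allows(acl, client_text):
    """Literal address-match-list check modelling what the text observed:
    an IPv4 entry does not match a client that arrived as ::ffff:IPv4, so
    the list must carry the mapped form (or the client must be unmapped
    before the comparison)."""
    client = ipaddress.ip_address(client_text)
    return any(ipaddress.ip_address(entry) == client for entry in acl)


def explain_denials(events, acl):
    """One note per denied update: does the ACL match the address as logged,
    and would it match the unmapped IPv4 address?"""
    notes = []
    for ev in events:
        if ev['source'] == 'named' and ev['denied']:
            notes.append('%s denied: listed as logged=%s, listed as %s=%s'
                         % (ev['client'], acl_allows(acl, ev['client']),
                            ev['unmapped'], acl_allows(acl, ev['unmapped'])))
    return notes


if __name__ == '__main__':
    evs = parse_events(SAMPLE_LOG)
    for note in explain_denials(evs, ORIGINAL_ACL):
        print(note)
    print('failed DDNS adds:', sum(e.get('failed', False) for e in evs))
```

Run against the original list the note reads "listed as logged=False, listed as 192.168.0.35=True", which is the whole problem in one line: the address the administrator wrote is there, but not in the form named saw it. Against MASTER_ACL the same client matches as logged.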

Now that I have updated my /etc/named.conf file with the appropriate entries, I can proceed to perform a Dynamic DNS update. I will renew the DHCP lease on my PC again. Here's the resulting output in the netdaemon.log file:

 

    root@hpeos004[dns] more /var/adm/syslog/netdaemon.log
    ...
    Oct 23 14:03:25 hpeos004 bootpd[5292]: Received DHCPDISCOVER creating DHCPOFFER.  Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id not sent.
    Oct 23 14:03:25 hpeos004 bootpd[5292]: Probing IP address 192.168.0.88:01000874E586BE:000874E586BE
    Oct 23 14:01:41 hpeos004 bootpd[5292]: not ICMP packet
    Oct 23 14:03:25 hpeos004 above message repeats 450 times
    Oct 23 14:03:25 hpeos004 bootpd[5292]: hash_Delete found no host pointer to delete.
    Oct 23 14:03:25 hpeos004 bootpd[5292]: saved offer.
    Oct 23 14:03:25 hpeos004 bootpd[5292]: copying options from 64Subnet
    Oct 23 14:03:25 hpeos004 bootpd[5292]: copying options from default client group
    Oct 23 14:03:25 hpeos004 bootpd[5292]: not ICMP packet
    Oct 23 14:03:28 hpeos004 bootpd[5292]: copying options from 64Subnet
    Oct 23 14:03:28 hpeos004 bootpd[5292]: copying options from default client group
    Oct 23 14:03:28 hpeos004 bootpd[5292]: Received DHCPDISCOVER creating DHCPOFFER.  Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id not sent.
    Oct 23 14:03:28 hpeos004 above message repeats 2 times
    Oct 23 14:03:28 hpeos004 bootpd[5292]: assigned IP address 192.168.0.88:01000874E586BE:000874E586BE
    Oct 23 14:03:28 hpeos004 bootpd[5292]: copying options from 64Subnet
    Oct 23 14:03:28 hpeos004 bootpd[5292]: client 192.168.0.88 requested unknown/unservable option.tag = f9
    Oct 23 14:03:28 hpeos004 bootpd[5292]: saved offer.
    Oct 23 14:03:28 hpeos004 bootpd[5292]: sending reply to 192.168.0.88 on port 68
    Oct 23 14:03:28 hpeos004 bootpd[5292]: Received DHCPDISCOVER creating DHCPOFFER.  Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id not sent.
    Oct 23 14:03:28 hpeos004 bootpd[5292]: Received DHCPREQUEST creating DHCPACK. Request data: ci = 01000874E586BE, req IP 192.168.0.88, ciaddr 0.0.0.0, giaddr 0.0.0.0, broadcast reply off, server id 192.168.0.66.
    Oct 23 14:03:28 hpeos004 bootpd[5292]: allocated ip: udpated dhcpdb and hash tables.
    Oct 23 14:03:28 hpeos004 bootpd[5292]: copying options from 64Subnet
    Oct 23 14:03:28 hpeos004 named[12156]: client ::ffff:192.168.0.66#50307: updating zone 'maabof.com/IN': adding an RR
    Oct 23 14:03:28 hpeos004 bootpd[5292]: ADD operation for 192.168.0.88 to DDNS succeeded
    Oct 23 14:03:28 hpeos004 named[12156]: client ::ffff:192.168.0.35#50310: updating zone '168.192.IN-ADDR.ARPA/IN': adding an RR
    Oct 23 14:03:28 hpeos004 bootpd[5292]: ADD operation for 88.0.168.192.in-addr.arpa. to DDNS succeeded
    Oct 23 14:03:28 hpeos004 bootpd[5292]: client 192.168.0.88 requested unknown/unservable option.tag = f9
    Oct 23 14:03:28 hpeos004 bootpd[5292]: offer freed

As you can see from the named "adding an RR" and bootpd "DDNS succeeded" messages above, the Dynamic DNS updates worked this time:

 

    root@hpeos004[dns] nslookup 192.168.0.88
    Name Server:  hpeos004.maabof.com
    Address:  192.168.0.35

    Trying DNS
    Name:    CKPC2.maabof.com
    Address:  192.168.0.88
    root@hpeos004[dns]

NOTE : This particular configuration was set up to show peculiarities when IPv6 is installed but not configured or used. The problems experienced with the IPv4-mapped IPv6 addresses are unique to this situation. It may be that such problems will be experienced in the field where customers install IPv6 but don't utilize it. Where a pure IPv6 or a truly mixed environment is in use, such problems are not normally experienced.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434