isc-dhcp-server
Contents
About
Internet Systems Consortium, Inc. (ISC) DHCP-Server
Docs
The man-pages provided on the system are great and sufficient.
Dynamic DNS Updates
Generate shared secret
Since Version 4.2.8 isc-dhcp-server supports new TSIG algorithms - let's try them out. https://kb.isc.org/article/AA-01243/0/DHCP-4.2.8b1-Release-Notes.html
- TSIG-authenticated dynamic DNS updates now support the use of these additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512 [ISC-Bugs #36947]
1 man dnssec-keygen
Generate the key
- For HMAC lenght (-b) must be between 1 and 512 depending on the algorithm.
Random numbers are perceived per default for /dev/random, but you can also use /dev/urandom or keyboard
- HMAC-Algorithms are symmetric, so the .private and .key file contain both the same string.
1 dnssec-keygen -a HMAC-SHA512 -b 512 -n USER DHCP_UPDATER
Configure isc-dhcp-server
- algorithm (should be a FQDN with a terminating ".", but the configuration file parser will add both if you left them out.)
/etc/dhcp/dhcpd.conf
1 # dhcpd.conf
2 #
3 # Configuration file for ISC dhcpd for Debian
4 #
5
6 # The ddns-updates-style parameter controls whether or not the server will
7 # attempt to do a DNS update when a lease is confirmed. We default to the
8 # behavior of the version 2 packages ('none', since DHCP v2 didn't
9 # have support for DDNS.)
10 ddns-update-style standard; #Default none, standard, interim, ad-hoc no longer supported
11 ddns-updates on; #Default on
12 do-forward-updates on; #Default on
13 ### DO NOT PERFORM DNS UPDATES WITH EVERY RENEW (DISABLED DURING TESTING)
14 #update-optimization false; #Default on
15 update-static-leases on; #Default off
16 allow client-updates; #Default on
17 ### USE NAMES DECLARED IN STATIC HOST DECLARATIONS
18 ### DURING DDNS UPDATES INSTEAD OF CLIENT-PROVIDED DDNS-HOSTNAME
19 ### AND SEND THIS HOSTNAME TO CLIENT (USEFUL DURING INSTALLATIONS)
20 use-host-decl-names on; #Default unknown
21
22 default-lease-time 3600;
23 max-lease-time 14400;
24
25 # If this DHCP server is the official DHCP server for the local
26 # network, the authoritative directive should be uncommented.
27 authoritative;
28
29 # Use this to send dhcp log messages to a different log file (you also
30 # have to hack syslog.conf to complete the redirection).
31 log-facility local7;
32
33
34 ### DYNAMIC DNS SETUP
35 #key DHCP_UPDATER {
36 # algorithm HMAC-MD5.SIG-ALG.REG.INT.;
37 # secret "ShortMD5Secret";
38 #};
39
40 key DHCP_UPDATER {
41 algorithm HMAC-SHA512.SIG-ALG.REG.INT.;
42 secret LogSHA512Secret==;
43 };
44
45 ### ZONES
46
47 ### KVM2
48 zone 1a.rockstable.it. {
49 primary 127.0.0.1;
50 key DHCP_UPDATER;
51 }
52
53 zone 1n.rockstable.it. {
54 primary 127.0.0.1;
55 key DHCP_UPDATER;
56 }
57
58 zone 2a.rockstable.it. {
59 primary 127.0.0.1;
60 key DHCP_UPDATER;
61 }
62
63 zone 2n.rockstable.it. {
64 primary 127.0.0.1;
65 key DHCP_UPDATER;
66 }
67
68 ### FOR ARPA ZONES RANGES OR CIDR MAY BE ALSO USED LIKE
69 ###zone 0-255.18.172.in-addr.arpa. {
70 ###zone 64/24.18.172.in-addr.arpa. {
71 zone 0.18.172.in-addr.arpa. {
72 primary 127.0.0.1;
73 key DHCP_UPDATER;
74 }
75
76 zone 64.18.172.in-addr.arpa. {
77 primary 127.0.0.1;
78 key DHCP_UPDATER;
79 }
80
81 zone 128.18.172.in-addr.arpa. {
82 primary 127.0.0.1;
83 key DHCP_UPDATER;
84 }
85
86 zone 192.18.172.in-addr.arpa. {
87 primary 127.0.0.1;
88 key DHCP_UPDATER;
89 }
90
91 ###KVM2
92 group kvm2 {
93 option domain-name "rockstable.it";
94 option domain-name-servers ns3.rockstable.org, ns2.rockstable.org;
95 option domain-search "2n.rockstable.it", "2a.rockstable.it",
96 "1n.rockstable.it", "1a.rockstable.it",
97 "rockstable.it";
98
99 ### SUBNET DECLARATIONS
100 ### INTERFACE OVS-1A (VLAN 1000)
101 subnet 172.18.0.0 netmask 255.255.255.0 {
102 ddns-domainname "1a.rockstable.it";
103 range 172.18.0.128 172.18.0.254;
104 option domain-name "1a.rockstable.it";
105 option domain-name-servers router.1a.rockstable.it,
106 ns3.rockstable.org,
107 ns2.rockstable.org;
108 option routers router.1a.rockstable.it;
109 }
110
111 ### INTERFACE OVS-1N (VLAN 1500)
112 subnet 172.18.64.0 netmask 255.255.255.0 {
113 ddns-domainname "1n.rockstable.it";
114 range 172.18.64.128 172.18.64.254;
115 option domain-name "1n.rockstable.it";
116 option domain-name-servers router.1n.rockstable.it,
117 ns3.rockstable.org,
118 ns2.rockstable.org;
119 option routers router.1n.rockstable.it;
120 }
121
122 ### INTERFACE OVS-2A (VLAN 2000)
123 subnet 172.18.128.0 netmask 255.255.255.0 {
124 ddns-domainname "2a.rockstable.org";
125 range 172.18.128.128 172.18.128.254;
126 option domain-name "2a.rockstable.it";
127 option domain-name-servers router.2a.rockstable.it,
128 ns3.rockstable.org,
129 ns2.rockstable.org;
130 option routers router.2a.rockstable.it;
131 }
132
133 ### INTERFACE OVS-2N (VLAN 2500)
134 subnet 172.18.192.0 netmask 255.255.255.0 {
135 ddns-domainname "2n.rockstable.it";
136 range 172.18.192.128 172.18.192.254;
137 option domain-name "2n.rockstable.it";
138 option domain-name-servers router.2n.rockstable.it,
139 ns3.rockstable.org,
140 ns2.rockstable.org;
141 option routers router.2n.rockstable.it;
142 }
143
144 group 1n {
145 ddns-domainname "1n.rockstable.it";
146
147 ### HOST DECLARATIONS
148 ### GIT
149 host git1.1n {
150 hardware ethernet 52:54:00:00:00:01;
151 fixed-address 172.18.0.11;
152 }
153
154 #host git-run1.1n {
155 # hardware ethernet 52:54:00:00:00:02;
156 # fixed-address 172.18.72.21;
157 #}
158
159 #host git-run2.1n {
160 # hardware ethernet 52:54:00:00:00:03;
161 # fixed-address 172.18.72.22;
162 #}
163
164 host mx1.1n {
165 hardware ethernet 52:54:00:00:00:04;
166 fixed-address 172.18.0.41;
167 }
168
169 host wiki1.1n {
170 hardware ethernet 52:54:00:00:00:05;
171 fixed-address 172.18.0.31;
172 }
173
174 host www2.1n {
175 hardware ethernet 52:54:00:00:00:06;
176 fixed-address 172.18.0.32;
177 }
178 }
179 }
Some notes on dhcpd.conf
- Host-declarations should reside in global scope (not in subnet)
- Groups can be nested and inherit from each other.
For DDNS to work isc-dhcp-server needs information which zone a host is assigned to. This can be achieved by using ddns-domainname (may in a wrapping group). If dhcpd does not initiate a DNS update, it was probably notz able to find out which zone a host should be assigned to.
For statically defined hosts the client-specified ddns-hostname = gethostname() is superseeded by the name that was declared in host-declaration, if use-host-decl-names is enabled.
- There is no super debug-level, information in syslog is sufficient.
Check dhcpd.conf
Always check isc-dhcp-server config after a change!
1 dhcpd -t
List dynamic dhcp-leases
Unfortunately statically addressed leased cannot be displayed, as they are not stored in /var/lib/dhcp/dhcpd.leases.
To see interface-card manufacturer
1 dhcp-lease-list --all
2 Reading leases from /var/lib/dhcp/dhcpd.leases
3 MAC IP hostname valid until manufacturer
4 ===============================================================================================
5 52:54:00:00:00:01 172.18.0.128 -NA- 2019-07-01 14:56:57
6 52:54:00:00:00:02 172.18.0.129 -NA- 2019-07-01 18:27:46
Configure bind9
There is a small tool that can help to generate a ddns configuration for bind9
1 host # ddns-confgen
2 # To activate this key, place the following in named.conf, and
3 # in a separate keyfile on the system or systems from which nsupdate
4 # will be run:
5 key "ddns-key" {
6 algorithm hmac-sha256;
7 secret "GEFaX01eF/DdUicA+WQviHFq+airvu5w59sg3AA2LJ0=";
8 };
9
10 # Then, in the "zone" statement for each zone you wish to dynamically
11 # update, place an "update-policy" statement granting update permission
12 # to this key. For example, the following statement grants this key
13 # permission to update any name within the zone:
14 update-policy {
15 grant ddns-key zonesub ANY;
16 };
17
18 # After the keyfile has been placed, the following command will
19 # execute nsupdate using this key:
20 nsupdate -k <keyfile>
How isc-bind9 checks its algorithms: lib/bind9/check.c:2172:bind9_check_key
Configure named.conf.local
- so an algorithm with fqdn (like in dhcpd.conf) will not work
1 key DHCP_UPDATER {
2 algorithm HMAC-SHA512;
3 secret "KeyExtractedFromPrivateFile==";
4 };
5
6 zone "16.172.in-addr.arpa" {
7 type master;
8 file "/var/lib/bind/zones/db.16.172";
9 update-policy {
10 grant DHCP_UPDATER zonesub ANY;
11 };
12 allow-query { dmz; localhost; }; # { address_match_list };
13 allow-query-on { 172.17.0.1; localhost;}; # { address_match_list };
14 };
15
16 zone "17.172.in-addr.arpa" {
17 type master;
18 file "/var/lib/bind/zones/db.17.172";
19 update-policy {
20 grant DHCP_UPDATER zonesub ANY;
21 };
22 allow-query { inside; localhost; }; # { address_match_list };
23 allow-query-on { 172.17.0.1; localhost;}; # { address_match_list };
24 };
25
26 zone "dmz.rockstable.org" {
27 type master;
28 masterfile-format text; # (text|raw)
29 file "/var/lib/bind/zones/db.org.rockstable.dmz";
30 journal "/var/lib/bind/journal/db.org.rockstable.dmz.jnl"; # string ;
31 allow-query { dmz; inside; localhost; }; # { address_match_list };
32 allow-query-on { 172.16.0.1; 172.17.0.1; localhost;}; # { address_match_list };
33 update-policy {
34 grant DHCP_UPDATER zonesub ANY;
35 };
36 check-names warn; # (warn|fail|ignore) ;
37 check-mx warn; # (warn|fail|ignore) ;
38 check-wildcard yes; # yes_or_no;
39 check-integrity yes; # yes_or_no ;
40 notify yes; # yes_or_no | explicit | master-only ;
41 zone-statistics yes; # yes_or_no ;
42 };
43
44 zone "inside.rockstable.org" {
45 type master;
46 masterfile-format text; # (text|raw)
47 file "/var/lib/bind/zones/db.org.rockstable.inside"; # string ;
48 journal "/var/lib/bind/journal/db.org.rockstable.inside.jnl"; # string ;
49 update-policy {
50 grant DNS_REPLICATOR zonesub ANY;
51 grant DHCP_UPDATER zonesub ANY;
52 };
53 allow-query { inside; localhost; }; # { address_match_list };
54 allow-query-on { 172.17.0.1; localhost;}; # { address_match_list };
55 check-names warn; # (warn|fail|ignore) ;
56 check-mx warn; # (warn|fail|ignore) ;
57 check-wildcard yes; # yes_or_no;
58 check-integrity yes; # yes_or_no ;
59 notify yes; # yes_or_no | explicit | master-only ;
60 zone-statistics yes; # yes_or_no ;
61 };
Check bind9 config
1 named-checkconf
This is an excerpt of what i have in my /etc/bind/named.conf.logging concerning ddns updates:
Test
Attach to logs
1 tail -f /var/log/dhcpd.log /var/log/bind/update-debug.log
Restart services
You can raise the loglevel during the tests
Test it by releasing ip from interface and requesting a new dhcp-lease
And it works even with the long SHA2 signatures.
1 20-Jul-2017 23:30:25.712 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
2 20-Jul-2017 23:30:25.712 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update failed: rejected by secure update (REFUSED)
3 20-Jul-2017 23:30:25.712 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': rolling back
4 20-Jul-2017 23:30:30.625 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
5 20-Jul-2017 23:30:30.626 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update failed: rejected by secure update (REFUSED)
6 20-Jul-2017 23:30:30.626 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': rolling back
7 20-Jul-2017 23:30:30.791 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
8 20-Jul-2017 23:30:30.791 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update failed: rejected by secure update (REFUSED)
9 20-Jul-2017 23:30:30.791 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': rolling back
10 20-Jul-2017 23:33:12.116 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
11 20-Jul-2017 23:33:12.116 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update failed: rejected by secure update (REFUSED)
12 20-Jul-2017 23:33:12.116 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': rolling back
13 20-Jul-2017 23:36:24.076 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
14 20-Jul-2017 23:36:24.076 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update section prescan OK
15 20-Jul-2017 23:36:24.076 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': adding an RR at 'www1.inside.rockstable.org' A 172.17.181.143
16 20-Jul-2017 23:36:24.076 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': adding an RR at 'www1.inside.rockstable.org' TXT "0041e742142b95b84c48c66835a0bf3e6b"
17 20-Jul-2017 23:36:24.076 update: debug 3: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': checking for NSEC3PARAM changes
18 20-Jul-2017 23:36:24.076 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': writing journal /var/lib/bind/journal/db.org.rockstable.inside.jnl
19 20-Jul-2017 23:36:24.223 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': committing update transaction
20 20-Jul-2017 23:36:24.265 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': prerequisites are OK
21 20-Jul-2017 23:36:24.265 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': update section prescan OK
22 20-Jul-2017 23:36:24.265 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': deleting rrset at '143.181.17.172.in-addr.arpa' PTR
23 20-Jul-2017 23:36:24.265 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': adding an RR at '143.181.17.172.in-addr.arpa' PTR www1.inside.rockstable.org.
24 20-Jul-2017 23:36:24.265 update: debug 3: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': checking for NSEC3PARAM changes
25 20-Jul-2017 23:36:24.265 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': writing journal /var/lib/bind/zones/db.17.172.jnl
26 20-Jul-2017 23:36:24.437 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': committing update transaction
27 21-Jul-2017 00:02:07.954 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update unsuccessful: www1.inside.rockstable.org: 'name not in use' prerequisite not satisfied (YXDOMAIN)
28 21-Jul-2017 00:02:07.954 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': rolling back
29 21-Jul-2017 00:02:08.014 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': prerequisites are OK
30 21-Jul-2017 00:02:08.014 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': update section prescan OK
31 21-Jul-2017 00:02:08.014 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': deleting rrset at 'www1.inside.rockstable.org' A
32 21-Jul-2017 00:02:08.014 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': adding an RR at 'www1.inside.rockstable.org' A 172.17.128.1
33 21-Jul-2017 00:02:08.014 update: debug 3: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': checking for NSEC3PARAM changes
34 21-Jul-2017 00:02:08.014 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': writing journal /var/lib/bind/journal/db.org.rockstable.inside.jnl
35 21-Jul-2017 00:02:08.108 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone 'inside.rockstable.org/IN': committing update transaction
36 21-Jul-2017 00:02:08.109 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': prerequisites are OK
37 21-Jul-2017 00:02:08.109 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': update section prescan OK
38 21-Jul-2017 00:02:08.109 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': deleting rrset at '1.128.17.172.in-addr.arpa' PTR
39 21-Jul-2017 00:02:08.109 update: info: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': adding an RR at '1.128.17.172.in-addr.arpa' PTR www1.inside.rockstable.org.
40 21-Jul-2017 00:02:08.109 update: debug 3: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': checking for NSEC3PARAM changes
41 21-Jul-2017 00:02:08.109 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': writing journal /var/lib/bind/zones/db.17.172.jnl
42 21-Jul-2017 00:02:08.195 update: debug 8: client 127.0.0.1#7440/key dhcp_updater: updating zone '17.172.in-addr.arpa/IN': committing update transaction