
Mein A-Eintrag ist verschwunden: Was kann das sein?

Ich habe einen kleinen DHCP-Server mit dynamischem DNS konfiguriert (DHCP trägt den Hostnamen automatisch im DNS ein). Das funktioniert einwandfrei, aber einer der A-Einträge verschwindet auf magische Weise, während der PTR-Eintrag in Ordnung bleibt. Das ist meine Konfiguration:

dhcpd.conf

# dhcpd.conf (as posted): ISC DHCP with server-side dynamic DNS updates sent to
# the named instance at 192.168.0.4 (see the two zone statements at the end).
authoritative;
# "interim" update style tracks ownership of a DDNS name with a TXT record
# (the newer "standard" style uses DHCID); named.conf below grants both types.
ddns-update-style interim;
ddns-updates on;
# TTL of the A/PTR records the server registers. NOTE(review): this differs from
# default-lease-time (14400) further down; the answer on this page reports that the
# vanishing A record stopped once both were set to 600.
ddns-ttl 600;
# presumably also sends DDNS updates for the fixed-address host entries (samba4) -- confirm
update-static-leases on;
ddns-domainname "mydomain.example";
ddns-rev-domainname "in-addr.arpa";
# the server performs all updates itself and ignores the client's FQDN-option request
ignore client-updates;
# NOTE(review): with conflict detection off the server replaces an existing A record
# without checking that its TXT/DHCID marker belongs to the same client, so two hosts
# claiming the same hostname silently overwrite each other's record. Leave the default
# (on) unless there is a concrete reason not to.
update-conflict-detection off;
# presumably defines the TSIG key "dhcp.mydomain.example" used in the zone statements
# below; the same key name is also accepted by the rndc control channel in named.conf.
include "/etc/dhcp/dhcp.mydomain.example";
# name to register: explicit ddns-hostname, else the client's host-name option,
# else the leased address with dashes (constructed sample: 192-168-0-32)
ddns-hostname = pick-first-value(ddns-hostname, option host-name, binary-to-ascii(10,8, "-", leased-address));
max-lease-time 86400;
default-lease-time 14400;
option domain-name-servers 192.168.0.4, 192.168.0.1;
# redefines option code 119 (domain search) as a plain string; this overlaps with the
# built-in domain-search option set in the subnet block -- confirm which one clients need
option domain-search-order code 119 = string;
option domain-search-order "mydomain.example fritz.box";
subnet 192.168.0.0 netmask 255.255.255.0 {
        option broadcast-address 192.168.0.255;
        option subnet-mask 255.255.255.0;
        option routers 192.168.0.1;
    option domain-search "mydomain.example";
# clients whose hardware address matches the (redacted) value get no lease from the pool
class "ignored" {
        match if substring(hardware,1,6) = ###################;
}
pool {
        deny members of "ignored";
        range 192.168.0.20 192.168.0.252;
        }
    }
 #
 # 
 # The subnet where the server is attached
     
# static reservation; its own ddns-ttl (one week) overrides the global 600 s
host samba4 {
hardware ethernet #####################;
fixed-address 192.168.0.5;
ddns-hostname "samba4";
ddns-ttl 604800;
}
# forward and reverse zones receive TSIG-signed updates; the key must match the
# update-policy grants for dhcp.mydomain.example in named.conf
zone mydomain.example.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}
zone 0.168.192.in-addr.arpa.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}

Dies ist die named.conf:

/* named.conf (as posted): BIND 9.11 per the dig banner further down the page.
 * Authoritative for mydomain.example and 0.168.192.in-addr.arpa (both updated
 * dynamically by DHCP and by GSS-TSIG principals), secondary for two zones from
 * 10.3.0.2, and a recursive resolver for the local networks. */
options {
    listen-on port 53 { 127.0.0.1; 192.168.0.4; };
    listen-on-v6 port 53 { ::1; };
    /* every query is logged -- handy while chasing the vanishing A record */
    querylog yes;
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    /* queries accepted only from localhost, the LAN and 10.2.0.0/24 */
    allow-query     { localhost; 192.168.0.0/24; 10.2.0.0/24;};
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    /* recursion is on, but limited by allow-recursion below */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    /* NOTE(review): ISC DLV was retired in 2017; this key file is no longer used by validation */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
        allow-new-zones yes;
        dnssec-must-be-secure "mydomain.example" yes;
        dnssec-must-be-secure "0.168.192.in-addr.arpa" yes;
        /* global default; both master zones below override it with a TSIG-keyed ACL */
        allow-transfer {127.0.0.1; };
        /* NOTE(review): 10.2.0.24 is a single host, whereas allow-query above lists
         * 10.2.0.0/24 -- probably a typo for the /24, confirm against the intended clients */
        allow-recursion {127.0.0.1; 192.168.0.0/24; 10.2.0.24; };
        /* string returned for version.bind queries instead of the real BIND version */
        version "Proot";
        /* GSS-TSIG: Kerberos principals (the redacted [email protected] grants in the
         * update-policy blocks below) authenticate their updates with this keytab */
        tkey-gssapi-keytab "/etc/dns.keytab";
        tkey-domain "MYDOMAIN.EXAMPLE";
};
/* requests sent to the master of the two slave zones (transfers, SOA checks) are signed with my-tsig */
server 10.3.0.2 {
    keys {  my-tsig; };
};
/* shared with the DHCP server (included from /etc/dhcp/dhcp.mydomain.example in dhcpd.conf);
 * authorizes the DDNS grants in both master zones AND, via controls {} below, rndc commands */
key dhcp.mydomain.example {
    algorithm hmac-sha512;
    secret "################";
};
key "my-tsig" {
algorithm HMAC-SHA512;
    secret "################";
};
/* only referenced by the allow-transfer ACLs of the two master zones */
key "my-tsig2" {
algorithm HMAC-SHA512;
    secret "################";
};
controls {
        /* NOTE(review): the rndc control channel accepts the same TSIG key that the
         * DHCP server holds for dynamic updates. Anyone with the DHCP key can therefore
         * also run rndc commands (reload, freeze, stop). Generate a dedicated key with
         * rndc-confgen and list only that key here. */
        inet 192.168.0.4 port 953 allow { 192.168.0.4; 127.0.0.1; } keys { dhcp.mydomain.example; };
        inet 127.0.0.1 port 953 allow { 127.0.0.1;  } keys { dhcp.mydomain.example; };
        };
zone "." IN {
    type hint;
    file "named.ca";
};
zone "mydomain.example." IN {
    type master;
    file "/var/named/data/mydomain.example.zone";
        /* zone transfers only for requesters signing with my-tsig2 */
        allow-transfer {key my-tsig2; };
    update-policy {
    /* the DHCP key may add or delete A, TXT, SRV, CNAME, MX and DHCID records for
     * ANY name in the zone ("wildcard *"); TXT/DHCID are the DDNS ownership markers */
    grant dhcp.mydomain.example. wildcard * A TXT SRV CNAME MX DHCID;
        /* GSS-TSIG principals (names redacted in this rendering); the third one may not touch AAAA */
        grant [email protected] wildcard * A AAAA TXT SRV CNAME MX;
        grant [email protected] wildcard * A AAAA TXT SRV CNAME MX;
        grant [email protected] wildcard * A TXT SRV CNAME MX;
 };
        key-directory "/var/named/data";
        /* inline signing: named keeps the unsigned file and maintains the .signed copy plus
         * journals (the .signed and .jnl files that appear in the grep further down the page) */
        auto-dnssec maintain;
        inline-signing yes;
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    /* NOTE(review): in named.conf a leading '#' starts a comment, so this include line is
     * inactive; the Samba principal grants are instead spelled out inline in update-policy above */
    #include "/var/lib/samba/private/named.conf.update";
    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/named/data/0.168.192.in-addr.arpa";
        allow-transfer {key my-tsig2; };
    update-policy {
    /* reverse zone: every updater is limited to PTR records */
    grant dhcp.mydomain.example. wildcard * PTR;
        grant [email protected] wildcard * PTR;
        grant [email protected] wildcard * PTR;
        grant [email protected] wildcard * PTR;
    };
        auto-dnssec maintain;
        key-directory "/var/named/data";
        inline-signing yes;
};
/* secondary zone pulled from 10.3.0.2 (signed with my-tsig per the server statement above) */
zone "otherzone.priv." IN {
        type slave;
        masters {10.3.0.2; };
        file "/var/named/data/otherzone.priv.zone";
        key-directory "/var/named/data";
        auto-dnssec maintain;
        inline-signing yes;
        /*
         * the list of principals and what they can change is created
         * dynamically by Samba, based on the membership of the domain controllers
         * group. The provision just creates this file as an empty file.
         */
        /* NOTE(review): commented out by the leading '#', as in the mydomain.example zone */
        #include "/var/lib/samba/private/named.conf.update";
        /* we need to use check-names ignore so _msdcs A records can be created */
        check-names ignore;
};
zone "0.3.10.in-addr.arpa" {
    type slave;
    file "/var/named/data/0.3.10.in-addr.arpa.zone";
        masters {10.3.0.2; };
        auto-dnssec maintain;
        key-directory "/var/named/data";
        inline-signing yes;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Im Protokoll ist nichts Seltsames zu sehen; laut einem grep im Datenverzeichnis von named scheint mein verschwundener A-Eintrag vorhanden zu sein, aber dig sagt nein:

grep -irl disappeared.mydomain.example *
0.168.192.in-addr.arpa
0.168.192.in-addr.arpa.signed
mydomain.example.zone.jnl
mydomain.example.zone.signed
mydomain.example.zone.signed.jnl

dig disappeared.mydomain.example

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> disappeared.mydomain.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 192
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 172e90668acc5f522b6add4b617edbeb3909928cefd32999 (good)
;; QUESTION SECTION:
;disappeared.mydomain.example.      IN  A

;; AUTHORITY SECTION:
mydomain.example.       86400   IN  SOA dns1.mydomain.example. root.mydomain.example. 2020140075 60 120 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Sun Oct 31 19:09:47 CET 2021
;; MSG SIZE  rcvd: 123

dig -x 192.168.0.32 gibt den richtigen Namen zurück. Was kann das sein? Ich stelle fest, dass ich die Lease manuell aus der Datei dhcpd.leases entfernen und den NetworkManager auf dem Client neu starten muss, damit der richtige A-Eintrag wieder eingetragen wird.

Antwort 1

Diese Lösung scheint zu funktionieren:

ddns-ttl 600;
default-lease-time 14400;

Die beiden Werte sind unterschiedlich.

Ich verwende nun für beide denselben Wert:

ddns-ttl 600;
default-lease-time 600;

Das funktioniert, aber ich musste die Lease-Datei (dhcpd.leases) neu erstellen.
