Netgate Discussion Forum

    DHCP DNS registration on FreeIPA

    DHCP and DNS
    21 Posts 2 Posters 3.8k Views

      Phonix66

      Many Thanks @kiokoman,

      I will try that tomorrow, not that I’m doubting the information, but isn’t DDNS designed for updating public DNS?

      Thanks again.

        Phonix66 @Phonix66

        @Phonix66
        Ok, have been reading this here:
        https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html

        makes sense!
        Will apply ASAP.

        Thx

          Phonix66 @kiokoman

          Thanks, @kiokoman

          I have completed all as advised.
          I cannot tell if it's really working since I don't see a difference from the state I had before.
          What I can surely see is the following: on the FreeIPA server, no DNS records are being automatically created (neither A nor reverse).
          That makes me believe that something isn't being registered as it is supposed to.

          KR,

            kiokoman

            you need to check the named logs; you should see something like

            02-Oct-2020 13:02:52.314 client @0x7ff3d81c3850 172.16.0.254#25129/key rndc-key: view trusted: updating zone 'trmultiservice.lab/IN': deleting rrset at 'PC-PRINK.trmultiservice.lab' TXT
            02-Oct-2020 13:02:52.314 client @0x7ff3d81c3850 172.16.0.254#25129/key rndc-key: view trusted: updating zone 'trmultiservice.lab/IN': adding an RR at 'PC-PRINK.trmultiservice.lab' TXT "31329b13b011cd42487cdf165ec99d3832"
            02-Oct-2020 13:02:52.314 client @0x7ff3d81c3850 172.16.0.254#25129/key rndc-key: view trusted: updating zone 'trmultiservice.lab/IN': deleting rrset at 'PC-PRINK.trmultiservice.lab' A
            02-Oct-2020 13:02:52.314 client @0x7ff3d81c3850 172.16.0.254#25129/key rndc-key: view trusted: updating zone 'trmultiservice.lab/IN': adding an RR at 'PC-PRINK.trmultiservice.lab' A 192.168.1.13
            02-Oct-2020 13:02:52.322 client @0x7ff3d81c3850 172.16.0.254#33543/key rndc-key: view trusted: updating zone '1.168.192.IN-ADDR.ARPA/IN': deleting rrset at '13.1.168.192.in-addr.arpa' PTR
            02-Oct-2020 13:02:52.322 client @0x7ff3d81c3850 172.16.0.254#33543/key rndc-key: view trusted: updating zone '1.168.192.IN-ADDR.ARPA/IN': adding an RR at '13.1.168.192.in-addr.arpa' PTR PC-PRINK.trmultiservice.lab.
            

            where 172.16.0.254 is my pfsense.

            be sure you have -> include "/path/to/rndc.key"; inside your named.conf,
            check the acl to be sure your pfsense is trusted by bind9
            you need to manually create the zone files, they will not be automagically generated by bind
            if you have set everything on pfsense as I said earlier, you need to configure bind to receive it. maybe ask the FreeIPA forum about that

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

              Phonix66 @kiokoman

              @kiokoman Thanks for the quick reply. 😄

              First, I am unable to add the "/path/to/rndc.key"; here pfSense will not accept anything else than "rndc-key". Adding the "/path/to/rndc.key" throws this error:
              The following input errors were detected:
              The domain key name may only contain the characters a-z, A-Z, 0-9, '-' and '_'

              My file on the BIND server is at "/etc/rndc.key".

              Also, looking into the logs on the BIND server and comparing them to your logs, I get:
              02-Oct-2020 13:21:16.571 client @0x7f784c0ce650 192.168.6.254#44662: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 13:25:17.450 client @0x7f78384cdef0 192.168.6.254#43356: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 13:25:21.403 client @0x7f7838295ef0 192.168.6.254#38503: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 13:28:35.301 client @0x7f783c293a00 192.168.6.254#33923: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 14:03:33.533 client @0x7f78380a0940 192.168.6.254#59003: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 14:10:26.461 client @0x7f784c0ce650 192.168.6.254#18281: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 14:16:53.216 client @0x7f7838295ef0 192.168.6.254#59198: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 14:25:14.917 client @0x7f78383ac9d0 192.168.6.254#38966: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              02-Oct-2020 14:25:21.406 client @0x7f784c0bfa80 192.168.6.254#10953: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
              where 192.168.0.254 is my pfsense (this VLAN interface for that zone)

              I was looking into the FreeIPA documentation and there is no GUI option for the bind server; it's just like any CLI bind configuration.
              I believe that the rndc.key secret key is not being interpreted correctly by the DHCP server, but I'm quite lost at the moment...

              Thanks,

                kiokoman

                include "/path/to/rndc.key"
                

                -> go inside named.conf on freeipa

                tsig verify failure (BADKEY)
                

                the key inside pfsense and the one inside rndc.key are not the same

                Immagine.jpg

                DNS Domain key secret must match what you have on freeipa inside rndc.key


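The two failures so far (the pfSense form rejecting "/path/to/rndc.key" as a key name, and BADKEY when the secret does not match) can be checked before touching named. The following Python snippet is an added example, not code from this thread or from pfSense/FreeIPA: it parses a BIND key statement in the format of /etc/rndc.key and compares it with the key name and secret entered in pfSense. The parser regex, the charset rule (taken from the pfSense error text quoted above) and the sample key file are my own constructions.

```python
import base64
import binascii
import re

# Key-name charset enforced by the pfSense DHCP form (its error text is quoted in this thread).
PFSENSE_KEY_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
# Digest sizes in bytes for the SHA-family HMAC algorithms BIND uses for TSIG.
HMAC_LEN = {"hmac-sha1": 20, "hmac-sha224": 28, "hmac-sha256": 32,
            "hmac-sha384": 48, "hmac-sha512": 64}
# A BIND key statement as written by rndc-confgen / tsig-keygen (assumed layout).
KEY_STMT = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;')

def parse_key_file(text):
    """Return (name, algorithm, secret) from the first key {} statement in text."""
    m = KEY_STMT.search(text)
    if not m:
        raise ValueError("no key statement found")
    return m["name"], m["alg"].lower(), m["secret"]

def check_against_pfsense(keyfile_text, pf_name, pf_secret):
    """List problems that would show up as a pfSense form error or as BADKEY in named."""
    name, alg, secret = parse_key_file(keyfile_text)
    problems = []
    if not PFSENSE_KEY_NAME.match(pf_name):
        problems.append("pfSense form rejects key name %r (only a-z, A-Z, 0-9, '-', '_')" % pf_name)
    if alg not in HMAC_LEN:
        problems.append("algorithm %r is not a TSIG HMAC handled here" % alg)
    try:
        raw = base64.b64decode(secret, validate=True)
        if alg in HMAC_LEN and len(raw) < HMAC_LEN[alg]:
            problems.append("secret is shorter than the %s digest size" % alg)
    except (binascii.Error, ValueError):
        problems.append("secret in key file is not valid base64")
    if pf_name != name:
        problems.append("key name on pfSense (%r) != %r in key file: named logs BADKEY" % (pf_name, name))
    if pf_secret.strip() != secret:
        problems.append("secret on pfSense differs from key file: named logs BADKEY")
    return problems

# Constructed key file in the layout of /etc/rndc.key; the secret is a throwaway value.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KEY_FILE = 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' % SAMPLE_SECRET
```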
                  Phonix66

                  I went into the named.conf on freeipa and added the:

                  include "/etc/rndc.key"
                  

                  Unfortunately it didn't work; bind was not working after.

                  Otherwise I have set all the settings as you did; I have taken the key for the DNS Domain key secret from the rndc.key on the FreeIPA server.

                  Where should I put the following?

                  include "/etc/rndc.key"
                  

                  Here is what my /etc/named.conf looks like:
                  named-conf.txt

                  Unfortunately it didn't work

                    kiokoman

                    under

                    include "/etc/named.rfc1912.zones";
                    include "/etc/named.root.key";
                    

                    did you forget the

                    ;
                    

                    at the end perhaps?

                    include "/etc/rndc.key";
                    

                    check the logs if it does not start; they will tell you why

                      Phonix66 @kiokoman

                      @kiokoman

                      Ok, I added all the info as you suggested.
                      It seems like we are making progress, but now I get the following:

                      02-Oct-2020 18:38:49.677 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone D.F.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone 8.E.F.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone 9.E.F.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone A.E.F.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone B.E.F.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.677 zone EMPTY.AS112.ARPA/IN: shutting down
                      02-Oct-2020 18:38:49.688 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
                      02-Oct-2020 18:38:49.695 LDAP configuration for instance 'ipa' synchronized
                      02-Oct-2020 18:38:49.718 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
                      02-Oct-2020 18:38:49.808 zone 2.168.192.in-addr.arpa/IN: loaded serial 1601656729
                      02-Oct-2020 18:38:49.808 zone 6.168.192.in-addr.arpa/IN: loaded serial 1601656729
                      02-Oct-2020 18:38:49.809 zone int.example.com/IN: loaded serial 1601656729
                      02-Oct-2020 18:38:49.809 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
                      02-Oct-2020 18:38:49.809 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 18:38:49.809 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 18:38:49.809 zone int.example.com/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 18:38:54.812 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 18:38:54.812 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 18:38:54.812 zone int.example.com/IN: sending notifies (serial 1601656729)
                      02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
                      

                      It seems that my reverse zones are replicating from the server without manually adding them (I added them in the GUI).
                      But I don't know why I get refused; I used the right secret from the rndc.key file:

                      [root@ipa-dctrl1 ~]# cat /etc/rndc.key
                      key "rndc-key" {
                              algorithm hmac-sha256;
                              secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
                      };
                      

                      I also see that the permissions on the file are ok:
                      [root@ipa-dctrl1 ~]# ls -l /etc/rndc.key
                      -rw-r-----. 1 root named 100 Sep 30 18:45 /etc/rndc.key

                      Thanks,

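kiokoman's advice earlier in the thread is to read the named log, and the three kinds of line this thread has produced (a successful "updating zone ... adding an RR", "tsig verify failure (BADKEY)", and "rejected by secure update (REFUSED)") each point at a different layer of the DDNS chain. The following Python script is an added example, not code from this thread or from pfSense/FreeIPA: it classifies such lines and, per client address and TSIG key name, reports which of the fixes discussed here applies. The regexes and hint texts are my own assumptions about the log format, based only on the lines quoted in this thread.

```python
import re
from collections import Counter

# The three outcomes seen in this thread's named logs. BADKEY lines carry no
# "/key" suffix because the signature was never accepted.
PATTERNS = {
    "badkey": re.compile(
        r"client @\S+ (?P<src>[\d.]+)#\d+: request has invalid signature: "
        r"TSIG (?P<key>\S+): tsig verify failure \(BADKEY\)"),
    "refused": re.compile(
        r"client @\S+ (?P<src>[\d.]+)#\d+/key (?P<key>\S+): (?:view [^:]+: )?updating zone "
        r"'(?P<zone>[^']+)': update failed: rejected by secure update \(REFUSED\)"),
    "updated": re.compile(
        r"client @\S+ (?P<src>[\d.]+)#\d+/key (?P<key>\S+): (?:view [^:]+: )?updating zone "
        r"'(?P<zone>[^']+)': (?:adding an RR|deleting rrset) at '(?P<name>[^']+)' (?P<rtype>\S+)"),
}
# What each outcome means in terms of the fixes discussed in the thread.
HINTS = {
    "badkey": "DNS Domain key secret/name on pfSense does not match the key in rndc.key",
    "refused": "TSIG ok, but the zone's update policy lacks grant \"rndc-key\" zonesub ANY;",
    "updated": "dynamic updates are being applied",
}

def classify(line):
    """Return (outcome, fields) for a DDNS-related named log line, or None."""
    for outcome, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return outcome, m.groupdict()
    return None

def diagnose(lines):
    """Count outcomes per (client IP, TSIG key name) over a log excerpt."""
    summary = {}
    for line in lines:
        hit = classify(line)
        if hit:
            outcome, f = hit
            summary.setdefault((f["src"], f["key"]), Counter())[outcome] += 1
    return summary

def verdict(summary):
    """Most actionable outcome per client: any failure outranks successes."""
    out = {}
    for who, counts in summary.items():
        for outcome in ("badkey", "refused", "updated"):
            if counts[outcome]:
                out[who] = (outcome, HINTS[outcome])
                break
    return out

# Constructed excerpt assembled from the log lines quoted earlier in this thread.
SAMPLE_LOG = [
    "02-Oct-2020 13:02:52.314 client @0x7ff3d81c3850 172.16.0.254#25129/key rndc-key: view trusted: updating zone 'trmultiservice.lab/IN': adding an RR at 'PC-PRINK.trmultiservice.lab' A 192.168.1.13",
    "02-Oct-2020 13:02:52.322 client @0x7ff3d81c3850 172.16.0.254#33543/key rndc-key: view trusted: updating zone '1.168.192.IN-ADDR.ARPA/IN': adding an RR at '13.1.168.192.in-addr.arpa' PTR PC-PRINK.trmultiservice.lab.",
    "02-Oct-2020 13:21:16.571 client @0x7f784c0ce650 192.168.6.254#44662: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)",
    "02-Oct-2020 13:25:17.450 client @0x7f78384cdef0 192.168.6.254#43356: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)",
    "02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)",
    "02-Oct-2020 18:38:49.677 zone D.F.IP6.ARPA/IN: shutting down",
]
```

Run `verdict(diagnose(lines))` over a real named log excerpt to get one line of guidance per pfSense interface address.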
                        kiokoman

                        @kiokoman said in DHCP DNS registration on FreeIPA:

                        allow-update { key rndc-key; };

                        ^
                        is it inside your zone definition for int.example.com?

                          Phonix66 @kiokoman

                          @kiokoman

                          I have set dynamic updates on the FreeIPA GUI to "dynamic updates": Screenshot 2020-10-02 at 17.32.45.png.

                          So I don't know if I can change this anymore; should I put this line into the named.conf file?
                          Looking into this info I think it's not possible anymore:
                          https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update

                          THX

                            kiokoman

                            that's why I generally don't like the web GUI for this stuff
                            ok, so FreeIPA uses Update Policies
                            https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies

                            you need

                            grant "rndc-key" zonesub ANY;
                            

                            or something like that

                              Phonix66 @kiokoman

                              @kiokoman
                              Should I insert it to the named.conf under include "/etc/rndc.key"; ?

                                kiokoman

                                no, you can put it in the GUI inside
                                BIND update policy
                                or it goes inside

                                update-policy {  };
                                

                                inside named.conf

                                  Phonix66

                                  @kiokoman said in DHCP DNS registration on FreeIPA:

                                  grant "rndc-key" zonesub ANY

                                  IT WORKED! YOU'RE THE GREATEST!

                                  Will add the details later on.😊 👍

                                    kiokoman

                                    nice ! 👍

                                      Phonix66

                                      @kiokoman said in DHCP DNS registration on FreeIPA:

                                      grant "rndc-key" zonesub ANY;

                                      I just added the:

                                      grant "rndc-key" zonesub ANY;
                                      

                                      Into the update policy in the GUI, and it works; I see that the A records are automatically updated.
                                      In regard to the reverse records, I didn’t have the time to check, but now I believe that this can easily be resolved by repeating the procedure also for reverse records.

                                      Thanks again 😊👍

                                        kiokoman

                                        yes, you just need to create the reverse zone

                                        zone "1.168.192.IN-ADDR.ARPA" IN {
                                                type master;
                                                file "/etc/bind/internal/reverse-192.168.1";
                                                allow-update { key rndc-key; };
                                        };
                                        

                                        the same options are available under "dhcpv6 server & RA"

                                          Phonix66 @kiokoman

                                          @kiokoman

                                          So, the reverse records have not been created as I suspected.

                                          I have just added the same line to the reverse zone using the GUI, in the BIND update policy (same as done before with the forward zone):

                                          grant "rndc-key" zonesub ANY;
                                          

                                          With the ";" after the last command, and it’s also working: reverse records are also being automatically registered from pfSense DHCP.

                                          👍

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.