Netgate Discussion Forum

    DHCP DNS registration on FreeIPA

    • kiokoman (LAYER 8), last edited by kiokoman

      include "/path/to/rndc.key";
      

      -> go inside named.conf on freeipa

      tsig verify failure (BADKEY)
      

      the key inside pfsense and the one inside rndc.key are not the same


      DNS Domain key secret must match what you have on freeipa inside rndc.key

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • Phonix66, last edited by Phonix66

        I went into the named.conf on freeipa and added the:

        include "/etc/rndc.key"
        

        Unfortunately it didn't work; BIND was not working afterwards.

        Otherwise I have set all the settings as you did; I have taken the key for the DNS Domain key secret from the rndc.key on the FreeIPA server.

        Where should I put this?:

        include "/etc/rndc.key"
        

        Here is what my /etc/named.conf looks like:
        named-conf.txt

        Unfortunately it didn't work

        • kiokoman (LAYER 8), last edited by kiokoman

          under

          include "/etc/named.rfc1912.zones";
          include "/etc/named.root.key";
          

          did you forget the

          ;
          

          at the end perhaps?

          include "/etc/rndc.key";
          

          check the logs if it does not start; they will tell you why


          • Phonix66 @kiokoman

            @kiokoman

            Ok, I added all the info as you suggested.
            It seems like we are making progress, but now I get the following:

            02-Oct-2020 18:38:49.677 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone D.F.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone 8.E.F.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone 9.E.F.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone A.E.F.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone B.E.F.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.677 zone EMPTY.AS112.ARPA/IN: shutting down
            02-Oct-2020 18:38:49.688 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
            02-Oct-2020 18:38:49.695 LDAP configuration for instance 'ipa' synchronized
            02-Oct-2020 18:38:49.718 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
            02-Oct-2020 18:38:49.808 zone 2.168.192.in-addr.arpa/IN: loaded serial 1601656729
            02-Oct-2020 18:38:49.808 zone 6.168.192.in-addr.arpa/IN: loaded serial 1601656729
            02-Oct-2020 18:38:49.809 zone int.example.com/IN: loaded serial 1601656729
            02-Oct-2020 18:38:49.809 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
            02-Oct-2020 18:38:49.809 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
            02-Oct-2020 18:38:49.809 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
            02-Oct-2020 18:38:49.809 zone int.example.com/IN: sending notifies (serial 1601656729)
            02-Oct-2020 18:38:54.812 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
            02-Oct-2020 18:38:54.812 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
            02-Oct-2020 18:38:54.812 zone int.example.com/IN: sending notifies (serial 1601656729)
            02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
            

            It seems that my reverse zones are replicating from the server without manually adding them (I added them on the GUI).
            But I don't know why I get refused; I used the right secret from the rndc.key file:

            [root@ipa-dctrl1 ~]# cat /etc/rndc.key
            key "rndc-key" {
                    algorithm hmac-sha256;
                    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            };
            

            I also checked that the permissions on the file are ok:
            [root@ipa-dctrl1 ~]# ls -l /etc/rndc.key
            -rw-r-----. 1 root named 100 Sep 30 18:45 /etc/rndc.key

            Thanks,

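The two failures seen in this thread (BADKEY, then REFUSED) leave distinct traces in the BIND log. As an added example (not from the thread, not FreeIPA or pfSense code), the following Python triages such lines and maps each rcode to the likely cause: the REFUSED sample is the line quoted above, while the BADKEY line is constructed to resemble BIND's "invalid signature" message and is an assumption about its exact wording.

```python
import re

# Patterns for the two BIND log messages discussed here. The "update failed" form
# mirrors the line quoted in the post; the TSIG form is reconstructed from BIND's
# usual wording (an assumption), so adjust it to your version's output.
UPDATE_FAIL = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))?: updating zone '(?P<zone>[^']+)': "
    r"update failed: (?P<reason>.+?)\s*\((?P<code>[A-Z]+)\)\s*$"
)
TSIG_FAIL = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+).*?"
    r"TSIG (?P<key>\S+): tsig verify failure \((?P<code>[A-Z]+)\)"
)

# Likely cause per rcode, as worked out in the thread: BADKEY means the key name
# or secret on the DHCP side differs from rndc.key; REFUSED means the signature
# verified but no allow-update / update-policy grant covers this key in the zone.
CAUSES = {
    "BADKEY": "TSIG verification failed: DHCP server key name or secret does not match rndc.key",
    "REFUSED": "key accepted but not authorized: zone lacks a matching allow-update / update-policy grant",
}

def triage(line):
    """Classify one BIND log line; returns a dict, or None if it is not a failed update."""
    m = UPDATE_FAIL.search(line) or TSIG_FAIL.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "key": d.get("key"),
        "zone": d.get("zone"),
        "code": d["code"],
        "cause": CAUSES.get(d["code"], "see the BIND ARM for rcode " + d["code"]),
    }

def triage_log(lines):
    return [r for r in (triage(l) for l in lines) if r]

# Constructed sample log: line 3 is the REFUSED line from the post, line 1 is a
# constructed BADKEY line, line 2 is an unrelated zone-load message.
SAMPLE_LOG = [
    "02-Oct-2020 16:20:03.117 client @0x7f7a300ce650 192.168.6.254#50212: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)",
    "02-Oct-2020 18:38:49.809 zone int.example.com/IN: loaded serial 1601656729",
    "02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)",
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['ip']} key={r['key']} zone={r['zone']} {r['code']}: {r['cause']}")
```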
            • kiokoman (LAYER 8), last edited by kiokoman

              @kiokoman said in DHCP DNS registration on FreeIPA:

              allow-update { key rndc-key; };

              ^
              is it inside your zone definition for int.example.com?


              • Phonix66 @kiokoman

                @kiokoman

                I have set dynamic updates on the FreeIPA GUI to "dynamic updates": Screenshot 2020-10-02 at 17.32.45.png.

                So I don't know if I can change this anymore, should I put this line into the named.conf file?
                looking into this info I think it's not possible anymore:
                https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update

                THX

                • kiokoman (LAYER 8), last edited by kiokoman

                  That's why I generally don't like web GUIs for this stuff.
                  OK, so FreeIPA uses Update Policies:
                  https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies

                  you need

                  grant "rndc-key" zonesub ANY;
                  

                  or something like that


                  • Phonix66 @kiokoman

                    @kiokoman
                    Should I insert it to the named.conf under include "/etc/rndc.key"; ?

                    • kiokoman (LAYER 8), last edited by kiokoman

                      No, you can put it in the GUI inside
                      "BIND update policy",
                      or it goes inside

                      update-policy {  };
                      

                      inside named.conf


                      • Phonix66

                        @kiokoman said in DHCP DNS registration on FreeIPA:

                        grant "rndc-key" zonesub ANY

                        IT WORKED! YOU'RE THE GREATEST!

                        Will add the details later on.😊 👍

                        • kiokoman (LAYER 8)

                          nice ! 👍


                          • Phonix66

                            @kiokoman said in DHCP DNS registration on FreeIPA:

                            grant "rndc-key" zonesub ANY;

                            I just added the:

                            grant "rndc-key" zonesub ANY;
                            

                            into the update policy in the GUI, and it works; I see that the A records are automatically updated.
                            As regards the reverse records, I didn't have the time to check, but now I believe that this can easily be resolved by repeating the procedure also for reverse records.

                            Thanks again 😊👍

                            • kiokoman (LAYER 8)

                              yes, you just need to create the reverse zone

                              zone "1.168.192.IN-ADDR.ARPA" IN {
                                      type master;
                                      file "/etc/bind/internal/reverse-192.168.1";
                                      allow-update { key rndc-key; };
                              };
                              

                              the same options are available under "dhcpv6 server & RA"


                              • Phonix66 @kiokoman, last edited by Phonix66

                                @kiokoman

                                So, the reverse records have not been created as I suspected.

                                I have just added the same line to the reverse zone using the GUI, in the BIND update policy (same as done before with the forward zone):

                                grant "rndc-key" zonesub ANY;
                                

                                With the ";" after the last command, and it's also working: reverse records are also being automatically registered from pfSense DHCP.

                                👍

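The fix that resolved both the forward and reverse zones was a single update-policy rule, `grant "rndc-key" zonesub ANY;`. As an added example (not from the thread and not FreeIPA or BIND code), the following Python evaluator models how BIND applies such rules, following the first-match semantics in the BIND ARM page linked earlier: it supports grant/deny with zonesub, subdomain and name rules (no wildcard identities), and the policy text, zone and host names are constructed from the thread's examples. The constructed policy also shows a deny rule placed first to keep the DHCP key from overwriting the IPA server's own record.

```python
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}  # when a rule lists no types
NEVER_UPDATABLE = {"NSEC", "NSEC3"}                          # not even with ANY

def norm(name):
    return name.lower().rstrip(".")

def in_domain(name, domain):
    return norm(name) == norm(domain) or norm(name).endswith("." + norm(domain))

def parse_rule(text):
    # grant|deny "identity" zonesub|subdomain|name [name] [types...]
    t = text.strip().rstrip(";").replace('"', "").split()
    action, identity, kind = t[0], t[1], t[2]
    if kind == "zonesub":  # no name field: the zone itself is the domain
        name, types = None, t[3:]
    else:
        name, types = t[3], t[4:]
    return {"action": action, "identity": identity, "kind": kind,
            "name": name, "types": {x.upper() for x in types}}

def rule_matches(rule, zone, key, rrname, rrtype):
    if norm(rule["identity"]) != norm(key):  # identity is the TSIG key name
        return False
    if rule["kind"] == "zonesub":
        ok = in_domain(rrname, zone)
    elif rule["kind"] == "subdomain":
        ok = in_domain(rrname, rule["name"])
    elif rule["kind"] == "name":
        ok = norm(rrname) == norm(rule["name"])
    else:
        raise ValueError("unsupported rule type " + rule["kind"])
    rrtype = rrtype.upper()
    if not ok or rrtype in NEVER_UPDATABLE:
        return False
    if not rule["types"]:
        return rrtype not in DEFAULT_EXCLUDED
    return "ANY" in rule["types"] or rrtype in rule["types"]

def update_allowed(policy, zone, key, rrname, rrtype):
    """True if BIND would accept this TSIG-signed update; no matching rule means REFUSED."""
    for line in policy.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, zone, key, rrname, rrtype):
            return rule["action"] == "grant"
    return False

# Constructed policy: the thread's grant, preceded by a deny that stops the DHCP
# key from overwriting the IPA server's own record (first matching rule wins).
POLICY = """deny "rndc-key" name ipa-dctrl1.int.example.com ANY;
grant "rndc-key" zonesub ANY;"""
```

Feed it the zone name FreeIPA manages and the key name pfSense signs with; a False result for a record that should be updatable points at the policy, whereas a BADKEY in the log points at the secret.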
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.