    DHCP DNS registration on FreeIPA

      Phonix66 @kiokoman

      @kiokoman

      Ok, I added all the info as you suggested.
      It seems like we are making progress, but now I get the following:

      02-Oct-2020 18:38:49.677 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone D.F.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone 8.E.F.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone 9.E.F.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone A.E.F.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone B.E.F.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.677 zone EMPTY.AS112.ARPA/IN: shutting down
      02-Oct-2020 18:38:49.688 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
      02-Oct-2020 18:38:49.695 LDAP configuration for instance 'ipa' synchronized
      02-Oct-2020 18:38:49.718 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
      02-Oct-2020 18:38:49.808 zone 2.168.192.in-addr.arpa/IN: loaded serial 1601656729
      02-Oct-2020 18:38:49.808 zone 6.168.192.in-addr.arpa/IN: loaded serial 1601656729
      02-Oct-2020 18:38:49.809 zone int.example.com/IN: loaded serial 1601656729
      02-Oct-2020 18:38:49.809 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
      02-Oct-2020 18:38:49.809 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
      02-Oct-2020 18:38:49.809 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
      02-Oct-2020 18:38:49.809 zone int.example.com/IN: sending notifies (serial 1601656729)
      02-Oct-2020 18:38:54.812 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
      02-Oct-2020 18:38:54.812 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
      02-Oct-2020 18:38:54.812 zone int.example.com/IN: sending notifies (serial 1601656729)
      02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
      

      It seems that my reverse zones are replicating from the server without my adding them manually (I added them in the GUI).
      But I don't know why I get refused; I used the right secret from the rndc.key file:

      [root@ipa-dctrl1 ~]# cat /etc/rndc.key
      key "rndc-key" {
              algorithm hmac-sha256;
              secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
      };
      

      I also see that the permissions on the file are ok:
      [root@ipa-dctrl1 ~]# ls -l /etc/rndc.key
      -rw-r-----. 1 root named 100 Sep 30 18:45 /etc/rndc.key

      Thanks,

        kiokoman LAYER 8

        @kiokoman said in DHCP DNS registration on FreeIPA:

        allow-update { key rndc-key; };

        ^
        Is it inside your zone definition int.example.com?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          Phonix66 @kiokoman

          @kiokoman

          I have set dynamic updates on the FreeIPA GUI to "dynamic updates" [screenshot: Screenshot 2020-10-02 at 17.32.45.png].

          So I don't know if I can change this anymore; should I put this line into the named.conf file?
          Looking into this info, I think it's not possible anymore:
          https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update

          THX

            kiokoman LAYER 8

            That's why I generally don't like web GUIs for this stuff.
            OK, so FreeIPA uses Update Policies:
            https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies

            you need

            grant "rndc-key" zonesub ANY;
            

            or something like that

              Phonix66 @kiokoman

              @kiokoman
              Should I insert it into named.conf under include "/etc/rndc.key"; ?

                kiokoman LAYER 8

                No, you can put it in the GUI inside
                "BIND update policy"
                or it goes inside

                update-policy {  };

                inside named.conf

                  Phonix66

                  @kiokoman said in DHCP DNS registration on FreeIPA:

                  grant "rndc-key" zonesub ANY

                  IT WORKED! YOU'RE THE GREATEST!

                  Will add the details later on.😊 👍

                    kiokoman LAYER 8

                    nice! 👍

                      Phonix66

                      @kiokoman said in DHCP DNS registration on FreeIPA:

                      grant "rndc-key" zonesub ANY;

                      I just added the:

                      grant "rndc-key" zonesub ANY;

                      into the update policy in the GUI, and it works; I see that the A records are automatically updated.
                      In regard to the reverse records, I didn't have the time to check, but now I believe that this can easily be resolved by repeating the procedure for the reverse records as well.

                      Thanks again 😊👍

                        kiokoman LAYER 8

                        Yes, you just need to create the reverse zone:

                        zone "1.168.192.IN-ADDR.ARPA" IN {
                                type master;
                                file "/etc/bind/internal/reverse-192.168.1";
                                allow-update { key rndc-key; };
                        };
                        

                        The same options are available under "DHCPv6 Server & RA".

                          Phonix66 @kiokoman

                          @kiokoman

                          So, the reverse records have not been created as I suspected.

                          I have just added the same line to the reverse zone using the GUI, in the BIND update policy (same as done before with the forward zone):

                          grant "rndc-key" zonesub ANY;


                          With the ";" after the last command, and it's also working; reverse records are also being automatically registered from pfSense DHCP.

                          👍

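The update-policy mechanism kiokoman points to above, worked through as an added example (this is not code from the thread, from FreeIPA or from BIND): a small Python evaluator for BIND 9 update-policy rules, limited to the zonesub, name and subdomain rule types described in the linked BIND reference. It reproduces the "rejected by secure update (REFUSED)" outcome from the log when the zone's policy does not grant rndc-key, shows the grant working, and shows that a grant in int.example.com says nothing about 6.168.192.in-addr.arpa, which is why PTR records only appeared once the same line was added to the reverse zone's own policy. The host names, the key name other-key and the tighter policy variant are constructed for the example.

```python
# Added example, not from the thread: toy evaluator for BIND 9 update-policy
# rules (zonesub / name / subdomain only). Rule semantics follow the BIND 9
# "Dynamic Update Policies" reference; all sample names below are constructed.
from dataclasses import dataclass


def norm(name: str) -> str:
    """Canonicalise a DNS name: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def within(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it."""
    return name == zone or name.endswith("." + zone)


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # TSIG key name, e.g. rndc-key
    ruletype: str      # zonesub, name or subdomain (others not modelled)
    target: str        # name argument (empty for zonesub)
    types: frozenset   # RR types; {"ANY"} when the rule lists none


def parse_policy(text: str) -> list:
    """Parse the body of an update-policy { ... } block. FreeIPA's
    'BIND update policy' field holds the same statements."""
    rules = []
    for stmt in text.split(";"):
        toks = [t.strip('"') for t in stmt.split()]
        if not toks:
            continue
        if len(toks) < 3 or toks[0] not in ("grant", "deny"):
            raise ValueError(f"malformed rule: {stmt.strip()!r}")
        action, identity, ruletype, rest = toks[0], toks[1], toks[2], toks[3:]
        if ruletype == "zonesub":
            target, types = "", rest
        elif ruletype in ("name", "subdomain"):
            if not rest:
                raise ValueError(f"{ruletype} rule needs a name: {stmt.strip()!r}")
            target, types = norm(rest[0]), rest[1:]
        else:
            raise ValueError(f"rule type not modelled: {ruletype}")
        rules.append(Rule(action, identity, ruletype, target,
                          frozenset(t.upper() for t in types) or frozenset({"ANY"})))
    return rules


def evaluate(zone: str, policy: list, key: str, name: str, rrtype: str) -> str:
    """Decide a TSIG-signed update the way named does: the first rule whose
    identity, name and type all match wins; no matching rule means REFUSED."""
    zone, name, rrtype = norm(zone), norm(name), rrtype.upper()
    if not within(name, zone):
        return "NOTZONE"                        # sent to the wrong zone
    for r in policy:
        if r.identity != key:
            continue
        if r.ruletype == "zonesub":
            matched = True                      # any name inside this zone
        elif r.ruletype == "name":
            matched = name == r.target
        else:                                   # subdomain
            matched = within(name, r.target)
        if matched and ("ANY" in r.types or rrtype in r.types):
            return "NOERROR" if r.action == "grant" else "REFUSED"
    return "REFUSED"


FORWARD_ZONE = "int.example.com"
REVERSE_ZONE = "6.168.192.in-addr.arpa"
KEY = "rndc-key"

# Constructed policies: no grant for the key (the state behind the REFUSED
# log line), the grant from the thread, and a tighter variant that keeps the
# DHCP key away from the zone apex and limits it to host-record types.
NO_GRANT = parse_policy("")
THREAD_FIX = parse_policy('grant "rndc-key" zonesub ANY;')
TIGHTER = parse_policy('deny "rndc-key" name int.example.com ANY; '
                       'grant "rndc-key" zonesub A AAAA PTR TXT;')


def demo() -> dict:
    """Outcomes for the updates a DHCP server would send to each zone."""
    return {
        "forward_no_grant": evaluate(FORWARD_ZONE, NO_GRANT, KEY, "host1.int.example.com", "A"),
        "forward_fixed":    evaluate(FORWARD_ZONE, THREAD_FIX, KEY, "host1.int.example.com", "A"),
        # each zone is evaluated against its own policy; the reverse zone
        # needs its own copy of the grant statement
        "reverse_no_grant": evaluate(REVERSE_ZONE, NO_GRANT, KEY, "10.6.168.192.in-addr.arpa", "PTR"),
        "reverse_fixed":    evaluate(REVERSE_ZONE, THREAD_FIX, KEY, "10.6.168.192.in-addr.arpa", "PTR"),
        "unknown_key":      evaluate(FORWARD_ZONE, THREAD_FIX, "other-key", "host1.int.example.com", "A"),
        "tight_host_a":     evaluate(FORWARD_ZONE, TIGHTER, KEY, "host1.int.example.com", "A"),
        "tight_apex_ns":    evaluate(FORWARD_ZONE, TIGHTER, KEY, "int.example.com", "NS"),
        "tight_host_ns":    evaluate(FORWARD_ZONE, TIGHTER, KEY, "host1.int.example.com", "NS"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

Two practical notes. In BIND a zone may carry either allow-update or update-policy, not both, so for FreeIPA zones (which are loaded from LDAP and expose only the update-policy field in the GUI) the grant belongs in that field, as the thread concludes, and an allow-update line in named.conf is not an option. The tighter policy in the example is an added suggestion, not something from the thread: a deny rule on the zone apex in front of the zonesub grant stops the DHCP server's key from replacing SOA or NS records, and listing A, AAAA, PTR and TXT instead of ANY confines the key to the record types a DHCP server legitimately writes, which is a cheap least-privilege improvement if that key ever leaks.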
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.