Netgate Discussion Forum
    DHCP DNS registration on FreeIPA

    Phonix66

      I went into the named.conf on FreeIPA and added the:

      include "/etc/rndc.key"
      

      Unfortunately it didn't work; BIND was not working afterwards.

      Otherwise I have set all the settings as you did; I have taken the key for the DNS Domain key secret from the rndc.key on the FreeIPA server.

      Where should I put the:

      include "/etc/rndc.key"
      

      Here is what my /etc/named.conf looks like:
      named-conf.txt

      Unfortunately it didn't work

      kiokoman

        under

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
        

        did you forget the

        ;
        

        at the end perhaps?

        include "/etc/rndc.key";
        

        check the logs if it does not start, it will tell you why

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        Phonix66 @kiokoman

          @kiokoman

          Ok, I added all the info as you suggested.
          It seems like we're making progress, but now I get the following:

          02-Oct-2020 18:38:49.677 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone D.F.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone 8.E.F.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone 9.E.F.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone A.E.F.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone B.E.F.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.677 zone EMPTY.AS112.ARPA/IN: shutting down
          02-Oct-2020 18:38:49.688 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
          02-Oct-2020 18:38:49.695 LDAP configuration for instance 'ipa' synchronized
          02-Oct-2020 18:38:49.718 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
          02-Oct-2020 18:38:49.808 zone 2.168.192.in-addr.arpa/IN: loaded serial 1601656729
          02-Oct-2020 18:38:49.808 zone 6.168.192.in-addr.arpa/IN: loaded serial 1601656729
          02-Oct-2020 18:38:49.809 zone int.example.com/IN: loaded serial 1601656729
          02-Oct-2020 18:38:49.809 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
          02-Oct-2020 18:38:49.809 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
          02-Oct-2020 18:38:49.809 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
          02-Oct-2020 18:38:49.809 zone int.example.com/IN: sending notifies (serial 1601656729)
          02-Oct-2020 18:38:54.812 zone 2.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
          02-Oct-2020 18:38:54.812 zone 6.168.192.in-addr.arpa/IN: sending notifies (serial 1601656729)
          02-Oct-2020 18:38:54.812 zone int.example.com/IN: sending notifies (serial 1601656729)
          02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
          

          It seems that my reverse zones are replicating from the server without manually adding them (I added them on the GUI).
          But I don't know why I get refused; I used the right secret from the rndc.key file:

          [root@ipa-dctrl1 ~]# cat /etc/rndc.key
          key "rndc-key" {
                  algorithm hmac-sha256;
                  secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
          };
          

          I also saw that the permissions on the file are OK:
          [root@ipa-dctrl1 ~]# ls -l /etc/rndc.key
          -rw-r-----. 1 root named 100 Sep 30 18:45 /etc/rndc.key

          Thanks,

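The REFUSED line in the post above is the BIND `update` log entry a defender should be watching for: it names the client address, whether the request carried a TSIG key and which one, and the zone. The following is an added example (not code from the forum thread or from BIND) that parses such lines and tallies refused updates per client and key, treating unsigned requests separately. The sample log is constructed to follow the format of the REFUSED line in the post; the `adding an RR at` lines imitate what BIND logs for an accepted update.

```python
"""Parse BIND 'update' log lines and tally refused and accepted dynamic
updates per client address, TSIG key and zone. Added example, not from
the forum thread or from BIND; all sample lines below are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
02-Oct-2020 16:41:15.900 client @0x7f7a300ce650 192.168.6.254#37316/key rndc-key: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
02-Oct-2020 18:40:02.113 client @0x7f7a300ce650 192.168.6.254#40112/key rndc-key: updating zone 'int.example.com/IN': adding an RR at 'pc1.int.example.com' A 192.168.6.10
02-Oct-2020 18:40:02.114 client @0x7f7a300ce650 192.168.6.254#40112/key rndc-key: updating zone '6.168.192.in-addr.arpa/IN': adding an RR at '10.6.168.192.in-addr.arpa' PTR pc1.int.example.com.
02-Oct-2020 18:41:30.501 client @0x7f7a300ce650 192.168.6.77#51000: updating zone 'int.example.com/IN': update failed: rejected by secure update (REFUSED)
02-Oct-2020 18:42:00.000 zone int.example.com/IN: sending notifies (serial 1601656730)
"""

# Timestamp, client address#port, an optional '/key <name>' (present only
# when the request was TSIG-signed), the zone, and the rest of the message.
UPDATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client @0x[0-9a-f]+ "
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>[^:\s]+))?: updating zone '(?P<zone>[^/']+)/IN': "
    r"(?P<msg>.*)$"
)


def parse_update_lines(text: str) -> List[dict]:
    """Return one dict per dynamic-update log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["refused"] = "REFUSED" in ev["msg"]
        events.append(ev)
    return events


def refused_by_source(events: List[dict]) -> Dict[Tuple[str, Optional[str]], int]:
    """Count refused updates per (client address, key name). The key is None
    for unsigned requests, which deserve a separate alert: nothing legitimate
    on the network should be sending unsigned updates to these zones."""
    return Counter((e["addr"], e["key"]) for e in events if e["refused"])


def changes_by_zone(events: List[dict]) -> Dict[str, int]:
    """Count accepted record changes per zone."""
    return Counter(e["zone"] for e in events if not e["refused"])


if __name__ == "__main__":
    evs = parse_update_lines(SAMPLE_LOG)
    for (addr, key), n in refused_by_source(evs).items():
        print(f"refused: {addr} key={key or 'unsigned'} count={n}")
    for zone, n in changes_by_zone(evs).items():
        print(f"changed: {zone} records={n}")
```

A refusal from the DHCP server's own address with the expected key name, as in the thread, points at the zone's update policy; a refusal from any other address, or an unsigned request, is a different matter and worth its own alert.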
          kiokoman

            @kiokoman said in DHCP DNS registration on FreeIPA:

            allow-update { key rndc-key; };

            ^
            is it inside your zone definition int.example.com?

            Phonix66 @kiokoman

              @kiokoman

              I have set dynamic updates on the FreeIPA GUI to "dynamic updates": Screenshot 2020-10-02 at 17.32.45.png.

              So I don't know if I can change this anymore; should I put this line into the named.conf file?
              Looking into this info, I think it's not possible anymore:
              https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update

              THX

                kiokoman

                That's why I generally don't like web GUIs for this stuff.
                OK, so FreeIPA uses Update Policies:
                https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies

                you need

                grant "rndc-key" zonesub ANY;
                

                or something like that

                  Phonix66 @kiokoman

                  @kiokoman
                  Should I insert it to the named.conf under include "/etc/rndc.key"; ?

                    kiokoman

                    No, you can put it in the GUI inside
                    BIND update policy
                    or it goes inside

                    update-policy {  };
                    

                    inside named.conf

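What `update-policy` does with the suggested `grant "rndc-key" zonesub ANY;` line can be checked without a live server. The code below is an added example (not from the forum thread, from BIND or from FreeIPA) that models BIND's documented first-match evaluation of `grant|deny identity nametype [name] [types]` for the nametypes zonesub, subdomain, name and self: the TSIG key name that signed the request must match the identity, the name being changed must match the nametype, and the record type must be in the rule's type list (no list means every type except RRSIG, NS, SOA, NSEC and NSEC3; `ANY` means everything except NSEC and NSEC3). It shows the empty policy that produced the REFUSED earlier in the thread, the `zonesub ANY` rule that fixed it, and a narrower grant limited to the types a DHCP server actually registers, which is the version to prefer given that `rndc.key` is also the server's control-channel key. The key, zone and host names are constructed.

```python
"""Model of how BIND 9 evaluates an update-policy block. Added example,
not code from the forum thread, from BIND or from FreeIPA; supports the
nametypes zonesub, subdomain, name and self, and uses constructed names."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set

# BIND: a rule with no explicit types matches every type except these;
# "ANY" matches every type except NSEC and NSEC3, which are never updatable.
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}
NEVER_UPDATABLE = {"NSEC", "NSEC3"}


def canon(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot (BIND compares
    names case-insensitively)."""
    return name.lower().rstrip(".")


def is_subdomain(name: str, apex: str) -> bool:
    """True when name is the apex itself or anything below it."""
    name, apex = canon(name), canon(apex)
    return name == apex or name.endswith("." + apex)


@dataclass
class Rule:
    action: str                  # "grant" or "deny"
    identity: str                # TSIG key name; '*' wildcards allowed
    nametype: str                # zonesub | subdomain | name | self
    name: Optional[str] = None   # omitted for zonesub
    types: Set[str] = field(default_factory=set)  # empty = BIND default set

    def matches(self, signer: str, target: str, rtype: str, zone: str) -> bool:
        if not fnmatchcase(canon(signer), canon(self.identity)):
            return False
        if self.nametype == "zonesub":
            name_ok = is_subdomain(target, zone)
        elif self.nametype == "subdomain":
            name_ok = is_subdomain(target, self.name)
        elif self.nametype == "name":
            name_ok = canon(target) == canon(self.name)
        elif self.nametype == "self":
            name_ok = canon(target) == canon(signer)
        else:
            raise ValueError(f"unsupported nametype {self.nametype!r}")
        if not name_ok:
            return False
        rtype = rtype.upper()
        if rtype in NEVER_UPDATABLE:
            return False
        if not self.types:
            return rtype not in DEFAULT_EXCLUDED
        return "ANY" in self.types or rtype in self.types


def parse_policy(text: str) -> List[Rule]:
    """Parse the statements inside update-policy { ... }, one per ';'."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.replace('"', "").split()
        if not tokens:
            continue
        action, identity, nametype, *rest = tokens
        if action not in ("grant", "deny"):
            raise ValueError(f"bad action {action!r}")
        name = None
        if nametype != "zonesub":        # every other supported nametype carries a name
            name, rest = rest[0], rest[1:]
        rules.append(Rule(action, identity, nametype, name,
                          {t.upper() for t in rest}))
    return rules


def update_allowed(rules: List[Rule], signer: str, target: str,
                   rtype: str, zone: str) -> bool:
    """The first matching rule decides; with no match BIND refuses."""
    for rule in rules:
        if rule.matches(signer, target, rtype, zone):
            return rule.action == "grant"
    return False


if __name__ == "__main__":
    zone = "int.example.com"
    for text in ("",                                          # empty policy: REFUSED
                 'grant "rndc-key" zonesub ANY;',             # the rule from the thread
                 'grant "rndc-key" zonesub A AAAA PTR TXT;'):  # narrower grant
        policy = parse_policy(text)
        for rtype in ("A", "SOA"):
            ok = update_allowed(policy, "rndc-key", f"pc1.{zone}", rtype, zone)
            print(f"{text or '<no rules>':45} {rtype:4} -> {'granted' if ok else 'REFUSED'}")
```

The same rule works for a reverse zone because `zonesub` is relative to whichever zone the policy is attached to, so a PTR at `10.6.168.192.in-addr.arpa` is granted under `6.168.192.in-addr.arpa` with the identical line; the policy on each zone has to be set separately, which is what the later posts in the thread do.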
                      Phonix66

                      @kiokoman said in DHCP DNS registration on FreeIPA:

                      grant "rndc-key" zonesub ANY

                      IT WORKED! YOU'RE THE GREATEST!

                      Will add the details later on.😊 👍

                        kiokoman

                        nice ! 👍

                          Phonix66

                          @kiokoman said in DHCP DNS registration on FreeIPA:

                          grant "rndc-key" zonesub ANY;

                          I just added the:

                          grant "rndc-key" zonesub ANY;
                          

                          into the update policy in the GUI, and it works; I see that the A records are automatically updated.
                          In regard to the reverse records, I didn't have the time to check, but now I believe this can easily be resolved by repeating the procedure for the reverse records too.

                          Thanks again 😊👍

                            kiokoman

                            yes, you just need to create the reverse zone

                            zone "1.168.192.IN-ADDR.ARPA" IN {
                                    type master;
                                    file "/etc/bind/internal/reverse-192.168.1";
                                    allow-update { key rndc-key; };
                            };
                            

                            the same options are available under "dhcpv6 server & RA"

                              Phonix66 @kiokoman

                              @kiokoman

                              So, the reverse records have not been created as I suspected.

                              I have just added the same line to the reverse zone using the GUI, in the BIND update policy (same as done before with the forward zone):

                              grant "rndc-key" zonesub ANY;
                              

                              With the ";" after the last command, and it's also working; reverse records are also being automatically registered from pfSense DHCP.

                              👍
