DHCP and dynamic update



  • Something weird happened with my pfsense router. I configured the secure DNS update on the pfsense device, configured namekey, key and whatnot… at first it was working and I'm pretty sure I checked the dhcp.conf and saw the key and stuff in it. Today I noticed my BIND server was complaining about client updates denied. WTF, I thought, so I checked the dhcp.conf on the pfsense device and to my big surprise it doesn't contain any key and namekey... just:

    
    option domain-name "intranet.dol";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;
    option arch code 93 = unsigned integer 16; # RFC4578
    
    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    ping-check true;
    update-conflict-detection false;
    authoritative;
    subnet 192.168.0.0 netmask 255.255.255.0 {
            pool {
                    option domain-name-servers 192.168.0.1,192.168.0.29;
                    ddns-update-style interim;
                    range 192.168.0.128 192.168.0.200;
            }
    
            option routers 192.168.0.99;
            option domain-name "intranet.zol";
            option domain-search "intranet.zol";
            ddns-domainname "intranet.zol";
            option domain-name-servers 192.168.0.1,192.168.0.29;
            option ntp-servers 192.168.0.1;
    
    }
    
    ddns-update-style interim;
    update-static-leases on;
    zone intranet.zol. {
            primary 192.168.0.1;
    }
    zone 99.168.192.in-addr.arpa {
            primary 192.168.0.1;
    }
    
    

    I tried saving the configuration from the web UI but it's not adding any of the parameters I put under Dynamic DNS.

    I resorted to allowing updates based on IP address for now, but BIND is complaining that's not secure, and rightly so.

    Any ideas? Am I nuts and the key is not saved in /var/dhcpd/etc/dhcpd.conf? But now then, why have the dynamic updates stopped working?

    I'm running 2.2.6-RELEASE (i386) if that's of any help.

    Thanks,
    Davide

    This is the thingy, in case you know, someone was wondering:
    http://varia-store.com/Ready-Systems/pfSense/Ready-system-with-ALIX-2D13-accessories-and-pfSense-Software::886.html



  • There was a bug with that recently I fixed in 2.3. It only populated the keys properly if the last enabled instance of the DHCP server had them set. Guessing maybe you enabled the DHCP server on a second LAN interface and don't have the keys defined there so it's now omitting them. Setting them on that additional DHCP server instance will work around.



  • @cmb:

    There was a bug with that recently I fixed in 2.3. It only populated the keys properly if the last enabled instance of the DHCP server had them set. Guessing maybe you enabled the DHCP server on a second LAN interface and don't have the keys defined there so it's now omitting them. Setting them on that additional DHCP server instance will work around.

    Something like that, I added by mistake an option to the first interface, a WAN, and since then it is apparently using only the key I put on that IF. I worked around it by putting the key there. Apparently it doesn't matter if DHCP is not enabled on the IF as long as the key is configured.

    Thanks for your help,
    Davide
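
A quick way to catch the condition discussed in this thread (a generated dhcpd.conf whose `zone` blocks lack a TSIG `key`) is to audit the file after each save. The script below is an added example, not code from the thread or from pfSense; the key name and secret are placeholders, and the sample configs are constructed from the zone section posted above.

```python
import re

# Constructed samples: the zone section as posted above (no key), and a
# variant with a TSIG key. Key name and secret are placeholders.
UNSIGNED = '''
zone intranet.zol. {
        primary 192.168.0.1;
}
zone 99.168.192.in-addr.arpa {
        primary 192.168.0.1;
}
'''
SIGNED = '''
key example-ddns-key {
        algorithm hmac-md5;
        secret "PLACEHOLDER-BASE64-SECRET";
}
zone intranet.zol. {
        primary 192.168.0.1;
        key example-ddns-key;
}
zone 99.168.192.in-addr.arpa {
        primary 192.168.0.1;
        key missing-key;
}
'''

KEY_DECL = re.compile(r'^\s*key\s+"?([\w.-]+)"?\s*\{', re.M)
ZONE = re.compile(r'^\s*zone\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.M | re.S)
KEY_REF = re.compile(r'^\s*key\s+"?([\w.-]+)"?\s*;', re.M)

def audit_ddns_keys(conf_text):
    """Return {zone: problem} for zones whose updates would go out unsigned."""
    text = re.sub(r'#.*', '', conf_text)  # drop comments (simplified: ignores '#' in strings)
    declared = set(KEY_DECL.findall(text))
    problems = {}
    for zone, body in ZONE.findall(text):
        ref = KEY_REF.search(body)
        if ref is None:
            problems[zone] = "no key statement"
        elif ref.group(1) not in declared:
            problems[zone] = "key '%s' not declared" % ref.group(1)
    return problems

if __name__ == "__main__":
    for name, conf in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, audit_ddns_keys(conf))
```

An empty result means every zone references a declared key; any entry means BIND will see unsigned updates for that zone and should be expected to deny them when its update policy requires the key.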

