Making DHCP interim still work when bind9 only accepts signed requests
By mat on Sunday 6 September 2009, 17:34 - Permalink
Having workstation names updated in the DNS is quite cool and very useful (the more you use it, the more important it becomes to you ...).
The problem is that once you activate DDNS updates directly from Windows workstations, as described here or here, it usually breaks DHCP interim updates (also known as the second way to make DDNS updates work).
You might wonder why bother using DDNS updates from the workstation if we can achieve them from the DHCP server?
Well, it's simply because sometimes you have resources whose IP address is not assigned by the DHCP server (i.e. fixed-IP workstations or servers, or most importantly, workstations connected through VPN). We can also wonder why use DHCP interim if DDNS from the workstation works; well, it's because not all workstations are, for the moment, able to update their DNS records (i.e. Mac OS X, Linux, printers, ...).
So sometimes you want the best of both worlds; the good news is that it's possible and not even very complicated!
This small guide assumes that you already had DHCP interim working before you decided to activate signed DDNS (used by the Windows workstations); if not, please check the internet for guides like this one or this one.
Why does DHCP interim have to be deactivated when signed DDNS is used?
Most tutorials about DHCP DDNS use a configuration like this to authorize updates from the DHCP server:
allow-update { key dhcpupdate; };
But Bind9 does not accept both allow-update and update-policy on the same zone, so the two approaches cannot simply be combined.
The solution
The solution is to migrate from allow-update to update-policy. To do so, add something like this to the update-policy for your DNS zone: grant dhcp.example.org subdomain example.org A AAAA; so that the whole thing looks like:
update-policy {
    grant dhcp.example.org subdomain example.org A AAAA;
    grant EXAMPLE.ORG ms-self * A AAAA;
};
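To see what the two grant lines allow (and why the key name on the DHCP side must match exactly), here is an added Python model of the subdomain and ms-self rule types; it is not part of the original post or of BIND, it simplifies BIND's real evaluation (the identity string stands in for an already verified TSIG key name or GSS-TSIG principal), and the host names it checks are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    identity: str     # TSIG key name (subdomain) or Kerberos realm (ms-self)
    matchtype: str    # "subdomain" or "ms-self"
    name: str         # name field; ignored by ms-self, hence "*" in the post
    types: frozenset  # record types the rule allows (upper-case)


# The two grant lines from the post, as data.
POLICY = (
    Grant("dhcp.example.org", "subdomain", "example.org", frozenset({"A", "AAAA"})),
    Grant("EXAMPLE.ORG", "ms-self", "*", frozenset({"A", "AAAA"})),
)


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot too."""
    return name.rstrip(".").lower()


def _is_subdomain(name: str, parent: str) -> bool:
    """True when name is parent itself (zone apex included) or anything below it."""
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)


def rule_matches(rule: Grant, identity: str, name: str, rtype: str) -> bool:
    """Does this single grant line permit identity to update name/rtype?"""
    if rtype.upper() not in rule.types:
        return False
    if rule.matchtype == "subdomain":
        # identity is the TSIG key name the request was signed with
        return _norm(identity) == _norm(rule.identity) and _is_subdomain(name, rule.name)
    if rule.matchtype == "ms-self":
        # identity is a Windows machine principal "MACHINE$@REALM"; only the
        # record named MACHINE.REALM may be touched, and only for that realm
        if "$@" not in identity:
            return False
        machine, realm = identity.split("$@", 1)
        if realm.lower() != rule.identity.lower():
            return False
        return _norm(name) == _norm(f"{machine}.{realm}")
    raise ValueError(f"unsupported match type: {rule.matchtype}")


def update_allowed(identity: str, name: str, rtype: str, policy=POLICY) -> bool:
    """Any matching grant permits the update; no match means it is refused."""
    return any(rule_matches(r, identity, name, rtype) for r in policy)
```

Note that the subdomain rule also covers the zone apex itself, and that a request signed with the old key name (dhcpupdate) matches nothing, which is exactly the failure the rename in the following steps avoids.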
Once that is done, you have to find the definition of the DHCP update key (dhcpupdate in my example) and rename it to dhcp.example.org (where example.org is your DNS domain). Tutorials usually propose creating a separate file for storing the key, or adding a key stanza in named.conf. Either way, you have to change it to look like this:
key dhcp.example.org {
    algorithm hmac-md5;
    secret "YOURKEYGOESHERE";
};
The last step is to modify dhcpd.conf to replace all occurrences of the old key name with the new one (i.e. dhcpupdate with dhcp.example.org). Last note: if your DHCP server is on a different machine than the DNS server and the key is stored in a separate file, then you need to change the key name in that file as well.
Once everything is modified, restart dhcpd and bind9 and everything should work (do verify, as your mileage may vary ...).