

journal file not found under var/cache/bind for ddns on ubuntu server

Dear Experts:

I configured DDNS on an Ubuntu server; BIND and DHCP are both working, but the journal file was not created under /var/cache/bind.

Please help me work out what has gone wrong and how to fix it.

Thanks in advance.
 
D_wathiAuthor Commented:
Please also see the log below from /var/log/syslog:
Oct  3 19:27:31 lampsrv dhcpd: DHCPACK on 192.168.1.228 to 70:71:bc:71:6b:76 (Harsha) via eth0
Oct  3 19:27:50 lampsrv dhcpd: Unable to add forward map from ushankar.dyn.shriramdb.com to 192.168.1.239: timed out
Oct  3 19:27:50 lampsrv dhcpd: DHCPREQUEST for 192.168.1.239 from 00:13:46:8d:d9:9b (ushankar) via eth0
Oct  3 19:27:50 lampsrv dhcpd: DHCPACK on 192.168.1.239 to 00:13:46:8d:d9:9b (ushankar) via eth0
Oct  3 19:28:07 lampsrv dhcpd: Unable to add forward map from S-Manjula.dyn.shriramdb.com to 192.168.1.221: timed out
Oct  3 19:28:07 lampsrv dhcpd: DHCPREQUEST for 192.168.1.221 from 70:71:bc:71:70:88 (S-Manjula) via eth0
Oct  3 19:28:07 lampsrv dhcpd: DHCPACK on 192.168.1.221 to 70:71:bc:71:70:88 (S-Manjula) via eth0
^C

--------------------------
Please help to resolve this.
D_wathiAuthor Commented:
I also added the journal file line to /etc/bind/named.conf.local.

For reference, the config files are posted below:
---------------------------------/etc/bind/named.conf.local--------------------------------
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost;} keys { "rndc-key";};
};

zone "shriramdb.com" {
        type master;
        file "/var/cache/bind/db.shriramdb.com";
        };
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.1.168.192.in-addr.arpa";
        };
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.0.0.127.in-addr.arpa";
};

zone "dyn.shriramdb.com" {
        type master;
        file "/var/cache/bind/db.dyn.shriramdb.com";
        allow-update { key "rndc-key"; };
        journal "/var/cache/bind/db.dyn.shriramdb.com.jnl";
        };
zone "10.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/dba.1.168.192.in-addr.arpa";
        allow-update { key "rndc-key"; };
        journal "/var/cache/bind/dba.1.168.192.in-addr.arpa.jnl";
};
-----------------------------------------------------------------------------------------------------------------------------
dhcp config:
-------------------------/etc/dhcp3/dhcpd.conf-----------------------------------------------------------
ddns-update-style interim;
include "/etc/bind/rndc.key";

zone dyn.shriramdb.com. {
primary 127.0.0.1;
key "rndc-key";
}

ddns-domainname "dyn.shriramdb.com";

# option definitions common to all supported networks...
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
option domain-name "lampsrv.shriramdb.com lampsrv.dyn.shriramdb.com";
option domain-name-servers 192.168.1.244;
option routers 192.168.1.244;
option broadcast-address 192.168.1.255;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 192.168.1.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

subnet 192.168.1.0  netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.244;

zone 10.168.192.in-addr.arpa. {
primary 192.168.1.244;
key "rndc-key";
}
-----------------------------------------------------------------------------------------------------

zone dyn.shriramdb.com. {
primary 192.168.1.244;
key "rndc-key";
}
}
-------------------------------------------------------------------
Below are the two dynamic zone files, which live under /var/cache/bind:
------------------------

cat db.dyn.shriramdb.com
;
; BIND data file for mydomain.com
;
$ORIGIN .
$TTL 604800

dyn.shriramdb.com       IN     SOA   lampsrv.shriramdb.com. indar.shriramproperties.com. (
                         2011051705         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

@               IN      NS      lampsrv.
                IN      A       192.168.1.244
$ORIGIN dyn.shriramdb.com.
------------------------------------------------------------------------------------------------------------------
cat dba.1.168.192.in-addr.arpa
------------------
$ORIGIN .
$TTL 604800
10.168.192.in-addr.arpa               IN      SOA     lampsrv.shriramdb.com. indar.shriramproperties.com. (
                               2011051705    ; Serial
                               8H      ; Refresh
                               2H      ; Retry
                               4W      ; Expire
                               1D)     ; Minimum TTL
;
@       IN      NS      lampsrv.
$ORIGIN 10.168.192.in-addr.arpa.
------------------------------

Please help me resolve this.


PapertripCommented:
Along with addressing your original question, I'm providing my named.conf and zone file excerpts at the bottom.  Since I only have a few zones, I just keep everything in the same file as opposed to using an include or named.conf.local -- personal preference.  Some of the options you have are incorrect and some are unnecessary, I'll point those out.

First to answer your question.  In dhcpd.conf you have:
include "/etc/bind/rndc.key";


So first off, you should not be using rndc.key for anything other than the controls statement in named.conf.  Secondly, by default dhcpd won't be able to read rndc.key.  Create a separate key for dynamic updates, and treat its secret as a credential: the values shown below are examples, and any secret that has been pasted somewhere public should be regenerated.  (HMAC-MD5 is what these tools defaulted to at the time; if your BIND and dhcpd versions support an HMAC-SHA algorithm, prefer that.)
[root@broken ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-key
Kddns-key.+157+64404
[root@broken ~]# cat Kddns-key.+157+64404.private |grep Key
Key: Ch9gAjU9VpZbcIoEhUuVQg==


Copy the file ending in .key to your DHCP server and make sure it is readable by dhcpd (and only by dhcpd -- it holds the shared secret).  Then add the key statement to named.conf, or create a file with the following contents and use an include, up to you.
key "ddns-key" {
   algorithm hmac-md5;
   secret "Ch9gAjU9VpZbcIoEhUuVQg==";
}; 


Then change your allow-updates and key statement in named.conf and dhcpd.conf to reflect the new key.  That should fix the original problem.  If you also want to use nsupdate locally on those zones that are strictly for DDNS, then add localhost to allow-updates.

____________________

Going to point out a few things in your config that I think you should consider changing.

zone "shriramdb.com" {
        type master;
        file "/var/cache/bind/db.shriramdb.com";
        };


Add update-policy local to make your non-DDNS zones dynamic as explained in a previous question of yours.
file "/var/cache/bind/db.shriramdb.com";


The location of your primary zones shouldn't be in /var/cache.  More appropriate locations are /var/bind or /var/named, and even then I would go further and do /var/bind/dynamic/shriramdb.com/shriramdb.com.  Having the zone name, zone file, and parent directory all named the same thing has several advantages -- I'm not going to go into detail about all of them right now, so just trust me on that - I haven't steered you wrong yet.  How you have it now will work, but there are better ways.
journal "/var/cache/bind/db.dyn.shriramdb.com.jnl";


Unnecessary to define; remove it and let the default take care of it (named names the journal after the zone file with .jnl appended, which is exactly what you wrote anyway).
@               IN      NS      lampsrv.


This is incorrect.  Change the record to lampsrv.shriramdb.com. -- with the trailing dot, `lampsrv.` as written is a fully-qualified name directly under the root, not a host in your zone.

______________________

This is a clean and secure config, I recommend following the format.  Some of it may seem excessive, but it's built to scale -- you don't want to have to restructure where your zone files are later on when you may have hundreds.  Even if this is a home server with a few zones, these are good practices, and especially if you will be managing DNS for a company.  Some options here will get you primed for DNSSEC, but won't do any actual changes, just preparations.  I recommend signing your zones as I mentioned in a previous question of yours.

options {
        // Answer only on loopback plus the internal/external addresses (placeholders here).
        listen-on port 53 { 127.0.0.1; int.ip.addr; ext.ip.addr; };
        // Relative paths below (data/, logs/, dynamic/, named.ca) are resolved under this directory.
        directory       "/var/named";
        dump-file       "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        // Fixed string reported to version queries; presumably set so the real build is not advertised -- confirm intent.
        version "3.2.0";
        // Authoritative answers for anyone, but the cache and recursion only for local clients.
        allow-query     { any; };
        allow-query-cache { localhost; localnets; };
        recursion yes;
        allow-recursion { localhost; localnets; };
        // Zone transfers refused by default; a zone block may override this with its own allow-transfer.
        allow-transfer { none; };

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to root key and ISC DLV key */
        bindkeys-file "/etc/bind.keys";
};
// TSIG key used only by rndc on the controls channel; DDNS updates get their own key
// (see the ddns-key advice earlier in this thread). The secret here is an example value --
// generate your own with dnssec-keygen and never reuse one that has been published.
key "rndc-key" {
        algorithm hmac-md5;
        secret "SjYojb9ECP+JWg==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        channel main_log {
                file "logs/main.log" versions 3 size 50m;
                severity dynamic;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        channel query_log {
                file "logs/query.log" versions 3 size 50m;
                severity dynamic;
                print-time yes;
        };
        channel xfer_log {
                file "logs/xfer.log" versions 3 size 50m;
                severity dynamic;
                print-time yes;
        };
        category default{
        main_log;
        };
        category general{
        main_log;
        };
        category dnssec{
        main_log;
        };
        category queries{
        query_log;
        };
        category xfer-in{
        xfer_log;
        };
        category xfer-out{
        xfer_log;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "domain.com" IN {
        type master;
        // Zone name, zone file and parent directory deliberately share one name (the layout recommended above).
        file "dynamic/domain.com/domain.com";
        // Dynamic updates accepted only via the server's own local session key, so no TSIG secret is shared with DHCP for this zone.
        update-policy local;
        // Per-zone override of the global allow-transfer { none; }: only the secondary may pull the zone.
        allow-transfer { ip.of.slave; };
        // Automatic DNSSEC signing/key maintenance; signing keys are read from key-directory.
        auto-dnssec maintain;
        key-directory "dynamic/domain.com";
};


Top few lines of a zone file -- the big differences here between mine and your files are the $TTL value and the negative cache (minimum) value in the SOA record.
$ORIGIN .
$TTL 28800      ; 8 hours
domain.com          IN SOA  ns1.domain.com. hostmaster.domain.com. (
                                19         ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                600        ; minimum (10 minutes)
                                )


D_wathiAuthor Commented:
Sir, Thank you very much for reply.
When I execute the first command below, nothing happens and no key is generated.
 dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-keyKddns-key.+157+64404
also tried
 dnssec-keygen -a HMAC-MD5 -b 128 -n lampsrv.shriramdb.com ddns-keyKddns-key.+157+64404
and
 dnssec-keygen -a HMAC-MD5 -b 128 -n HOST lampsrv.shriramdb.com ddns-keyKddns-
key.+157+64404

Please help.







PapertripCommented:
Just do
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-key



If that doesn't work, make sure dnssec-keygen is in your path
which dnssec-keygen


D_wathiAuthor Commented:
Sir, thanks for the reply. When I execute sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-key there is no response.

 which dnssec-keygen
/usr/sbin/dnssec-keygen
So dnssec-keygen is in the path (/usr/sbin/dnssec-keygen).
please help.




PapertripCommented:
This might be an entropy issue -- let the command run for a few minutes.  Is this a virtual machine by any chance?

http://freshmeat.net/projects/haveged is a great entropy builder, is easy to install, and fits right in place without much effort.
D_wathiAuthor Commented:
Yes sir, this is a virtual machine running Ubuntu 10.4 server,
installed on an ESXi host.

PapertripCommented:
OK so VM's have an inherent problem with generating entropy.  In that case I highly suggest installing haveged.  You can try to find the package through Synaptic, but if it's not there then you will need to compile it from source.  I can help with that part if you really need it.

BTW the entropy problem with VM's is not only a problem for dnssec-keygen, it's a problem for anything that uses /dev/random or /dev/urandom, such as generating keys using openssl.  (Strictly, only /dev/random blocks while waiting for entropy; /dev/urandom does not block, but on a freshly booted VM its pool can still be poorly seeded, which is the part a daemon like haveged helps with.)
PapertripCommented:
In my config I showed you the following line:
  /* Path to root key and ISC DLV key */
        bindkeys-file "/etc/bind.keys";



The /etc/bind.keys file needs to be downloaded to your DNS master.  Since it holds the trust anchors your validation relies on, fetch it from ISC directly and check it against ISC's published signature or checksum before installing it (the commands below pull it over plain HTTP).
wget http://ftp.isc.org/isc/bind9/keys/9.7/bind.keys.v9_7
mv bind.keys.v9_7 /etc/bind.keys
chgrp named /etc/bind.keys
chmod 640 /etc/bind.keys


D_wathiAuthor Commented:
Sir, this is a very interesting config; nobody other than you can help me with this. So far I have only configured the name server for local resolution; the DDNS concept is new to me and, as you know, I do not know how to configure it.

As of now the name server is working for local resolution (static DNS); the forward and reverse zones and named.conf.local are posted below.
forward zone:

 cat db.shriramdb.com
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     lampsrv.shriramdb.com. root.shriramdb.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      lampsrv.shriramdb.com.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
lampsrv IN      A       192.168.1.244
linwin  IN      A       192.168.1.249
-----------------------------------------------------end------------------------------------------------------
------------------------reverse  zone-------
cat db.192
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     lampsrv.shriramdb.com. root.shriramdb.comt. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      lampsrv.
244     IN      PTR     lampsrv.shriramdb.com.
249     IN      PTR     linwin.shriramdb.com.
;1.0.0  IN      PTR     localhost.

----------------------end-----------------------------------------------------------------
--------------------named.conf.local------------


/ Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "shriramdb.com" {
        type master;
        file "/etc/bind/db.shriramdb.com";
};
zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/etc/bind/db.192";
------------------------------------------end----------------------------------------------------------------------

Sir, my request is: can you please help me with how the two dynamic zones should look? As shown above I have static forward and reverse zones; please help me create the two dynamic zones.




PapertripCommented:
Yes I will reply in detail in the morning, it's pretty late here.

One thing that jumped out at me is
        file "/etc/bind/db.192";


make that
/etc/bind/1.168.192.in-addr.arpa


and rename the file to match of course.

Install haveged -- this will help with more than just dnssec-keygen as I mentioned.  If you are unfamiliar with compiling packages from source, just google it, it's very easy.  ./configure && make && make install... you'll see... after that you should have a normal init script for it at /etc/rc.d/init.d/haveged


Once we get everything working as you would like, we will discuss naming conventions of directories and zone files, as I mentioned in a previous reply.  I will tell you all the reasons why you want to set it up like I described :)

Have a good day!
D_wathiAuthor Commented:
Sir, thank you so much. After leaving it for some time the keys got generated, so I did not install haveged.

Kddns-keykddns-key.%2B157%2B64404.+157+51849.key  
Kddns-keykddns-key.%2B157%2B64404.+157+51849.private

sudo cat Kddns-keykddns-key.%2B157%2B64404.+157+51849.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: ZjbIlnu+K6I/Gr6x/6vxRg==
Bits: AAA=
Created: 20111004115415
Publish: 20111004115415
Activate: 20111004115415


Also changed from file "/etc/bind/db.192";
to
file "/etc/bind/1.168.192.in-addr.arpa

Now BIND is also working. Please help me from here with:
1. what should be the dynamic zones i mean the contents
2. what other steps need to be taken care of.

As of now, with your support, I understand the dynamic zones should be kept under /var/cache/bind/dynamic; please tell me what these dynamic zones should contain and what the other steps are.

Please help
PapertripCommented:
Hey D,

I will check this all out tonight and get back to you.
D_wathiAuthor Commented:
Sir, I have configured DDNS, and all the configurations of dhcp, bind and the zones are attached for your reference. BIND is working, as resolution is happening for the static zones, but the dynamic ones are not working and the journal files did not get generated. I am sure I have misconfigured something somewhere, but I am not able to trace and resolve it; the config file is attached for your reference, please help me resolve this.
With the attached config I am getting the log below from tail -f /var/log/syslog:
Oct  5 17:16:35 lampsrv dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Oct  5 17:16:35 lampsrv dhcpd: Wrote 3 leases to leases file.
Oct  5 17:17:01 lampsrv CRON[17267]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Oct  5 17:17:25 lampsrv dhcpd: DHCPREQUEST for 192.168.1.213 from 00:0f:ea:42:b4:80 via eth0: unknown lease 192.168.1.213.
Oct  5 17:17:55 lampsrv dhcpd: DHCPREQUEST for 192.168.1.210 from 00:19:d1:1e:dd:83 via eth0: unknown lease 192.168.1.210.
Oct  5 17:19:48 lampsrv dhcpd: DHCPREQUEST for 192.168.1.202 from 00:07:e9:2a:c7:a0 via eth0: unknown lease 192.168.1.202.
Oct  5 17:20:38 lampsrv named[17221]: client 192.168.1.244#59343: signer "ddns-key" denied
Oct  5 17:20:38 lampsrv named[17221]: client 192.168.1.244#59343: update 'dyn.shriramdb.com/IN' denied
Oct  5 17:20:38 lampsrv dhcpd: Unable to add forward map from pavitra.dyn.shriramdb.com to 192.168.1.78: timed out
Oct  5 17:20:38 lampsrv dhcpd: DHCPREQUEST for 192.168.1.78 from 00:0f:ea:42:b4:1f (pavitra) via eth0
Oct  5 17:20:38 lampsrv dhcpd: DHCPACK on 192.168.1.78 to 00:0f:ea:42:b4:1f (pavitra) via eth0
Oct  5 17:21:19 lampsrv dhcpd: DHCPREQUEST for 192.168.1.204 from 00:0d:87:8f:4f:fb via eth0: unknown lease 192.168.1.204.


ddns-config.txt
PapertripCommented:
Hey D,

Sorry!  I'm currently training some of my group members from Chennai -- when you wake up, they wake up ;)  Once I am done with them I will answer your questions... we are almost done fixing your problems!
D_wathiAuthor Commented:
Sir, please ignore the previous ddns config attachment and consider this one instead.
Please help me to resolve this. Thanks in advance.
ddns-config.txt
D_wathiAuthor Commented:
Sir, thank you very much; I am really happy for this valuable support. Please have a look at the attached ddns configuration at your convenience and help me resolve this. Thanks once again.
PapertripCommented:
OK here is the first thing to address.  You have 2 zone config blocks for dyn.shriramdb.com.  -- remove the 127.0.0.1 one.
---------------------sudo vim /etc/dhcp3/dhcpd.conf------------------------

ddns-update-style interim;
include "/etc/bind/ddns.key";

zone dyn.shriramdb.com. {
primary 127.0.0.1;
key "ddns-key";
}

<snip>

zone dyn.shriramdb.com. {
primary 192.168.1.244;
key "ddns-key";
 }
}




Next problem is that you are using ddns-key in dhcpd.conf, but your allow-update in named.conf says rndc-key.  Change named.conf to use ddns-key for those zones.
zone "dyn.shriramdb.com" {
        type master;
file "/var/cache/bind/dynamic/db.dyn.shriramdb.com";
allow-update { key "rndc-key"; };
};

zone "2.168.192.in-addr.arpa" {
type master;
notify no;
file "/var/cache/bind/dynamic/db.192.168.2";
allow-update { key "rndc-key"; };
};


PapertripCommented:
There are still a few minor changes I will suggest for named.conf, but we'll just focus on getting everything working first.  After that we can make it better :)
D_wathiAuthor Commented:
Sir, I made some changes to the configuration; please find the modified configuration attached. The change was from rndc to ddns, i.e. changing the entries in named.conf.local to ddns-key. After restarting BIND and DHCP, one journal file got created:
$ pwd
/var/cache/bind/dynamic
indar@lampsrv:/var/cache/bind/dynamic$ ls -la
total 20
drwxrwsr-x 2 bind dhcpd 4096 2011-10-05 18:41 .
drwxrwsr-x 3 bind dhcpd 4096 2011-10-05 18:51 ..
-rwxrwsr-x 1 bind dhcpd  346 2011-10-05 18:05 db.192.168.2
-rw-r--r-- 1 bind dhcpd  444 2011-10-05 18:28 db.dyn.shriramdb.com
-rw-r--r-- 1 bind dhcpd  837 2011-10-05 17:55 db.dyn.shriramdb.com.jnl
indar@lampsrv:/var/cache/bind/dynamic$ cat db.dyn.shriramdb.com
$ORIGIN .
$TTL 604800     ; 1 week
dyn.shriramdb.com       IN SOA  lampsrv.shriramdb.com. root.shriramdb.com. (
                                3          ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      lampsrv.shriramdb.com.
                        A       127.0.0.1
                        A       192.168.1.244
$ORIGIN dyn.shriramdb.com.
$TTL 300        ; 5 minutes
pavitra                 A       192.168.1.78
                        TXT     "31b9a2ac8eebddb90fc236ebe2439756aa"
-------------------------------------------------------------
But the dynamic reverse zone journal is still not generated; please see the log below.

-------------------tail -f /var/log/syslog--------------------------------------------
Oct  5 19:24:25 lampsrv named[18688]: client 192.168.1.244#60160: update '1.168.192.in-addr.arpa/IN' denied
Oct  5 19:24:25 lampsrv dhcpd: unable to add reverse map from 82.1.168.192.in-addr.arpa. to shriram2.splserver.com: timed out
Oct  5 19:24:25 lampsrv dhcpd: DHCPREQUEST for 192.168.1.82 from e0:69:95:69:3a:55 (shriram2) via eth0
Oct  5 19:24:25 lampsrv dhcpd: DHCPACK on 192.168.1.82 to e0:69:95:69:3a:55 (shriram2) via eth0
Oct  5 19:25:08 lampsrv dhcpd: DHCPREQUEST for 192.168.1.200 from 00:13:46:8d:d9:9b via eth0: unknown lease 192.168.1.200.
Oct  5 19:25:38 lampsrv dhcpd: DHCPREQUEST for 192.168.1.78 from 00:0f:ea:42:b4:1f (pavitra) via eth0
Oct  5 19:25:38 lampsrv dhcpd: DHCPACK on 192.168.1.78 to 00:0f:ea:42:b4:1f (pavitra) via eth0
Oct  5 19:27:50 lampsrv dhcpd: DHCPREQUEST for 192.168.1.207 from 00:00:b4:52:35:dd via eth0: unknown lease 192.168.1.207.
Oct  5 19:27:59 lampsrv dhcpd: DHCPREQUEST for 192.168.1.215 from 00:08:a1:8a:2e:bd via eth0: unknown lease 192.168.1.215.
Oct  5 19:29:25 lampsrv named[18688]: client 192.168.1.244#60437: update '1.168.192.in-addr.arpa/IN' denied
Oct  5 19:29:25 lampsrv dhcpd: unable to add reverse map from 82.1.168.192.in-addr.arpa. to shriram2.splserver.com: timed out
---------------------------------------------------------------------------------------
Sir, please have a look at the attached modified configuration at your convenience and help me fix this so that DDNS works properly. Thanks in advance.
.

 
ddns-config.txt
PapertripCommented:
indar@lampsrv:/var/cache/bind/dynamic$ cat db.dyn.shriramdb.com
To see the contents of the journal file use
named-journalprint db.dyn.shriramdb.com.jnl


To commit the journal to the zone file, do the following (note that rndc freeze/thaw take the zone name, i.e. dyn.shriramdb.com, not the zone file name):
rndc freeze db.dyn.shriramdb.com
rndc thaw db.dyn.shriramdb.com


Oct  5 19:29:25 lampsrv dhcpd: unable to add reverse map from 82.1.168.192.in-addr.arpa. to shriram2.splserver.com: timed out
You don't have 1.168.192.in-addr.arpa set up as a zone in dhcpd.conf, and I believe you want dyn.shriramdb.com to have 192.168.2.x addresses, so change this
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.244;


to
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.10 192.168.1.244;



And you would need to change other DHCP options (the upper end of the range above should also move to 192.168.2.x):
option routers 192.168.1.244;
option broadcast-address 192.168.1.255;


I'm assuming you already have a router configured at 192.168.2.x, so change those networks to be 192.168.2
PapertripCommented:
If, however, you do want DHCP addresses to be 192.168.1.x, then you need to create a dynamic zone for that in named.conf just like 192.168.2 is.

I do not recommend having DHCP + DDNS updating the same zone file that has your non-DHCP DNS records.
D_wathiAuthor Commented:
Sir, I am extremely sorry to disturb you.
You don't have 1.68.192.in-addr.arpa setup as a zone in dhcpd.conf, and I believe you want dyn.shriramdb.com to have 192.168.2.x addresses,

I am not looking at 192.168.2.x addresses.

Sir, please help me make the dynamic reverse zone journal get generated.
PapertripCommented:
Oct  5 19:29:25 lampsrv named[18688]: client 192.168.1.244#60437: update '1.168.192.in-addr.arpa/IN' denied
Oct  5 19:29:25 lampsrv dhcpd: unable to add reverse map from 82.1.168.192.in-addr.arpa. to shriram2.splserver.com: timed out


/etc/dhcp3/dhcpd.conf

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.244;

zone 2.168.192.in-addr.arpa. {
primary 192.168.1.244;
key "ddns-key";
}


/etc/bind/named.conf.local

zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/1.168.192.in-addr.arpa";
};
zone "2.168.192.in-addr.arpa" {
type master;
notify no;
file "/var/cache/bind/dynamic/db.192.168.2";
allow-update { key "ddns-key"; };
};



Your dhcpd.conf has subnet and range options of 192.168.1.x, and your clients are getting those IP's like they should be.
Your dhcp log says dhcpd is trying to update 1.168.192.in-addr.arpa, which is correct according to your config.
Your dhcpd.conf and named.conf are configured to dynamically update the 2.168.192.in-addr.arpa zone... not 1.168.192.in-addr.arpa.

D_wathiAuthor Commented:
Sir, I would like to avoid DHCP and DDNS updating the same zone.
D_wathiAuthor Commented:
Sir, I had entered the dynamic zone wrongly in named.conf.local; it is now corrected as below:
-----------named.conf.local---------------------
named.conf.local

zone "2.168.192.in-addr.arpaa" {
        type master;
        notify no;
        file "/var/cache/bind/dynamic/db.192.168.2";
        allow-update { key "ddns-key"; };
};
-----------------------------------------End of named .conf.local------------------------------------------------------------
I also pointed the file path in named.conf.local to /var/cache/bind/dynamic/db.192.168.2.

 pwd
/var/cache/bind/dynamic
indar@lampsrv:/var/cache/bind/dynamic$ cat db.192.168.2
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     lampsrv.shriramdb.com. root.shriramdb.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      lampsrv.shriramdb.com.
244     IN      PTR     lampsrv.shriramdb.com.
;1.0.0  IN      PTR     localhost.
-----------------------end of  db.192.168.2----------------------------

---------------------------dhcpd.conf----------------------------------------------------

zone 2.168.192.in-addr.arpa. {
primary 192.168.1.244;
key "ddns-key";
}
zone dyn.shriramdb.com. {
primary 192.168.1.244;
key "ddns-key";
 }
-------------------------------------------------------------------------------------------------------------------
But the reverse DDNS journal file is still not created; I am getting "unable to add reverse map" messages.
Please help me resolve this.


D_wathiAuthor Commented:
Hi sir, please help me resolve this. After working on it continuously I identified one problem: I had entered one extra character while declaring the zone in named.conf.local, as below:
zone "2.168.192.in-addr.arpaa"
the same corrected to  "2.168.192.in-addr.arpa"

2. also renamed  /var/cache/bind/dynamic/db.192.168.2  to  /var/cache/bind/dynamic/2.168.192.in-addr.arpa.

3. changed the file name declared in the zone in the named.conf.local like the below
zone "2.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/dynamic/db.2.168.192.in-addr.arpa";
        allow-update { key "ddns-key"; };
};

4. Now BIND and DHCP are working, but only one journal file has been generated, db.dyn.shriramdb.com.jnl.

I have a few doubts; please tell me:
1. Is the journal file of the dynamic reverse zone missing, i.e. not generated? If it should have been created, please tell me how to resolve this.

Sir, I am very keen to fix this; please help me.


PapertripCommented:
At this point, from what I can see, it should be ok.

If it's working properly for db.dyn.shriramdb.com, and you have 2.168.192.in-addr.arpa setup the same way, it should be working.

I need logs from both named and dhcpd of what happens when the PTR record should be added.
D_wathiAuthor Commented:
Sir, thank you very much. I was a little afraid that you were occupied and I might not get a reply; thank God you are back to help me. I will post the logs while monitoring.

Sir, please share your mail account if you do not mind; I would like to send greetings. PLEASE SIR. Also, you mentioned training; please share the details so that I can participate too, in India or otherwise online. PLEASE HELP.
PapertripCommented:
also you were mentioning about the training please share so that i can also participate if it is in india if not online.
If you worked for my company then you could participate ;)

I'll be around for a couple hours if you want to work on this.
PapertripCommented:
2. also renamed  /var/cache/bind/dynamic/db.192.168.2  to  /var/cache/bind/dynamic/2.168.192.in-addr.arpa.

3. changed the file name declared in the zone in the named.conf.local like the below
zone "2.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/dynamic/db.2.168.192.in-addr.arpa";
        allow-update { key "ddns-key"; };
};

You renamed the file to 2.168.192.in-addr.arpa but left the file statement in the zone block as db.2.168.192.in-addr.arpa ?

Attach your current dhcpd and named configs and 'ls -l' in /var/cache/bind/dynamic/
D_wathiAuthor Commented:
Sir, thank you very much for the reply. I did rename the file to db.2.168.192.in.arpa.

Finally, before closing, please have a look at the dhcpd.conf posted below; in it
I have a doubt about the declaration: option domain-name "dyn.shriramdb.com 2.168.192.in-addr.arpa";

Please tell me whether it is correct.
--------------------------------------------------------
ddns-update-style interim;
include "/etc/bind/ddns.key";
#include "/etc/bind/rndc.key";

zone dyn.shriramdb.com. {
primary 192.168.1.244;
key "ddns-key";
}

zone 2.168.192.in-addr.arpa. {
primary 192.168.1.244;
key "ddns-key";
}

# option definitions common to all supported networks...
option domain-name "dyn.shriramdb.com 2.168.192.in-addr.arpa";
option domain-name-servers 192.168.1.244;
option routers 192.168.1.244;
option broadcast-address 192.168.1.255;
option ntp-servers 192.168.1.244;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.50;
}
--------------------------------------------------------------
Thanks for all the great support
PapertripCommented:
option domain-name "dyn.shriramdb.com 2.168.192.in-addr.arpa";
That is incorrect.  That option adds DNS suffixes on Windows or search options in /etc/resolv.conf; a reverse zone such as 2.168.192.in-addr.arpa is never a search suffix.  In this case it should be "shriramdb.com dyn.shriramdb.com"

option domain-name text;

    This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. 


PapertripCommented:
I answered a LOT of questions in this thread.  You really should close each question once the answer has been given, and open new questions when you have new questions.  A big incentive for me to answer questions is getting points.  If I answer 20 questions in a single thread, it's not fair for me.
PapertripCommented:
I recommend asking new questions to have experts review your named and dhcpd configs, since they could use some improvement, along with asking about DNSSEC signing your zones.
