Requesting Update-Policy Statements Sanity Check, Please

2023-02-02 Thread duluxoz

Hi All,

I'm pretty new to configuring Bind and so it would be great if 
someone(s) could just check my code re: the update-policy zone 
command(s) below - thanks in advance.


For the first zone (a regular internal forward-lookup zone) I'd like to 
be able to update (from Kea via ddns) the zone when a new host is 
assigned/etc a DHCP lease:


update-policy {grant update-key name internal-forward-lookup.local A ;};

For the second zone (a regular internal reverse-lookup zone for the 
192.168.1.0/24 network) I'd like to be able to update (from Kea via 
ddns) the zone when a new host is assigned a DHCP lease (obviously I've 
got an equivalent IPv6 reverse-lookup zone :-) ):


update-policy {grant update-key name 1.168.192.IN-ADDR.ARPA PTR;};

For the third zone (a regular external forward-lookup zone) I'd like to 
be able to update (via acme.sh/LetsEncrypt) the 
_acme-challenge.example.com TXT record when a Certificate is 
requested/renewed:


update-policy {grant update-key name _acme-challenge.example.com TXT;};

I've got the update-key configured and available on all the necessary 
boxes, etc, and dns (for fixed IP addresses) and dhcp are working - I 
just need to get these update-policy statements correct.


Any help is greatly appreciated - and again, thanks in advance

Cheers

Dulux-Oz
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Darren Ankney
You would probably need to attach your entire named.conf file (with
sensitive bits (keys and the like) redacted and perhaps subnets
obscured to examples such as 192.0.2.0/24, for example) before anyone
would be able to help you.

That being said, your update policy statements don't look correct to
me. Have you tried to load them with BIND?  Do they pass syntax check?
 The reason they don't look right is that they seem to follow this
format correctly:

# (grant | deny ) identity ruletype  name   types

but  include the word "name" which I think is meant to be replaced
with your actual domain name (ie: I don't think the word "name" should
be in the policy).

I have not previously used update-policy but I'd think it should be like this:

update-policy {grant   A ;};

from reading: 
https://bind9.readthedocs.io/en/v9_18_11/reference.html#namedconf-statement-update-policy

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Jan-Piet Mens

You would probably need to attach your entire named.conf file (with
sensitive bits (keys and the like) redacted 


named-checkconf -px 


is your friend: prints out the named.conf and included files in canonical form
if no errors were detected and obscures shared secrets by replacing them with
strings of question marks (?)

-JP

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Mark Andrews


> On 3 Feb 2023, at 21:47, Darren Ankney  wrote:
> 
> You would probably need to attach your entire named.conf file (with
> sensitive bits (keys and the like) redacted and perhaps subnets
> obscured to examples such as 192.0.2.0/24, for example) before anyone
> would be able to help you.
> 
> That being said, your update policy statements don't look correct to
> me. Have you tried to load them with BIND?  Do they pass syntax check?
> The reason they don't look right is that they seem to follow this
> format correctly:
> 
> # (grant | deny ) identity ruletype  name   types
> 
> but  include the word "name" which I think is meant to be replaced
> with your actual domain name (ie: I don't think the word "name" should
> be in the policy).

No, “name” there is the rule type.  

> I have not previously used update-policy but I'd think it should be like this:
> 
> update-policy {grant   A ;};

This leaves out rule type.

> 
> from reading: 
> https://bind9.readthedocs.io/en/v9_18_11/reference.html#namedconf-statement-update-policy

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-03 Thread Mark Andrews
You need to replace the rule type with something more appropriate for the type 
of update being performed.  For the updates made by the DHCP server I would use 
“zonesub”.  “name” is fine for LetsEncrypt.

update-policy {grant update-key zonesub A ;};
update-policy {grant update-key zonesub PTR;};

   ``zonesub``
   This rule is similar to subdomain, except that it matches when the name 
being updated is a subdomain of the zone in which the :any:`update-policy` 
statement appears. This obviates the need to type the zone name twice, and 
enables the use of a standard :any:`update-policy` statement in multiple zones 
without modification. When this rule is used, the ``name`` field is omitted.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread duluxoz

Thanks Mark (& Darren & Jan-Piet),

So I made those changes you suggested (Mark), but I'm still having 
issues (ie DHCP leases are not being added to the DNS zones), so I've 
included my Bind9 config:


~~~

acl "bogusnets" {
    !"internal_hosts";
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.0.2.0/24;
    192.168.0.0/16;
    224.0.0.0/3;
};
acl "internal_hosts" {
    192.168.1.0/24;
    192.168.2.0/24;
};
acl "secondary_external_servers" {
    192.168.1.1/32;
    192.168.1.2/32;
};
acl "secondary_internal_servers" {
    192.168.2.1/32;
    192.168.2.2/32;
};
acl "servers_ddns" {
    "localhost";
    192.168.2.3/32;
};
acl "servers_rndc" {
    "localhost";
    192.168.2.3/32;
};
acl "stats_hosts" {
    192.168.2.0/24;
};
controls {
    inet 0.0.0.0 port 953 allow {
    "servers_rndc";
    } keys {
    "rndc.key";
    };
};
logging {
    channel "auth_servers_log" {
    file "/var/log/named/auth_servers.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "client_security_log" {
    file "/var/log/named/client_security.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "default_log" {
    file "/var/log/named/default.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "default_debug_log" {
    file "/var/log/named/default_debug.log" versions 3 size 512000 suffix timestamp;
    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "ddns_log" {
    file "/var/log/named/ddns.log" versions 3 size 512000 suffix timestamp;
    severity debug 1;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "dnssec_log" {
    file "/var/log/named/dnssec.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "queries_log" {
    file "/var/log/named/queries.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "query_errors_log" {
    file "/var/log/named/query_errors.log" versions 3 size 512000 suffix timestamp;
    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    channel "zone_transfers_log" {
    file "/var/log/named/zone_transfers.log" versions 3 size 512000 suffix timestamp;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    category "client" {
    "client_security_log";
    "default_debug";
    };
    category "dnssec" {
    "dnssec_log";
    "default_debug";
    };
    category "default" {
    "default_syslog";
    "default_debug";
    "default_log";
    };
    category "delegation-only" {
    "auth_servers_log";
    "default_debug";
    };
    category "edns-disabled" {
    "auth_servers_log";
    "default_debug";
    };
    category "lame-servers" {
    "auth_servers_log";
    "default_debug";
    };
    category "notify" {
    "zone_transfers_log";
    "default_debug";
    };
    category "resolver" {
    "auth_servers_log";
    "default_debug";
    };
    category "security" {
    "client_security_log";
    "default_debug";
    };
    category "update" {
    "ddns_log";
    "default_debug";
    };
    category "update-security" {
    "ddns_log";
    "default_debug";
    };
    category "xfer-in" {
    "zone_transfers_log";
    "default_debug";
    };
    category "xfer-out" {
    "zone_transfers_log";
    "default_debug";
    };
};
options {
    blackhole {
    "bogusnets";
    };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    flush-zones-on-shutdown yes;
    managed-keys-directory "/var/named/dynamic";
    memstatistics yes;
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    statistics-file "/var/named/data/named_stats.txt";
    version "Not Currently Available";
    disable-algorithms "." {
    "RSAMD5";
    "RSASHA1";
    "NSEC3RSASHA1";
    "DSA";
    };
    disable-ds-digests "." {
    "SHA-1";
    "GOST";
    };
    recursion no;
    allow-query {
    "localhost";
    };
    allow-transfer {
    "secondary_external_servers";
    "secondary_internal_servers";
    };
    multi-master no;
    zone-statistics yes;
};
primaries "servers_primaries" {
    192.168.2.

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread Mark Andrews
Add DHCID to the list of record types permitted to be updated by the DHCP 
server. 

-- 
Mark Andrews

> On 4 Feb 2023, at 21:15, duluxoz  wrote:
> 
> Thanks Mark (& Darren & Jan-Piet),
> 
> So I made those changes you suggested (Mark), but I'm still having issues (ie 
> DHCP leases are not being added to the DNS zones), so I've included my Bind9 
> config:
> 
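The two corrections in this thread (use the `zonesub` rule type rather than a `name` rule carrying the zone apex, and add DHCID to the type list so the DHCP server's update is not refused) both come down to how named walks an update-policy: the first rule whose identity, rule type, owner name and type all match decides, and an RR that no rule matches is denied. The following is an added example, not code from BIND, ISC, Kea or anyone in the thread: a small Python model of that first-match evaluation, fed the thread's own statements. Its assumptions: the sample updates are constructed (Kea's DDNS daemon is taken to add A/PTR plus a DHCID record per lease, acme.sh a single TXT record), TSIG verification and prerequisites are not modelled, the `update-key` identity is simply the name of the key that signed the update, and only the `name`, `subdomain` and `zonesub` rule types are implemented. The "all types except RRSIG, NS, SOA, NSEC and NSEC3" behaviour of a rule with no type list follows the BIND ARM's description of update-policy.

```python
import re

# Types that a rule with no explicit type list does NOT cover (BIND ARM, update-policy).
DEFAULT_EXCLUDED_TYPES = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def _canon(name):
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.lower().rstrip(".")


def _is_subdomain(name, parent):
    """True when name is parent itself or lies below it."""
    return name == parent or name.endswith("." + parent)


def parse_update_policy(text):
    """Parse 'update-policy { (grant|deny) identity ruletype [name] [types...]; ... };'.

    For zonesub the name field is omitted, so its type list starts one token earlier.
    Only the rule types used in the thread are modelled.
    """
    m = re.search(r"update-policy\s*\{(.*)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no update-policy block found")
    rules = []
    for stmt in m.group(1).split(";"):
        tok = stmt.split()
        if not tok:
            continue
        action, identity, ruletype = tok[0], _canon(tok[1]), tok[2]
        if action not in ("grant", "deny"):
            raise ValueError("rule must start with grant or deny: %r" % stmt)
        if ruletype == "zonesub":
            name, types = None, tok[3:]
        elif ruletype in ("name", "subdomain"):
            if len(tok) < 4:
                raise ValueError("%s rule needs a name field: %r" % (ruletype, stmt))
            name, types = _canon(tok[3]), tok[4:]
        else:
            raise ValueError("rule type %r is not modelled here" % ruletype)
        rules.append({"action": action, "identity": identity, "ruletype": ruletype,
                      "name": name, "types": {t.upper() for t in types}})
    return rules


def _rule_matches(rule, zone, signer, owner, rtype):
    if rule["identity"] != signer:
        return False
    if rule["ruletype"] == "name" and owner != rule["name"]:
        return False
    if rule["ruletype"] == "subdomain" and not _is_subdomain(owner, rule["name"]):
        return False
    if rule["ruletype"] == "zonesub" and not _is_subdomain(owner, zone):
        return False
    if rule["types"]:
        return rtype in rule["types"]
    return rtype not in DEFAULT_EXCLUDED_TYPES


def authorize_update(policy_text, zone, signer, rrsets):
    """Accept the update only if every (owner, type) it touches is granted.

    Rules are tried in order and the first match decides; an RR that no rule
    matches is denied.  Returns (accepted, first_refused_rr_or_None).
    """
    rules = parse_update_policy(policy_text)
    zone, signer = _canon(zone), _canon(signer)
    for owner, rtype in rrsets:
        owner, rtype = _canon(owner), rtype.upper()
        decision = "deny"
        for rule in rules:
            if _rule_matches(rule, zone, signer, owner, rtype):
                decision = rule["action"]
                break
        if decision != "grant":
            return False, (owner, rtype)
    return True, None


# Constructed sample updates (assumption, not captured traffic): Kea's DDNS daemon
# is taken to add the address/pointer record plus a DHCID record for each lease;
# acme.sh is taken to add one TXT record for the dns-01 challenge.
KEA_FORWARD = [("host1.internal-forward-lookup.local", "A"),
               ("host1.internal-forward-lookup.local", "DHCID")]
KEA_REVERSE = [("10.1.168.192.in-addr.arpa", "PTR"),
               ("10.1.168.192.in-addr.arpa", "DHCID")]
ACME_TXT = [("_acme-challenge.example.com", "TXT")]

# The thread's statements: as first posted, after the zonesub fix, after adding DHCID.
POLICY_AS_POSTED = "update-policy {grant update-key name internal-forward-lookup.local A ;};"
POLICY_ZONESUB_A = "update-policy {grant update-key zonesub A ;};"
POLICY_ZONESUB_A_DHCID = "update-policy {grant update-key zonesub A DHCID;};"
POLICY_ZONESUB_PTR_DHCID = "update-policy {grant update-key zonesub PTR DHCID;};"
POLICY_ACME = "update-policy {grant update-key name _acme-challenge.example.com TXT;};"
```

Run against the forward-zone update, the statement as posted is refused on the very first RR (the `name` rule only matches the apex, not `host1.` under it), Mark's `zonesub A` version accepts the A record but refuses the DHCID record, and `zonesub A DHCID` accepts the whole update; the reverse-zone statement behaves the same way with PTR. The ACME statement shows what the `name` rule is good for: the same key can write the `_acme-challenge` TXT record and nothing else in the zone. A rule with no type list is the opposite extreme, granting every type except RRSIG, NS, SOA, NSEC and NSEC3, so a key held by a DHCP server or an ACME client should always carry an explicit type list.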

Re: Requesting Update-Policy Statements Sanity Check, Please

2023-02-04 Thread duluxoz

Thanks Mark - that was the issue :-)

I really, really appreciate the help

Cheers

Dulux-Oz

On 04/02/2023 23:21, Mark Andrews wrote:

> Add DHCID to the list of record types permitted to be updated by the DHCP 
> server.

