Re: clean up an ddns zone

2018-03-23 Thread Alberto Colosi
RADIUS is only an AAA server; it transmits Auth OK/KO to the VPN terminator and IP 
allow/deny rules to the VPN terminator (IP filtering like iptables).


So RADIUS only authenticates the termination of the VPN tunnel and transmits the per-user linked 
policy of deny and allow rules (like iptables, as said).


I think the VPN terminator can be configured to use an internal IP pool or an 
external DHCP server, like a DHCP proxy, if you know it.


You should check the VPN concentrator manuals.


If not, you could look at a client like DDNS over the Internet that supports ISC DHCP to 
dynamically update the DNS zone, starting from a daemon running on the remote PC, but this is only 
an idea to be scouted.




From: bind-users  on behalf of Matthew 
Pounsett 
Sent: Friday, March 23, 2018 8:00 PM
To: Meike Stone
Cc: bind-users@lists.isc.org
Subject: Re: clean up an ddns zone



On 23 March 2018 at 13:32, Meike Stone via bind-users <bind-users@lists.isc.org> wrote:

> Hello,
>
> at the moment, I use ISC dhcpd to register all client names in the DNS
> (Bind) via ISC's DDNS API. Everything is working well.
> But now, some notebook clients should get company access via UMTS or
> VPN. In this case, a radius server is controlling the IP addresses,
> not the ISC dhcpd.

What's the mechanism for getting the IP address to the client?  Is there a 
RADIUS client on the client machine, or is your VPN using DHCP to get addresses 
to the client?  If the latter, then it likely has a mechanism for sending the 
same DNS Update messages that ISC's dhcpd does (DNS Update messages are a part 
of the DNS standard, and the ability to send them to maintain DNS for dynamic 
addresses is almost ubiquitous among DHCP implementations).

It's possible your RADIUS server also can do DNS Update messages, but I'm so 
far removed from the time when I ran RADIUS servers that I confess I can't 
recall whether that was a common option.

> Is there any possibility, maybe that the clients send their lease time
> and Bind deletes the RR (like ISC's dhcpd would do), if the lease
> time is over and if no DDNS refresh was made?

I'm not aware of any way to automatically expire records in a dynamic zone.

It's an ugly hack, but if you could get your clients to also register a TXT 
record with a timestamp in it, you could have some sort of cron-based garbage 
collection script run to scan the zone for those TXT records, and delete all 
the records related to that name when the right amount of time has elapsed.  
That still has some obvious problems though, like what to do if a client 
doesn't update the TXT record if/when it renews its lease.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: clean up an ddns zone

2018-03-23 Thread Matthew Pounsett
On 23 March 2018 at 13:32, Meike Stone via bind-users <bind-users@lists.isc.org> wrote:

> Hello,
>
> at the moment, I use ISC dhcpd to register all client names in the DNS
> (Bind) via ISC's DDNS API. Everything is working well.
> But now, some notebook clients should get company access via UMTS or
> VPN. In this case, a radius server is controlling the IP addresses,
> not the ISC dhcpd.
>

What's the mechanism for getting the IP address to the client?  Is there a
RADIUS client on the client machine, or is your VPN using DHCP to get
addresses to the client?  If the latter, then it likely has a mechanism for
sending the same DNS Update messages that ISC's dhcpd does (DNS Update
messages are a part of the DNS standard, and the ability to send them to
maintain DNS for dynamic addresses is almost ubiquitous among DHCP
implementations).

It's possible your RADIUS server also can do DNS Update messages, but I'm
so far removed from the time when I ran RADIUS servers that I confess I
can't recall whether that was a common option.

> Is there any possibility, maybe that the clients send their lease time
> and Bind deletes the RR (like ISC's dhcpd would do), if the lease
> time is over and if no DDNS refresh was made?
>

I'm not aware of any way to automatically expire records in a dynamic
zone.

It's an ugly hack, but if you could get your clients to also register a
TXT record with a timestamp in it, you could have some sort of cron-based
garbage collection script run to scan the zone for those TXT records, and
delete all the records related to that name when the right amount of time
has elapsed.  That still has some obvious problems though, like what to do
if a client doesn't update the TXT record if/when it renews its lease.


clean up an ddns zone

2018-03-23 Thread Meike Stone via bind-users
Hello,

at the moment, I use ISC dhcpd to register all client names in the DNS
(Bind) via ISC's DDNS API. Everything is working well.
But now, some notebook clients should get company access via UMTS or
VPN. In this case, a radius server is controlling the IP addresses,
not the ISC dhcpd.
So no update in the zone is placed, if the client gets connected via
UMTS or vpn.
The idea is to configure the clients to register themselves via
GSS-TSIG in the Bind DNS zone, so that in any situation an update is made.

But how do I get the records of the clients in their zone cleaned up
if the lease time is over?

Is there any possibility, maybe that the clients send their lease time
and Bind deletes the RR (like ISC's dhcpd would do), if the lease
time is over and if no DDNS refresh was made?

(I tried to understand Microsoft's scavenging process and got scared
by that complexity.)

Thanks Meike
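A worked version of the two pieces discussed in this thread, added here as an example and not code from the thread, from ISC or from BIND itself: the nsupdate batch a client would run to register itself (fed to `nsupdate -g` for the GSS-TSIG self-registration Meike proposes, or `nsupdate -k` with a shared TSIG key) together with a TXT timestamp, and the cron-driven garbage collector Matthew sketches, which reads a `dig AXFR` dump and emits the nsupdate deletes for every name whose stamp is older than a grace period. The `ddns-ts=` marker, the `example.internal` zone, the server name and the sample zone text are assumptions constructed for this example. The collector only touches names that carry the marker and guards each delete with a `prereq yxrrset` on the stale stamp, so a client that re-registered between the zone dump and the update is left alone; the case Matthew raises, a client that renews its lease without refreshing its TXT, still expires, which is the known weakness of the scheme.

```python
"""Self-registration plus cron-based garbage collection for a dynamic zone.

Added example for the bind-users thread above, not code from the thread.
Assumed convention: each self-registering client keeps, next to its A/AAAA
record, one TXT record "ddns-ts=<unix epoch of its last registration>".
Runs offline: the functions only build nsupdate batch scripts.
"""
import re
import time

TS_PREFIX = "ddns-ts="          # assumed marker; any fixed string works

# Constructed sample of what `dig @ns1 example.internal AXFR` prints
SAMPLE_ZONE = """\
example.internal.             3600 IN SOA  ns1.example.internal. hostmaster.example.internal. 2018032301 3600 900 604800 300
example.internal.             3600 IN NS   ns1.example.internal.
ns1.example.internal.         3600 IN A    10.0.0.53
fileserver.example.internal.  3600 IN A    10.0.0.20
laptop-a.example.internal.     300 IN A    10.8.0.11
laptop-a.example.internal.     300 IN TXT  "ddns-ts=1521800000"
laptop-b.example.internal.     300 IN A    10.8.0.12
laptop-b.example.internal.     300 IN AAAA fd00::12
laptop-b.example.internal.     300 IN TXT  "ddns-ts=1521828000"
laptop-c.example.internal.     300 IN TXT  "unrelated text"
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(zone_text):
    """Yield (owner, type, rdata) for every RR line of an AXFR dump."""
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(4)


def registered_names(zone_text):
    """owner -> epoch of last registration, for names carrying the marker."""
    stamps = {}
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype != "TXT":
            continue
        txt = rdata.strip().strip('"')
        if txt.startswith(TS_PREFIX):
            try:
                stamps[owner] = int(txt[len(TS_PREFIX):])
            except ValueError:
                pass        # malformed stamp: not ours, never delete it
    return stamps


def expired_names(zone_text, now, max_age):
    """Names whose registration is older than max_age seconds."""
    return sorted(owner for owner, ts in registered_names(zone_text).items()
                  if now - ts > max_age)


def registration_script(fqdn, addr, now, zone, server, ttl=300):
    """nsupdate batch a client runs on connect and on every lease renewal.
    Feed it to `nsupdate -g` (GSS-TSIG) or `nsupdate -k <keyfile>` (TSIG).
    The old address and old stamp are replaced, not accumulated."""
    rtype = "AAAA" if ":" in addr else "A"
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {fqdn} IN {rtype}",
        f"update add {fqdn} {ttl} IN {rtype} {addr}",
        f"update delete {fqdn} IN TXT",
        f'update add {fqdn} {ttl} IN TXT "{TS_PREFIX}{now}"',
        "send",
    ]) + "\n"


def gc_script(zone_text, now, max_age, zone, server):
    """nsupdate batch that removes every expired client, one transaction
    each.  The prereq ties the delete to the stale stamp: if the client
    re-registered after the AXFR was taken, the TXT no longer matches and
    the server refuses that transaction.  Only A, AAAA and the marker TXT
    are deleted, so hand-maintained records at the same name survive."""
    stamps = registered_names(zone_text)
    lines = [f"server {server}", f"zone {zone}"]
    for owner in expired_names(zone_text, now, max_age):
        stamp = f'"{TS_PREFIX}{stamps[owner]}"'
        lines += [
            f"prereq yxrrset {owner} IN TXT {stamp}",
            f"update delete {owner} IN A",
            f"update delete {owner} IN AAAA",
            f"update delete {owner} IN TXT {stamp}",
            "send",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Seven-day grace: anything not re-registered within a week is collected.
    print(gc_script(SAMPLE_ZONE, int(time.time()), 7 * 86400,
                    "example.internal", "ns1.example.internal"), end="")
```

From cron, pipe `dig @ns1 example.internal AXFR` into the collector and its output into `nsupdate -k /etc/bind/gc.key`. Give that key only what it needs in named.conf, for instance `update-policy { grant gc-key. zonesub A AAAA TXT; };` rather than a blanket `allow-update`, so a compromised cron host cannot rewrite NS or SOA records; the key name and path are assumptions of this note.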