Hi,
   thank you for the hints, indeed it was my mistake in the DNS reverse zone configuration.
Let me summarize the problem: I have 2 subnets, a /24 and a /22.
For the /24 I have no problem with reverse resolution; I was in trouble with the /22, so I 
recreated 4 reverse zone files, one for each class C in my /22 netmask, and a single forward 
file to define my e4prod zone. The new zones.conf is:


[root@srv-install dynamic]# cat /etc/named/zones.conf
// e4srv: 172.16.2.0/24
zone "e4srv" {
    type master;
    file "/var/named/dynamic/db.e4srv";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "2.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.2.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

// e4prod: 172.16.4.0/22, one reverse zone per /24 (4, 5, 6, 7)
zone "e4prod" {
    type master;
    file "/var/named/dynamic/db.e4prod";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "4.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.4.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "5.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.5.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "6.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.6.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "7.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.7.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};
[root@srv-install dynamic]#

With every single reverse defined as in my first email.
Now it works.

Thank you.

D.

On 09 Dec 2016, at 16:21, Erez Zarum <erezza...@gmail.com> wrote:

Hey,
It looks like it refuses to let you update. Looking at your BIND (DNS) 
configuration, you define the 172.16.4.0/22 network as 172.16.4.0/24 and you 
try to add an address for 172.16.5.37; it's identical to having only 172.16.4.0/24 
in your DHCP configuration and trying to add a static lease for 172.16.5.37.
Try this:
zone "4-7.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.4-7.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

I also believe using "22/0.4.16.172.in-addr.arpa" should work as well (depends 
on your BIND version)

If you don't need any special requirements, "theforeman/dhcp" and 
"theforeman/dns" should be safe to use.

Erez.


On Friday, December 9, 2016 at 2:23:58 PM UTC+2, Daniele Gregori (E4) wrote:
Hi Joop,
    Thanks for your answer.
    I suppose that I have a problem with the DNS zone configuration because I'm 
a DNS newbie. My idea is to configure a DNS only for internal LAN hostname 
resolution, to use as primary, and a secondary like 8.8.8.8 to resolve external 
names (this is my simple idea).


For the sake of completeness, my dhcpd.conf is:


[root@srv-install dynamic]# cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
omapi-port 7911;

default-lease-time 43200;
max-lease-time 86400;

ddns-update-style none;

#option domain-name "e4srv";
option domain-name-servers 172.16.2.2, 8.8.8.8;
option ntp-servers none;

allow booting;
allow bootp;

option fqdn.no-client-update  on;  # set the "O" and "S" flag bits
option fqdn.rcode2            255;
option pxegrub code 150 = text ;

# PXE Handoff.
next-server 172.16.2.2;
filename "pxelinux.0";

log-facility local7;

include "/etc/dhcp/dhcpd.hosts";

# e4srv
subnet 172.16.2.0 netmask 255.255.255.0 {
  pool
  {
    range 172.16.2.170 172.16.2.210;
  }

  option subnet-mask 255.255.255.0;
  option routers 172.16.2.1;
  option domain-name "e4srv";
}

# e4prod
subnet 172.16.4.0 netmask 255.255.252.0 {
  pool
  {
    range 172.16.5.170 172.16.5.210;
  }

  option subnet-mask 255.255.252.0;
  option routers 172.16.4.1;
  option domain-name "e4prod";
}

With 2 subnets I have no errors with DHCP.

So I tried to configure DNS manually, but I repeat, I'm not a DNS expert, so I 
changed the config files as follows:



[root@srv-install dynamic]# cat /etc/named.conf
// named.conf

include "/etc/rndc.key";

controls  {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options  {
        include "/etc/named/options.conf";
};

include "/etc/named.rfc1912.zones";

// Public view read by Server Admin
include "/etc/named/zones.conf";
[root@srv-install dynamic]#

This is the same configuration as with one subnet/domain/zone.

So I added the new zone as follows:



[root@srv-install dynamic]# cat /etc/named/zones.conf
#OLD ZONE:
zone "2.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.2.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "e4srv" {
    type master;
    file "/var/named/dynamic/db.e4srv";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

#NEW ZONE:
zone "4.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.4.16.172.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

zone "e4prod" {
    type master;
    file "/var/named/dynamic/db.e4prod";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};
[root@srv-install dynamic]#



Included files are:




[root@srv-install dynamic]# cat /var/named/dynamic/db.e4prod
$ORIGIN e4prod.
$TTL 10800 ; 3 hours
e4prod.                 IN SOA  srv-install.e4srv. root.e4hmgm. (
                                33         ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      srv-install.e4srv.
[root@srv-install dynamic]#

[root@srv-install dynamic]# cat /var/named/dynamic/db.4.16.172.in-addr.arpa
$ORIGIN 4.16.172.in-addr.arpa.
$TTL 10800 ; 3 hours
4.16.172.in-addr.arpa.  IN SOA  srv-install.e4srv. root.2.16.172.in-addr.arpa. (
                                31         ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      srv-install.e4srv.
$TTL 86400 ; 1 day
[root@srv-install dynamic]#



The old zone files are:




[root@srv-install dynamic]# cat /var/named/dynamic/db.2.16.172.in-addr.arpa
$ORIGIN .
$TTL 10800 ; 3 hours
2.16.172.in-addr.arpa   IN SOA  srv-install.e4srv. root.2.16.172.in-addr.arpa. (
                                36         ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      srv-install.e4srv.
$ORIGIN 2.16.172.in-addr.arpa.
$TTL 86400 ; 1 day
171                     PTR     antani01.e4srv.
175                     PTR     nada.e4srv.
180                     PTR     fantasia.e4srv.
192                     PTR     cromo.e4srv.
196                     PTR     piopio.e4srv.
199                     PTR     gino.e4srv.
2                       PTR     srv-install.e4srv.
6                       PTR     mona.e4srv.
[root@srv-install dynamic]#

[root@srv-install dynamic]# cat /var/named/dynamic/db.e4srv
$ORIGIN .
$TTL 10800 ; 3 hours
e4srv                   IN SOA  srv-install.e4srv. root.e4srv. (
                                34         ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      srv-install.e4srv.
$ORIGIN e4srv.
$TTL 86400 ; 1 day
antani01                A       172.16.2.171
cromo                   A       172.16.2.192
fantasia                A       172.16.2.180
gino                    A       172.16.2.199
mona                    A       172.16.2.6
nada                    A       172.16.2.175
piopio                  A       172.16.2.196
$TTL 10800 ; 3 hours
srv-install             A       172.16.2.2
[root@srv-install dynamic]#


With that configuration I can manually restart named without errors.
So in my Foreman configuration I created the new domain and the new subnet, and associated 
domain and subnet with the only DNS/DHCP/TFTP smart-proxy I had already 
defined (I use a single server for all services in my configuration, with a 
single interface/IP network address).

When I create the new node in the new network/domain I receive this error in 
/var/log/foreman-proxy/proxy.log:

D, [2016-12-09T13:10:07.027729 #1082] DEBUG -- : verifying remote client 172.16.2.2 against trusted_hosts ["srv-install.e4srv"]
D, [2016-12-09T13:10:07.028909 #1082] DEBUG -- : running /usr/bin/nsupdate -k /etc/rndc.key
D, [2016-12-09T13:10:07.030624 #1082] DEBUG -- : nsupdate: executed - server 127.0.0.1
D, [2016-12-09T13:10:07.030710 #1082] DEBUG -- : nsupdate: executed - update add 37.5.16.172.in-addr.arpa. 86400 PTR minion.e4prod
D, [2016-12-09T13:10:07.048025 #1082] DEBUG -- : nsupdate: errors
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;16.172.in-addr.arpa. IN SOA

;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0

E, [2016-12-09T13:10:07.048322 #1082] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;16.172.in-addr.arpa. IN SOA

;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0

D, [2016-12-09T13:10:07.048366 #1082] DEBUG -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  10668
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;16.172.in-addr.arpa. IN SOA

;; TSIG PSEUDOSECTION:
rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1481285407 300 16 rFCZNeQqGptzNj1+Lr08MQ== 10668 NOERROR 0

 (Proxy::Dns::Error)




Maybe there is something wrong in the DNS config, but I don't understand what.
Any hints?


Another point: what do you mean with

You can of course add the foreman puppet modules to your puppet
environment, import them and then use them on the foreman master to add
the new subnets/domains :-)

Is your idea to install a puppet class/module from the Forge to manage the DNS server? 
Do you know a good one?


Thanks

Daniele


On 09 Dec 2016, at 11:14, jvandewege <jvand...@nieuwland.nl> wrote:

On 7-12-2016 16:43, Daniele Gregori (E4) wrote:
Hi all,
  I'm in trouble with my Foreman server; this system manages many clients that 
are connected to different subnets. See the link for a sketch of the network:

https://s24.postimg.org/dr7ba31s5/Vlan_Routing.jpg

The Foreman server has just one interface, enabled to reach every other subnet, 
and I want to use it to provision every client.

I defined the DHCP, TFTP and DNS proxy for the first subnet during the provisioning 
setup and I'm able to provision clients on this subnet.
Later I defined a new domain and a new subnet associated with the same 
proxy server for DNS/DHCP/TFTP as the first subnet, but when I try to create a new 
host I receive this error message from the GUI:


Do you have the definition of the new subnets in your dhcp server and
dns server?
Provisioning setup does one subnet/domain only, so if you define new
subnets/domains within Foreman then you also need to define those in
your dns config and in the dhcpd config.
You can of course add the foreman puppet modules to your puppet
environment, import them and then use them on the foreman master to add
the new subnets/domains :-)

Joop

--
You received this message because you are subscribed to the Google Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

