Thomas Schachtner
2023-Nov-22 13:53 UTC
[Samba] dynamic DNS updates by DHCP script only for IPv4
On 22.11.2023 at 09:56, Rowland Penny via samba wrote:
> On Wed, 22 Nov 2023 08:49:33 +0100
> Thomas Schachtner via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>> after having received great help from you guys, I dare to ask another
>> question here.
>> I am working with a system which has IPv6 enabled and where clients
>> should update their AAAA records as soon as they have been assigned
>> by the DHCPv6 server.
>>
>> (As a side-question: I know that DHCPv6 is not very common and that
>> SLAAC is very common, but how do that people use DNSv6 registration
>> then? Only DNS(v4) is only a workaround, given that the future may be
>> IPv6 some time and as soon as dual-stack configurations are not
>> necessary anymore, they have serious problems with name resolution of
>> their clients which have their IP addresses automatically assigned.
>> Or am I missing something?)
>>
>> I am using the script from the following page, which is working
>> perfectly fine - for IPv4 addresses:
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
>>
>> Is there a similar script (or an extension of the current one) also
>> available for IPv6? (I don't think that I can update by myself...)
>> Or (again) am I missing some important point and my issue can be
>> solved differently?
>>
>> Best
>> Tom
>>
> I know of no script that will do what you require and have no
> inclination to alter the current script, for the following reasons:
>
> isc-dhcp-server is EOL, they now want you to use KEA instead, this, in
> my opinion, is like using the world's largest hydraulic hammer to crack
> a nut, your opinion may differ.
> I do not have over sixteen million dhcp clients, so I do not use IPv6.
>
> If you wish to take and modify the existing script, then be my guest,
> just be aware, I will not be doing so.
>
> Rowland

If you don't mind and if I figure out how to get that done, I'll try to make the script also work for IPv6.

Please bear with me asking many silly questions, but I did not really find an answer elsewhere.
I'm also not sure if this has to do with the type of dynamic DNS updates anyway (at least the way I am currently doing it with the script). I keep getting a strange message over and over again in my logs and I am not sure what it means exactly (or rather why it's being generated - only for IPv6).
The message is:

Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#63705: update 'local.example.de/IN' denied
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone 'local.example.de/NONE': update failed: rejected by secure update (REFUSED)

I know I only have secure updates enabled, but why do IPv4 updates work? (at least the log does not complain...)
I also thought it might be because the IP address is configured statically... (it was.)
I removed it so that it can be created dynamically, but it isn't.

But this is a completely different DNS update mechanism, right?
Do I need both, as IP addresses might be changed by the client and the change might then be detected by Samba which in turn should be able to update the DNS, right?
There's no DHCP involved..

Tom
Rowland Penny
2023-Nov-22 15:23 UTC
[Samba] dynamic DNS updates by DHCP script only for IPv4
On Wed, 22 Nov 2023 14:53:35 +0100
Thomas Schachtner via samba <samba at lists.samba.org> wrote:

>
>
> On 22.11.2023 at 09:56, Rowland Penny via samba wrote:
> > On Wed, 22 Nov 2023 08:49:33 +0100
> > Thomas Schachtner via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >> after having received great help from you guys, I dare to ask
> >> another question here.
> >> I am working with a system which has IPv6 enabled and where clients
> >> should update their AAAA records as soon as they have been assigned
> >> by the DHCPv6 server.
> >>
> >> (As a side-question: I know that DHCPv6 is not very common and that
> >> SLAAC is very common, but how do that people use DNSv6 registration
> >> then? Only DNS(v4) is only a workaround, given that the future may
> >> be IPv6 some time and as soon as dual-stack configurations are not
> >> necessary anymore, they have serious problems with name resolution
> >> of their clients which have their IP addresses automatically
> >> assigned. Or am I missing something?)
> >>
> >> I am using the script from the following page, which is working
> >> perfectly fine - for IPv4 addresses:
> >> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
> >>
> >> Is there a similar script (or an extension of the current one) also
> >> available for IPv6? (I don't think that I can update by myself...)
> >> Or (again) am I missing some important point and my issue can be
> >> solved differently?
> >>
> >> Best
> >> Tom
> >>
> > I know of no script that will do what you require and have no
> > inclination to alter the current script, for the following reasons:
> >
> > isc-dhcp-server is EOL, they now want you to use KEA instead, this,
> > in my opinion, is like using the world's largest hydraulic hammer to
> > crack a nut, your opinion may differ.
> > I do not have over sixteen million dhcp clients, so I do not use
> > IPv6.
> >
> > If you wish to take and modify the existing script, then be my
> > guest, just be aware, I will not be doing so.
> >
> > Rowland
> If you don't mind and if I figure out how to get that done, I'll try
> to make the script also work for IPv6.
> Please bear with me asking many silly questions, but I did not really
> find an answer elsewhere.
> I'm also not sure if this has to do with the type of dynamic DNS
> updates anyway (at least the way I am currently doing it with the
> script). I keep getting a strange message over and over again in my
> logs and I am not sure what it means exactly (or rather why it's
> being generated - only for IPv6).
> The message is:
>
> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
> *masked*#63705: update 'local.example.de/IN' denied
> Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of
> signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de
> type=AAAA error=insufficient access rights

That is an IPv6 update and it looks like that could be coming from your clients (Windows ??)

> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
> *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone
> 'local.example.de/NONE': update failed: rejected by secure update
> (REFUSED)
>
> I know I only have secure updates enabled, but why do IPv4 updates
> work? (at least the log does not complain...)
> I also thought it might be because the IP address is configured
> statically... (it was.)
> I removed it so that it can be created dynamically, but it isn't.
>
> But this is a completely different DNS update mechanism, right?
> Do I need both, as IP addresses might be changed by the client and
> the change might then be detected by Samba which in turn should be
> able to update the DNS, right?
> There's no DHCP involved..

If there is no dhcp involved, then surely there is no dynamic dns either.

I would think that you will need to modify the 'on commit' part of the isc-dhcp-server conf to get it to send the IPv6 address to the script and then modify the script to use it, good luck.

But I must ask, is your organisation that large that it requires over sixteen and a half million IP addresses? That is the only reason I can see for using IPv6 internally.

Rowland
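
Added example (not part of the original messages, and not Samba or BIND code): a short Python script that extracts the samba_dlz "disallowing update" lines quoted in this thread from a named log and counts them per signer and record type, so it is easy to see which accounts are being refused and whether only AAAA updates are affected. The first three sample lines are the ones from the thread, the last two are constructed; the function names and the own_record field are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are the ones quoted in the thread,
# the last two are made up so the summary has something to group.
SAMPLE_LOG = r"""
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#63705: update 'local.example.de/IN' denied
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone 'local.example.de/NONE': update failed: rejected by secure update (REFUSED)
Nov 22 14:46:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:47:10 dc1 named[1298]: samba_dlz: disallowing update of signer=NB-42\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
"""

DENY_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.+)$"
)

def parse_denials(log_text):
    """Return one dict per samba_dlz 'disallowing update' line."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # the two generic named lines carry no record type
        # The principal is logged with '$' and '@' backslash-escaped; undo that.
        signer = re.sub(r"\\(.)", r"\1", m["signer"])
        account, _, realm = signer.partition("@")
        name = m["name"].lower()
        denials.append({
            "signer": signer,
            "realm": realm,
            "name": name,
            "type": m["type"],
            "error": m["error"].strip(),
            # True when a machine account updates the record named after itself.
            "own_record": account.rstrip("$").lower() == name.split(".")[0],
        })
    return denials

def summarize(denials):
    """Count denials per (signer, record type)."""
    return Counter((d["signer"], d["type"]) for d in denials)

if __name__ == "__main__":
    for (signer, rtype), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n:3d}  {rtype:5s} {signer}")
```
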