Hi Rowland,

you added the failover to your wiki:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

It would be a good idea to explain some things. In your script you are using the ports 519 and 520 for the failover:
--------------
failover peer "dhcp-failover" {
  primary;
  address dc1.samdom.example.com;
  port 519;
  peer address dc2.samdom.example.com;
  peer port 520;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
--------------
Why are you using these ports?
Are these ports TCP or UDP?
Will they be opened automatically?

A short explanation would be good. As I told you before, it's one of the best howtos in the wiki.

Stefan

On Mon, 27 Feb 2017 11:07:26 +0100 Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> you added the failover to your wiki:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> It would be a good idea to explain some things. In your script you are
> using the ports 519 and 520 for the failover:
> --------------
> failover peer "dhcp-failover" {
>   primary;
>   address dc1.samdom.example.com;
>   port 519;
>   peer address dc2.samdom.example.com;
>   peer port 520;
>   max-response-delay 60;
>   max-unacked-updates 10;
>   mclt 3600;
>   split 128;
>   load balance max seconds 3;
> }
> --------------
> Why are you using these ports?

I actually wrote the failover notes some time ago, they just never made it to the wiki. If I remember correctly, the information came from 'man dhcpd.conf' and at that time the recommended ports were '519' & '520'.

> Are these ports TCP or UDP?

TCP

> Will they be opened automatically?

I think you mean in the firewall, don't really know because I don't use a firewall, but I wouldn't have thought so.

> A short explanation would be good. As I told you before, it's one of
> the best howtos in the wiki.

Your post made me check the manpage again and, as usual, things have changed, so I will do some testing based on the changes and then update the wiki page.

Rowland

Hai Rowland.

Something to add also for the wiki.

Also a notice, if you're using SELinux or AppArmor, make sure these ports are known by these programs. And don't forget firewalls to open these ports.

Also a thing if you're running your own DNS, open port 53 TCP and UDP. If a UDP port 53 response is larger than 512 bytes then it may be truncated, or then DNS falls back to using TCP. And setting an increased size for UDP helps EDNS requests.

  edns-udp-size 4096 ;

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania via samba
> Sent: Monday 27 February 2017 11:07
> To: samba at lists.samba.org
> Subject: [Samba] DDNS-filover in wiki
>
> Hi Rowland,
>
> you added the failover to your wiki:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> It would be a good idea to explain some things. In your script you are
> using the ports 519 and 520 for the failover:
> --------------
> failover peer "dhcp-failover" {
>   primary;
>   address dc1.samdom.example.com;
>   port 519;
>   peer address dc2.samdom.example.com;
>   peer port 520;
>   max-response-delay 60;
>   max-unacked-updates 10;
>   mclt 3600;
>   split 128;
>   load balance max seconds 3;
> }
> --------------
> Why are you using these ports?
> Are these ports TCP or UDP?
> Will they be opened automatically?
>
> A short explanation would be good. As I told you before, it's one of the
> best howtos in the wiki.
>
> Stefan

On 27.02.2017 at 11:07, Stefan Kania via samba wrote:

> Hi Rowland,
>
> you added the failover to your wiki:

I think I found a little bug in your howto. You defined the part for the failover:

## Primary ##
failover peer "dhcp-failover" {
  primary;
  address dc1.samdom.example.com;
  peer address dc2.samdom.example.com;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
##########

## Secondary ##
failover peer "dhcp-failover" {
  secondary;
  address dc2.samdom.example.com;
  peer address dc1.samdom.example.com;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  load balance max seconds 3;
}
##########

On the webpage of ISC:

https://kb.isc.org/article/AA-00502/0/A-Basic-Guide-to-Configuring-DHCP-Failover.html

they said:
------------
The parameter mclt (Maximum Client Lead Time) must be defined on the primary. It must NOT be defined on the secondary.
------------

One more thing:
Maybe it would be a good idea to mention that the "failover peer "dhcp-failover" " section must be defined before the subnet-section. If you put it after the subnet-section the dhcp-server will not start.

Stefan

On Thu, 2 Mar 2017 17:31:47 +0100 Stefan Kania via samba <samba at lists.samba.org> wrote:

> I think I found a little bug in your howto. You defined the part for
> the failover:
>
> ## Secondary ##
> failover peer "dhcp-failover" {
>   secondary;
>   address dc2.samdom.example.com;
>   peer address dc1.samdom.example.com;
>   max-response-delay 60;
>   max-unacked-updates 10;
>   mclt 3600;
>   load balance max seconds 3;
> }
>
> The parameter mclt (Maximum Client Lead Time) must be defined on the
> primary. It must NOT be defined on the secondary.
> ------------
>
> One more thing:
> Maybe it would be a good idea to mention, that the "failover peer
> "dhcp-failover" " section must be defined before the subnet-section.
> If you put it after the subnet-section the dhcp-server will not start.

Both fixed, though in mitigation for 'mclt 3600', I just 'cut & pasted' the portions from my running dhcpd.conf files ;-)

Rowland
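
An added example, not part of the thread or the wiki page: a small Python check for the two failover rules raised above (mclt on the primary only, and the failover peer declared before the subnet section). The function name, the subnet and the address range are constructed for illustration; the secondary block is the one quoted in the thread.

```python
import re

# A declaration has a body in braces; a reference inside a pool ends in ';'.
FAILOVER_DECL = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}')
SUBNET_DECL = re.compile(r'\bsubnet\s+\S+\s+netmask\b')

def lint_failover(conf):
    """Return findings for the failover rules discussed in the thread."""
    text = re.sub(r'#[^\n]*', '', conf)  # drop comments (ignores '#' in strings)
    findings = []
    first_subnet = SUBNET_DECL.search(text)
    for m in FAILOVER_DECL.finditer(text):
        name, body = m.group(1), m.group(2)
        role = re.search(r'\b(primary|secondary)\s*;', body)
        has_mclt = re.search(r'\bmclt\s+\d+\s*;', body) is not None
        if role is None:
            findings.append(f'{name}: neither primary nor secondary is set')
        elif role.group(1) == 'secondary' and has_mclt:
            findings.append(f'{name}: mclt must not be defined on the secondary')
        elif role.group(1) == 'primary' and not has_mclt:
            findings.append(f'{name}: mclt must be defined on the primary')
        if first_subnet and m.start() > first_subnet.start():
            findings.append(f'{name}: failover peer is declared after the subnet section')
    return findings

# Constructed sample: subnet and range values are placeholders.
SUBNET = '''subnet 192.168.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "dhcp-failover";
    range 192.168.0.50 192.168.0.229;
  }
}
'''
# The secondary block as first posted in the thread (still carrying mclt).
SECONDARY = '''failover peer "dhcp-failover" {
  secondary;
  address dc2.samdom.example.com;
  peer address dc1.samdom.example.com;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  load balance max seconds 3;
}
'''

if __name__ == '__main__':
    # Wrong order and mclt on the secondary: both findings are reported.
    for finding in lint_failover(SUBNET + SECONDARY):
        print(finding)
```

Running it against a real dhcpd.conf before restarting the service catches both mistakes without waiting for dhcpd to refuse to start.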