[Samba] dynamic DNS updates by DHCP script only for IPv4

Wed Nov 22 13:51:21 UTC 2023

Am 22.11.2023 um 09:56 schrieb Rowland Penny via samba:
> On Wed, 22 Nov 2023 08:49:33 +0100
> Thomas Schachtner via samba<samba at lists.samba.org>  wrote:
>
>> Hi folks,
>> after having received great help from you guys, I dare to ask another
>> question here.
>> I am working with a system which has IPv6 enabled and where clients
>> should update their AAAA records as soon as they have been assigned
>> by the DHCPv6 server.
>>
>> (As a side-question: I know that DHCPv6 is not very common and that
>> SLAAC is very common, but how do that people use DNSv6 registration
>> then? Only DNS(v4) is only a workaround, given that the future may be
>> IPv6 some time and as soon as dual-stack configurations are not
>> necessary anymore, they have serious problems with name resolution of
>> their clients which have their IP addresses automatically assigned.
>> Or am I missing something?)
>>
>> I am using the script from the following page, which is working
>> perfectly fine - for IPv4 addresses:
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
>>
>> Is there a similar script (or an extension of the current one) also
>> available for IPv6? (I don't think that I can update by myself...)
>> Or (again) am I missing some important point and my issue can be
>> solved differently?
>>
>> Best
>> Tom
>>
> I know of no script that will do what you require and have no
> inclination to alter the current script, for the following reasons:
>
> isc-dhcp-server is EOL, they now what you to use KEA instead, this, in
> my opinion, is like using the worlds largest hydraulic hammer to crack
> a nut, your opinion may differ.
> I do not have over sixteen million dhcp clients, so I do not use IPv6.
>
> If you wish to take and modify the existing script, then be my guest,
> just be aware, I will not be doing so.
>
> Rowland
If you don't mind and if I figure out how to get that done, I'll try to 
make the script also work for IPv6.
Please bear with me asking many silly questions, but I did not really 
find an answer elsewhere.
I'm also not sure if this has to do with the type of dynamic DNS updates 
anyway (at least the way I am currently doing it with the script).
I keep getting  a strange message over and over again in my logs and I 
am not sure what it means exactly (or rather why it's being generated - 
only for IPv6).
The message is:

Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#63705: 
update 'local.example.de/IN' denied
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of 
signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de 
type=AAAA error=insufficient access rights
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe 
*masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone 
'local.example.de/NONE': update failed: rejected by secure update (REFUSED)

I know I only have secure updates enabled, but why do IPv4 updates work? 
(at least the log does not complain...)
I also thought it might be because the IP address is configured 
statically... (it was.)
I removed it so that it can be created dynamically, but it isn't.

But this is a completely different DNS update mechanism, right?
Do I need both, as IP addresses might be changed by the client and the 
change might then be detected by Samba which in turn should be able to 
update the DNS, right?
There's no DHCP involved..