[Samba] dynamic DNS updates by DHCP script only for IPv4

Thomas Schachtner Thomas.schachtner at eltheim.de
Wed Nov 22 20:43:32 UTC 2023


On Wed, 22 Nov 2023 14:53:35 +0100
> Thomas Schachtner via samba<samba at lists.samba.org>  wrote:
>
>>
>> On 22.11.2023 at 09:56, Rowland Penny via samba wrote:
>>> On Wed, 22 Nov 2023 08:49:33 +0100
>>> Thomas Schachtner via samba<samba at lists.samba.org>   wrote:
>>>
>>>> Hi folks,
>>>> after having received great help from you guys, I dare to ask
>>>> another question here.
>>>> I am working with a system which has IPv6 enabled and where clients
>>>> should update their AAAA records as soon as they have been assigned
>>>> by the DHCPv6 server.
>>>>
>>>> (As a side-question: I know that DHCPv6 is not very common and that
>>>> SLAAC is very common, but how do those people use DNSv6 registration
>>>> then? Only DNS(v4) is only a workaround, given that the future may
>>>> be IPv6 some time and as soon as dual-stack configurations are not
>>>> necessary anymore, they have serious problems with name resolution
>>>> of their clients which have their IP addresses automatically
>>>> assigned. Or am I missing something?)
>>>>
>>>> I am using the script from the following page, which is working
>>>> perfectly fine - for IPv4 addresses:
>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
>>>>
>>>> Is there a similar script (or an extension of the current one) also
>>>> available for IPv6? (I don't think that I can update by myself...)
>>>> Or (again) am I missing some important point and my issue can be
>>>> solved differently?
>>>>
>>>> Best
>>>> Tom
>>>>
>>> I know of no script that will do what you require and have no
>>> inclination to alter the current script, for the following reasons:
>>>
>>> isc-dhcp-server is EOL, they now want you to use KEA instead, this,
>>> in my opinion, is like using the world's largest hydraulic hammer to
>>> crack a nut, your opinion may differ.
>>> I do not have over sixteen million dhcp clients, so I do not use
>>> IPv6.
>>>
>>> If you wish to take and modify the existing script, then be my
>>> guest, just be aware, I will not be doing so.
>>>
>>> Rowland
>> If you don't mind and if I figure out how to get that done, I'll try
>> to make the script also work for IPv6.
>> Please bear with me asking many silly questions, but I did not really
>> find an answer elsewhere.
>> I'm also not sure if this has to do with the type of dynamic DNS
>> updates anyway (at least the way I am currently doing it with the
>> script). I keep getting  a strange message over and over again in my
>> logs and I am not sure what it means exactly (or rather why it's
>> being generated - only for IPv6).
>> The message is:
>>
>> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
>> *masked*#63705: update 'local.example.de/IN' denied
>> Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of
>> signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de
>> type=AAAA error=insufficient access rights
> That is an IPv6 update and it looks like that could be coming from your
> clients (Windows ??)
Yes, it's Windows. Does that mean that BIND_DLZ does not work with IPv6 
updates?
IPv4 is running fine. And all the security settings seem to be 
independent of the IP protocol version...
>> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
>> *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone
>> 'local.example.de/NONE': update failed: rejected by secure update
>> (REFUSED)
>>
>> I know I only have secure updates enabled, but why do IPv4 updates
>> work? (at least the log does not complain...)
>> I also thought it might be because the IP address is configured
>> statically... (it was.)
>> I removed it so that it can be created dynamically, but it isn't.
>>
>> But this is a completely different DNS update mechanism, right?
>> Do I need both, as IP addresses might be changed by the client and
>> the change might then be detected by Samba which in turn should be
>> able to update the DNS, right?
>> There's no DHCP involved..
> If there is no dhcp involved, then surely there is no dynamic dns
> either.
>   
> I would think that you will need to modify the 'on commit' part of the
> isc-dhcp-server conf to get it to send the IPV6 address to the script
> and then modify the script to use it, good luck.
>
> But I must ask, is your organisation that large that it requires over
> sixteen and a half million IP addresses? That is the only reason I can
> see for using IPv6 internally.
>
> Rowland
No, the organization is not that big.
The intention is to have an all-IPv6 network for education purposes.
There's no NAT necessary anymore. Any host has an "official" IP(v6) 
address and can be made available on the Internet "as is", without any 
port forwarding.
And as IPv6 addresses are hard to remember, it would be good to have 
them available in the DNS.
All stations get fixed (=reserved) IPv6 addresses and they register 
themselves in the DNS.

But it seems as if the IPv6 updates from Windows don't work correctly 
with bind_dlz zones, either. Maybe it's not so easy to get it all running...

Tom
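
An added example, not part of the original thread or of Samba: the `samba_dlz` denial lines quoted in the message above can be tallied per signer, name and record type to see which updates named is refusing and whether each client is only trying to register its own name. The function names, the `own_record` heuristic and the last sample line are assumptions made for this illustration.

```python
import re
from collections import Counter

# Sample lines rebuilt from the log excerpt quoted in the message above
# (mail line-wrapping undone); the last line is constructed for contrast.
SAMPLE_LOG = r"""
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#63705: update 'local.example.de/IN' denied
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone 'local.example.de/NONE': update failed: rejected by secure update (REFUSED)
Nov 22 14:35:10 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
"""

# Matches only the denial format shown in the thread.
DENY_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$"
)


def parse_denials(text):
    """Return one dict per samba_dlz denial line found in text."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["signer"] = d["signer"].replace("\\", "")  # named escapes $ and @
        d["error"] = d["error"].strip()
        # Heuristic (assumption): a machine account HOST$@REALM updating
        # host.<zone> is a client registering its own name.
        account = d["signer"].split("@", 1)[0].rstrip("$").lower()
        d["own_record"] = d["name"].split(".", 1)[0].lower() == account
        denials.append(d)
    return denials


def summarize(denials):
    """Count denials per (signer, name, record type, error)."""
    return Counter((d["signer"], d["name"], d["rtype"], d["error"]) for d in denials)


if __name__ == "__main__":
    for (signer, name, rtype, error), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x {rtype} {name} by {signer}: {error}")
```

A denial where `own_record` is false would be the case to look at first, since it means an account tried to change a name that is not its own.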

