[Samba] dynamic DNS updates by DHCP script only for IPv4

Rowland Penny rpenny at samba.org
Wed Nov 22 15:23:13 UTC 2023


On Wed, 22 Nov 2023 14:53:35 +0100
Thomas Schachtner via samba <samba at lists.samba.org> wrote:

> 
> 
> On 22.11.2023 at 09:56, Rowland Penny via samba wrote:
> > On Wed, 22 Nov 2023 08:49:33 +0100
> > Thomas Schachtner via samba<samba at lists.samba.org>  wrote:
> >
> >> Hi folks,
> >> after having received great help from you guys, I dare to ask
> >> another question here.
> >> I am working with a system which has IPv6 enabled and where clients
> >> should update their AAAA records as soon as they have been assigned
> >> by the DHCPv6 server.
> >>
> >> (As a side-question: I know that DHCPv6 is not very common and that
> >> SLAAC is very common, but how do those people use DNSv6 registration
> >> then? Only DNS(v4) is only a workaround, given that the future may
> >> be IPv6 some time and as soon as dual-stack configurations are not
> >> necessary anymore, they have serious problems with name resolution
> >> of their clients which have their IP addresses automatically
> >> assigned. Or am I missing something?)
> >>
> >> I am using the script from the following page, which is working
> >> perfectly fine - for IPv4 addresses:
> >> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
> >>
> >> Is there a similar script (or an extension of the current one) also
> >> available for IPv6? (I don't think that I can update by myself...)
> >> Or (again) am I missing some important point and my issue can be
> >> solved differently?
> >>
> >> Best
> >> Tom
> >>
> > I know of no script that will do what you require and have no
> > inclination to alter the current script, for the following reasons:
> >
> > isc-dhcp-server is EOL, they now want you to use KEA instead, this,
> > in my opinion, is like using the world's largest hydraulic hammer to
> > crack a nut, your opinion may differ.
> > I do not have over sixteen million dhcp clients, so I do not use
> > IPv6.
> >
> > If you wish to take and modify the existing script, then be my
> > guest, just be aware, I will not be doing so.
> >
> > Rowland
> If you don't mind and if I figure out how to get that done, I'll try
> to make the script also work for IPv6.
> Please bear with me asking many silly questions, but I did not really 
> find an answer elsewhere.
> I'm also not sure if this has to do with the type of dynamic DNS
> updates anyway (at least the way I am currently doing it with the
> script). I keep getting a strange message over and over again in my
> logs and I am not sure what it means exactly (or rather why it's
> being generated - only for IPv6).
> The message is:
> 
> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
> *masked*#63705: update 'local.example.de/IN' denied
> Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of 
> signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de 
> type=AAAA error=insufficient access rights

That is an IPv6 update and it looks like that could be coming from your
clients (Windows ??)

> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe 
> *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone 
> 'local.example.de/NONE': update failed: rejected by secure update
> (REFUSED)
> 
> I know I only have secure updates enabled, but why do IPv4 updates
> work? (at least the log does not complain...)
> I also thought it might be because the IP address is configured 
> statically... (it was.)
> I removed it so that it can be created dynamically, but it isn't.
> 
> But this is a completely different DNS update mechanism, right?
> Do I need both, as IP addresses might be changed by the client and
> the change might then be detected by Samba which in turn should be
> able to update the DNS, right?
> There's no DHCP involved..

If there is no dhcp involved, then surely there is no dynamic dns
either.
 
I would think that you will need to modify the 'on commit' part of the
isc-dhcp-server conf to get it to send the IPv6 address to the script
and then modify the script to use it, good luck.

But I must ask, is your organisation that large that it requires over
sixteen and a half million IP addresses? That is the only reason I can
see for using IPv6 internally.

Rowland
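
Added example, not part of the original mail or of the Samba project's code: a small parser for the samba_dlz "disallowing update" lines quoted above, which groups denied secure updates by signer, name and record type and flags whether a machine account was trying to update its own host name. The sample log is constructed (its first two lines mirror the thread, the others are invented), and the "account name equals host label" comparison is an assumption used only as a triage heuristic.

```python
import re
from collections import Counter

# Field layout of the samba_dlz denial line quoted in the thread (unwrapped).
DENY_RE = re.compile(
    r"samba_dlz: disallowing update of\s+signer=(?P<signer>\S+)\s+"
    r"name=(?P<name>\S+)\s+type=(?P<type>\S+)\s+error=(?P<error>.+?)\s*$"
)

# Constructed sample log: the first two lines mirror the thread, the rest are invented.
SAMPLE_LOG = r"""
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:31:09 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:32:10 dc1 named[1298]: samba_dlz: disallowing update of signer=LAPTOP2\$\@LOCAL.EXAMPLE.DE name=fileserver.local.example.de type=A error=insufficient access rights
Nov 22 14:32:11 dc1 named[1298]: samba_dlz: starting transaction on zone local.example.de
"""

def parse_denials(text):
    """Return one dict per samba_dlz 'disallowing update' line in text."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # named backslash-escapes '$' and '@' in the Kerberos principal.
        d["signer"] = d["signer"].replace("\\", "")
        account = d["signer"].split("@", 1)[0].rstrip("$").lower()
        # Heuristic (assumption): machine account name equals the host label.
        d["self_update"] = account == d["name"].split(".", 1)[0].lower()
        denials.append(d)
    return denials

def summarize(denials):
    """Count denials per (signer, name, record type)."""
    return Counter((d["signer"], d["name"], d["type"]) for d in denials)

if __name__ == "__main__":
    for (signer, name, rtype), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x {rtype:5} {name} signed by {signer}")
```

A denial with `self_update` false means a machine account tried to change a record for a different host name, which deserves a closer look than a client failing to update its own AAAA record.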
 


