[Samba] dynamic DNS updates by DHCP script only for IPv4
Thomas Schachtner
Thomas.schachtner at eltheim.de
Wed Nov 22 21:29:40 UTC 2023
On 22.11.2023 at 22:09, Rowland Penny via samba wrote:
> On Wed, 22 Nov 2023 21:43:32 +0100
> Thomas Schachtner via samba <samba at lists.samba.org> wrote:
>
>>> On Wed, 22 Nov 2023 14:53:35 +0100
>>> Thomas Schachtner via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 22.11.2023 at 09:56, Rowland Penny via samba wrote:
>>>>> On Wed, 22 Nov 2023 08:49:33 +0100
>>>>> Thomas Schachtner via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi folks,
>>>>>> after having received great help from you guys, I dare to ask
>>>>>> another question here.
>>>>>> I am working with a system which has IPv6 enabled and where
>>>>>> clients should update their AAAA records as soon as they have
>>>>>> been assigned by the DHCPv6 server.
>>>>>>
>>>>>> (As a side question: I know that DHCPv6 is not very common and
>>>>>> that SLAAC is very common, but how do those people use DNSv6
>>>>>> registration then? Using only DNS(v4) is only a workaround, given that
>>>>>> the future may be IPv6 some time and as soon as dual-stack
>>>>>> configurations are not necessary anymore, they have serious
>>>>>> problems with name resolution of their clients which have their
>>>>>> IP addresses automatically assigned. Or am I missing something?)
>>>>>>
>>>>>> I am using the script from the following page, which is working
>>>>>> perfectly fine - for IPv4 addresses:
>>>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
>>>>>>
>>>>>> Is there a similar script (or an extension of the current one)
>>>>>> also available for IPv6? (I don't think that I can update by
>>>>>> myself...) Or (again) am I missing some important point and my
>>>>>> issue can be solved differently?
>>>>>>
>>>>>> Best
>>>>>> Tom
>>>>>>
>>>>> I know of no script that will do what you require and have no
>>>>> inclination to alter the current script, for the following
>>>>> reasons:
>>>>>
>>>>> isc-dhcp-server is EOL, they now want you to use KEA instead;
>>>>> this, in my opinion, is like using the world's largest hydraulic
>>>>> hammer to crack a nut, your opinion may differ.
>>>>> I do not have over sixteen million dhcp clients, so I do not use
>>>>> IPv6.
>>>>>
>>>>> If you wish to take and modify the existing script, then be my
>>>>> guest, just be aware, I will not be doing so.
>>>>>
>>>>> Rowland
>>>> If you don't mind and if I figure out how to get that done, I'll
>>>> try to make the script also work for IPv6.
>>>> Please bear with me asking many silly questions, but I did not
>>>> really find an answer elsewhere.
>>>> I'm also not sure if this has to do with the type of dynamic DNS
>>>> updates anyway (at least the way I am currently doing it with the
>>>> script). I keep getting a strange message over and over again in
>>>> my logs and I am not sure what it means exactly (or rather why it's
>>>> being generated - only for IPv6).
>>>> The message is:
>>>>
>>>> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
>>>> *masked*#63705: update 'local.example.de/IN' denied
>>>> Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of
>>>> signer=CORE-I7\$\@LOCAL.EXAMPLE.DE name=core-i7.local.example.de
>>>> type=AAAA error=insufficient access rights
>>> That is an IPv6 update and it looks like that could be coming from
>>> your clients (Windows ??)
>> Yes, it's Windows. Does that mean that BIND_DLZ does not work with
>> IPv6 updates?
> I have no knowledge if that is the case, but I do not see any reason
> why it wouldn't work.
> What I was referring to was that your client is bypassing the script
> and trying to update its own IPv6 record in AD.
>
>> IPv4 is running fine. And all the security settings seem to be
>> independent of the IP protocol version...
>>>> Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe
>>>> *masked*#50873/key CORE-I7\$\@LOCAL.EXAMPLE.DE: updating zone
>>>> 'local.example.de/NONE': update failed: rejected by secure update
>>>> (REFUSED)
>>>>
>>>> I know I only have secure updates enabled, but why do IPv4 updates
>>>> work? (at least the log does not complain...)
>>>> I also thought it might be because the IP address is configured
>>>> statically... (it was.)
>>>> I removed it so that it can be created dynamically, but it isn't.
>>>>
>>>> But this is a completely different DNS update mechanism, right?
>>>> Do I need both, as IP addresses might be changed by the client and
>>>> the change might then be detected by Samba which in turn should be
>>>> able to update the DNS, right?
>>>> There's no DHCP involved..
>>> If there is no dhcp involved, then surely there is no dynamic dns
>>> either.
>>>
>>> I would think that you will need to modify the 'on commit' part of
>>> the isc-dhcp-server conf to get it to send the IPV6 address to the
>>> script and then modify the script to use it, good luck.
>>>
>>> But I must ask, is your organisation that large that it requires
>>> over sixteen and a half million IP addresses? That is the only reason
>>> I can see for using IPv6 internally.
>>>
>>> Rowland
>> No, the organization is not that big.
>> The intention is to have an all-IPv6 network for education purposes.
> I see.
>
>> There's no NAT necessary anymore. Any host has an "official" IP(v6)
>> address and can be made available on the Internet "as is", without
>> any port forwarding.
> Excuse me, but 'AAAARRRRRGGGHH'
>
> Have you ever heard of those things called VPNs ?
> Do you understand why people use them ?
> There is zero chance that I personally would expose any computer
> directly on the internet.
> There is also the fact that your connection to the internet (presumably
> some form of router) will probably have an external IP address.
>
VPNs will not teach how IPv6 is working.
It's difficult to explain things like prefix delegations when people
connect via VPN and do not actually use it. Also, when exposing 25 web
servers for a lab session, it's quite complicated to make them publicly
available using a reverse proxy or port forwarding rules. It's
awkward... It's difficult to learn how IPv6 is working when hiding many
functions of IPv6. I agree with you: I am also not sure if I would
activate IPv6 for all end users' workstations in a production
environment... But that's not the point here.
>> And as IPv6 addresses are hard to remember, it would be good to have
>> them available in the DNS.
>> All stations get fixed (=reserved) IPv6 addresses and they register
>> themselves in the DNS.
>>
>> But it seems as if the IPv6 updates from Windows don't work correctly
>> with bind_dlz zones, either. Maybe it's not so easy to get it all
>> running...
> Windows computers do not actually need a script to update the dns, they
> can do it themselves, if you do use a script, you have to stop the
> Windows computers from updating their own records.
>
> Rowland
I understand that there are two update mechanisms then which might
interfere with each other.
But there are different usage scenarios:
- Non-AD computers will receive their IP addresses from the DHCP server.
It would be great if they were available in the DNS. That's what the
script is taking care of.
- AD computers which have static IP addresses are not visible to the
DHCP server. If such a device is either changing its name or its IP
address, probably no one thinks of manually changing the values in the
DNS server. In this case, it would be good if the Active Directory (or:
the Windows client) takes care of that job.
Can they both be addressed without getting into trouble?
Tom
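As an added illustration (not part of the thread or of the Samba wiki script), a small Python parser for the named/samba_dlz denial lines quoted above. It groups refused record updates by type (A vs. AAAA) and flags signers that are AD machine accounts, which is the sign that a Windows client is doing its own secure update instead of going through the DHCP script. The sample log lines are constructed from the messages quoted in the thread, with one extra host added.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the named/samba_dlz lines quoted in the
# thread (client address masked as in the original post; LAPTOP-7 is invented).
SAMPLE_LOG = """\
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#63705: update 'local.example.de/IN' denied
Nov 22 14:31:04 dc1 named[1298]: samba_dlz: disallowing update of signer=CORE-I7$@LOCAL.EXAMPLE.DE name=core-i7.local.example.de type=AAAA error=insufficient access rights
Nov 22 14:31:04 dc1 named[1298]: client @0x7f0f6d52cafe *masked*#50873/key CORE-I7$@LOCAL.EXAMPLE.DE: updating zone 'local.example.de/NONE': update failed: rejected by secure update (REFUSED)
Nov 22 14:32:10 dc1 named[1298]: samba_dlz: disallowing update of signer=LAPTOP-7$@LOCAL.EXAMPLE.DE name=laptop-7.local.example.de type=A error=insufficient access rights
"""

# samba_dlz line: which principal tried to write which record, and why it was denied.
DISALLOW_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$"
)
# named line: the GSS-TSIG key (signer) whose secure update was REFUSED.
REFUSED_RE = re.compile(
    r"/key (?P<signer>\S+): updating zone '(?P<zone>[^']+)': "
    r"update failed: rejected by secure update \(REFUSED\)$"
)


def parse_denied_updates(log_text):
    """Return one dict (signer, name, rtype, error) per samba_dlz denial line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := DISALLOW_RE.search(line))]


def refused_signers(log_text):
    """Return the set of signers whose secure update named reported as REFUSED."""
    return {m.group("signer") for line in log_text.splitlines()
            if (m := REFUSED_RE.search(line))}


def records_by_type(events):
    """Group denied record names by type, so an admin can see whether only the
    AAAA (IPv6) self-registrations are being refused or the A records too."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[ev["rtype"]].add(ev["name"])
    return dict(grouped)


def is_machine_account(signer):
    """True for an AD computer account principal (NAME$@REALM): the client itself,
    not the DHCP script, signed the update."""
    return re.fullmatch(r"[^@$\s]+\$@\S+", signer) is not None
```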