I recently went over my network configuration and noticed that DHCP leases were not yet being pushed into the IPA DNS. So I thought, why not do it now. The setup is very similar to setting it up on a single BIND instance not managed by IPA (I've already written a guide about that here).
My setup is done with the following hosts:
ipa01.archyslife.lan - 172.31.0.1
inf01.archyslife.lan - 172.31.0.5
First of all, create a rndc-key:
[archy@ipa01 ~]$ sudo rndc-confgen -a -b 512
This will create the file '/etc/rndc.key':
[archy@ipa01 ~]$ sudo cat /etc/rndc.key
key "rndc-key" {
    algorithm hmac-md5;
    secret "secret_key_here==";
};
We also need to make named aware of the rndc-key and allow our remote DHCP server to write DNS entries:
[archy@ipa01 ~]$ sudo vim /etc/named.conf
...
include "/etc/rndc.key";
controls {
    inet 172.31.0.1 port 953 allow { 172.31.0.5; } keys { "rndc-key"; };
};
...
Check the config for possible errors:
[archy@ipa01 ~]$ sudo named-checkconf /etc/named.conf
If nothing is returned, the config is good and BIND can be restarted with the altered config:
[archy@ipa01 ~]$ sudo ipactl restart
Grant the rndc-key permission to edit and write new entries into the zone:
[archy@ipa01 ~]$ ipa dnszone-mod archyslife.lan --dynamic-update=True --update-policy='grant ARCHYSLIFE.LAN krb5-self * A; grant ARCHYSLIFE.LAN krb5-self * AAAA; grant ARCHYSLIFE.LAN krb5-self * SSHFP; grant "rndc-key" zonesub ANY;'
If you are using a firewall, you'll need to allow port 953/tcp since the updates will run over that port. In my case, it's firewalld:
[archy@ipa01 ~]$ sudo firewall-cmd --zone=home --add-port=953/tcp --permanent
[archy@ipa01 ~]$ sudo firewall-cmd --reload
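It helps to see exactly what the update-policy above lets each identity do. The following is an added example, not code from the post: a small evaluator for the subset of BIND's update-policy grammar used here (krb5-self, zonesub, plus name and subdomain). BIND checks rules in the order written and the first matching rule decides; no match means the update is refused. POST_POLICY is the string set with ipa dnszone-mod above; FENCED_POLICY and the host names ws01/ws02 are constructed for illustration. Note that "grant "rndc-key" zonesub ANY" lets the DHCP server's key write any record type anywhere in the zone, including the IPA server's own name, which is why the fenced variant puts a deny rule for ipa01 first. The signed updates themselves are ordinary RFC 2136 DNS update messages on port 53; port 953 is BIND's rndc control channel, and the controls block grants 172.31.0.5 the ability to issue rndc commands, so keep that allow list to the one address as the post does.

```python
"""Evaluate BIND9 update-policy rules the way named does (added example, not from the post)."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Policy exactly as set on the IPA host in the post.
POST_POLICY = ('grant ARCHYSLIFE.LAN krb5-self * A; grant ARCHYSLIFE.LAN krb5-self * AAAA; '
               'grant ARCHYSLIFE.LAN krb5-self * SSHFP; grant "rndc-key" zonesub ANY;')

# Constructed variant: a deny rule placed first keeps the DHCP key away from the IPA
# server's own name; the rest of the zone stays writable for it.
FENCED_POLICY = ('deny "rndc-key" name ipa01.archyslife.lan. ANY; '
                 'grant ARCHYSLIFE.LAN krb5-self * A; grant "rndc-key" zonesub ANY;')


@dataclass
class Rule:
    action: str            # "grant" or "deny"
    identity: str          # TSIG key name, or the Kerberos realm for krb5-self
    ruletype: str          # krb5-self | zonesub | name | subdomain
    name: Optional[str]    # target name for name/subdomain; "*" placeholder for krb5-self
    types: frozenset       # record types the rule covers; {"ANY"} means every type


def _norm(name: str) -> str:
    """Canonical DNS name: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def parse_update_policy(policy: str) -> List[Rule]:
    rules = []
    for stmt in policy.split(";"):
        tokens = shlex.split(stmt)            # also strips the quotes around "rndc-key"
        if not tokens:
            continue
        if len(tokens) < 3 or tokens[0] not in ("grant", "deny"):
            raise ValueError("malformed rule: " + stmt.strip())
        action, identity, ruletype, *rest = tokens
        if ruletype == "zonesub":             # zonesub has no name field: the zone is implied
            name = None
        else:
            if not rest:
                raise ValueError("rule needs a name field: " + stmt.strip())
            name, *rest = rest
        types = frozenset(t.upper() for t in rest) or frozenset({"ANY"})
        rules.append(Rule(action, identity, ruletype, name, types))
    return rules


def _matches(rule: Rule, zone: str, requester: str, rname: str, rtype: str) -> bool:
    if rtype.upper() not in rule.types and "ANY" not in rule.types:
        return False
    if rule.ruletype == "krb5-self":
        # requester is a Kerberos principal host/<fqdn>@REALM and may only touch <fqdn>
        if "@" not in requester:
            return False
        principal, realm = requester.rsplit("@", 1)
        if realm != rule.identity or not principal.startswith("host/"):
            return False
        return _norm(principal[len("host/"):]) == rname
    if requester != rule.identity:            # TSIG key name must match exactly
        return False
    if rule.ruletype == "zonesub":
        return rname == zone or rname.endswith("." + zone)
    if rule.ruletype == "name":
        return rname == _norm(rule.name)
    if rule.ruletype == "subdomain":
        sub = _norm(rule.name)
        return rname == sub or rname.endswith("." + sub)
    raise ValueError("unsupported rule type: " + rule.ruletype)


def update_allowed(rules: List[Rule], zone: str, requester: str, rname: str, rtype: str) -> bool:
    """First matching rule decides, as in BIND; no matching rule refuses the update."""
    zone, rname = _norm(zone), _norm(rname)
    for rule in rules:
        if _matches(rule, zone, requester, rname, rtype):
            return rule.action == "grant"
    return False


if __name__ == "__main__":
    rules = parse_update_policy(POST_POLICY)
    for who, name, rtype in [("rndc-key", "ws01.archyslife.lan", "A"),
                             ("rndc-key", "ipa01.archyslife.lan", "TXT"),
                             ("host/ws02.archyslife.lan@ARCHYSLIFE.LAN", "ws02.archyslife.lan", "A"),
                             ("host/ws02.archyslife.lan@ARCHYSLIFE.LAN", "ws03.archyslife.lan", "A")]:
        print(f"{who:45} {name:25} {rtype:5} -> "
              f"{'allowed' if update_allowed(rules, 'archyslife.lan', who, name, rtype) else 'refused'}")
```

Running it shows the asymmetry: an IPA-enrolled host may only touch its own A/AAAA/SSHFP records, while rndc-key may change any record of any type in the zone.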
The IPA host is configured. Next up, the DHCP server. Start by copying the rndc-key to your DHCP server; the key on both hosts needs to be exactly the same:
[archy@ipa01 ~]$ scp /etc/rndc.key archy@inf01.archyslife.lan:/etc/rndc.key
Install the dhcpd package to have a DHCP server:
[archy@inf01 ~]$ sudo yum -y install dhcpd
The next step is to edit the dhcpd.conf file on the DHCP server:
[archy@inf01 ~]$ sudo vim /etc/dhcp/dhcpd.conf
ddns-updates on;
ddns-update-style standard;
authoritative;
include "/etc/rndc.key";
allow unknown-clients;
default-lease-time 7200;
max-lease-time 28800;
log-facility local7;

zone archyslife.lan. {
    primary 172.31.0.1;
    key rndc-key;
}

zone 0.31.172.in-addr.arpa. {
    primary 172.31.0.1;
    key rndc-key;
}

subnet 172.31.0.0 netmask 255.255.255.0 {
    range 172.31.0.100 172.31.0.199;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.31.0.1, 172.31.0.2;
    option ntp-servers 172.31.0.1, 172.31.0.2;
    option domain-name "archyslife.lan";
    option routers 172.31.0.254;
    option broadcast-address 172.31.0.255;
    filename "pxelinux.0";
    next-server 172.31.0.5;
}
Save and quit, then restart the dhcpd service:
[archy@inf01 ~]$ sudo systemctl restart dhcpd.service
Allow the service through the firewall so clients can obtain leases:
[archy@inf01 ~]$ sudo firewall-cmd --zone=home --add-service=dhcp --permanent
[archy@inf01 ~]$ sudo firewall-cmd --reload
The setup is done; dhcpd will now push DDNS updates for its leases into the IPA DNS.
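Most failures of this setup come from the two halves drifting apart: a different key on one host, a key name in dhcpd.conf that does not match the key file, a zone pointing at the wrong primary, or the include line missing on one side. The following is an added example, not code from the post, that checks those pieces against each other from the file contents (passed in as strings so it runs offline; read the real files with open() on each host). The sample contents are constructed to mirror the post, with a placeholder secret and hmac-sha256 instead of the hmac-md5 that rndc-confgen produced above; hmac-md5 is deprecated for TSIG, and rndc-confgen can be told to use -A hmac-sha256 instead, so the check flags it.

```python
"""Consistency check for a dhcpd -> BIND/IPA TSIG DDNS setup (added example, not from the post)."""
import re
from typing import Dict, List, Optional

# Algorithms the check flags; hmac-md5 is deprecated for TSIG.
WEAK_TSIG_ALGORITHMS = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}

KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
ZONE_RE = re.compile(r'zone\s+([\w.-]+)\s*\{([^}]*)\}')
INCLUDE_RE = re.compile(r'include\s+"/etc/rndc\.key"\s*;')

# Constructed samples (placeholder secret, not a real key).
SAMPLE_KEY = '''key "rndc-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";
};
'''
SAMPLE_NAMED_CONF = '''include "/etc/rndc.key";
controls {
    inet 172.31.0.1 port 953 allow { 172.31.0.5; } keys { "rndc-key"; };
};
'''
SAMPLE_DHCPD_CONF = '''ddns-updates on;
ddns-update-style standard;
include "/etc/rndc.key";
zone archyslife.lan. {
    primary 172.31.0.1;
    key rndc-key;
}
zone 0.31.172.in-addr.arpa. {
    primary 172.31.0.1;
    key rndc-key;
}
'''


def parse_key_file(text: str) -> Dict[str, str]:
    """Parse an rndc.key-style block: key "name" { algorithm ...; secret "..."; };"""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no TSIG key block found")
    return {"name": m.group(1), "algorithm": m.group(2).lower(), "secret": m.group(3)}


def parse_dhcpd_zones(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {zone: {"primary": ip, "key": keyname}} for every zone block in dhcpd.conf."""
    zones = {}
    for m in ZONE_RE.finditer(text):
        body = m.group(2)
        primary = re.search(r'primary\s+([\d.]+)\s*;', body)
        key = re.search(r'key\s+"?([\w.-]+)"?\s*;', body)
        zones[m.group(1).rstrip(".")] = {
            "primary": primary.group(1) if primary else None,
            "key": key.group(1) if key else None,
        }
    return zones


def check_ddns_config(ipa_key: str, dhcp_key: str, dhcpd_conf: str,
                      named_conf: str, ipa_addr: str) -> List[str]:
    """Return a list of problems; an empty list means the pieces agree with each other."""
    problems = []
    k_ipa, k_dhcp = parse_key_file(ipa_key), parse_key_file(dhcp_key)
    if k_ipa != k_dhcp:
        problems.append("rndc.key on the DHCP host does not match the one on the IPA host")
    if k_ipa["algorithm"] in WEAK_TSIG_ALGORITHMS:
        problems.append("TSIG key uses deprecated algorithm " + k_ipa["algorithm"])
    if not INCLUDE_RE.search(named_conf):
        problems.append("named.conf does not include /etc/rndc.key")
    if not INCLUDE_RE.search(dhcpd_conf):
        problems.append("dhcpd.conf does not include /etc/rndc.key")
    if not re.search(r'ddns-updates\s+on\s*;', dhcpd_conf):
        problems.append("dhcpd.conf does not enable ddns-updates")
    zones = parse_dhcpd_zones(dhcpd_conf)
    if not zones:
        problems.append("dhcpd.conf declares no zone blocks, so no updates will be sent")
    for zone, z in zones.items():
        if z["key"] != k_ipa["name"]:
            problems.append(f"zone {zone}: key {z['key']!r} does not match key file name {k_ipa['name']!r}")
        if z["primary"] != ipa_addr:
            problems.append(f"zone {zone}: primary {z['primary']} is not the IPA DNS server {ipa_addr}")
    return problems


if __name__ == "__main__":
    for p in check_ddns_config(SAMPLE_KEY, SAMPLE_KEY, SAMPLE_DHCPD_CONF,
                               SAMPLE_NAMED_CONF, "172.31.0.1") or ["configuration is consistent"]:
        print(p)
```

On the real hosts, feed it the contents of /etc/rndc.key from ipa01 and inf01, /etc/dhcp/dhcpd.conf and /etc/named.conf; any line it prints points at the file to fix before looking further.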
Feel free to comment and / or leave suggestions.
Just curious. FreeIPA uses LDAP for DNS, so how did you update the named.conf? I am trying to associate the KEY with my DHCP server but I cannot seem to get past this point. I don't remember how I did it previously and now I can't update my replacement server.
Thanks
Hi there,
Yes, you are right. FreeIPA stores the LDAP DNS entries in LDAP format. You can show the raw entries by adding '--all --raw' to your 'ipa dnsrecord-show'.
Back to the question, you can use vim to edit the named.conf but this is not necessary since the modifications will be done in the dnszone configuration under the 'update-policy'. The only thing to do with the named.conf here is add the control section and the inclusion of the key as I've written.
To allow the key to update/add/delete entries, you'll have to update the BIND policy, which is set using ipa; here's a short example:
ipa dnszone-mod archyslife.lan --dynamic-update=True --update-policy='grant ARCHYSLIFE.LAN krb5-self * A; grant ARCHYSLIFE.LAN krb5-self * AAAA; grant ARCHYSLIFE.LAN krb5-self * SSHFP; grant "rndc-key" zonesub ANY;'