Unfortunately, getting DHCP3 and BIND9 to work together is not quite as easy as it could (or should) be. I found it really difficult to find any decent examples, and the docs weren't much use. DHCP's man page fails to tell you explicitly about certain options; instead you have to guess them from the text. I've put this here in the hope that it might be handy to some of you.
The main two config files are dhcpd.conf and named.conf. Here they are:
# /etc/dhcp/dhcpd.conf
##################################################################

server-identifier zenith.example.com;
authoritative;

# this is the most important line. It specifies the method
# to use to connect to the DNS server and update it.
ddns-update-style interim;

# this has to be the same key as is used in named.conf
key mykey {
    algorithm hmac-md5;
    secret "secret_md5_hash";
};

# this section describes what key to use in what zone
zone example.com. {
    primary 192.168.0.9;
    key mykey;
}

zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.9;
    key mykey;
}

# and this section holds all the options for the subnet listed,
# including the range of addresses to lease out, gateways etc.
subnet 192.168.0.0 netmask 255.255.255.0 {
    # use these addresses:
    range 192.168.0.10 192.168.0.20;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option domain-name "example.com";
    one-lease-per-client on;
    default-lease-time 14400;
    max-lease-time 14401;
    option ip-forwarding off;
    option time-offset -18000;

    # set a few handy default options
    option routers 192.168.0.9;
    option domain-name-servers 192.168.0.9;
    option smtp-server 192.168.0.9;
    option netbios-name-servers 192.168.0.9;
}
##################################################################
// /etc/bind/named.conf
//////////////////////////////////////////////////////////////////

// First off is the key. To modify the running DNS server you need
// this, the same as in the dhcpd.conf file.
key mykey {
    algorithm hmac-md5;
    secret "secret_md5_hash";
};

// Next the access control section, we allow the 192.168.0.0-255
// subnet, and localhost.
acl "home" { 192.168.0.0/24; 127.0.0.1; };

// Some general options, including who to forward queries you can't
// resolve to. (in this case they are claranet's dns servers.)
options {
    directory "/var/bind/";               // Working directory
    pid-file "/var/run/named/named.pid";
    allow-query { "home"; };
    forwarders { 195.8.69.7; 195.8.69.12; };
};

// You need this section to allow the communication between
// daemons. (dhcp and bind)
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; 192.168.0.9; } keys { "mykey"; };
};

// And then you have pretty much standard zones, except for the
// fact that the key specified at the top is allowed to modify the
// domain zone and reverse zone at the bottom.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    notify no;
};

zone "example.com" {
    type master;
    notify no;
    file "/var/bind/example.com";
    allow-update { key mykey; };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/var/bind/example.com.rev";
    allow-update { key mykey; };
};

zone "." {
    type hint;
    file "named.ca";
};
//////////////////////////////////////////////////////////////////
You can generate the keys with dnssec-keygen, and you may well need to use rndc-confgen to generate the config for rndc, the DNS control program. You should make sure you use the same md5 key in that as well.
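The shared secret is the single thing that has to be identical in dhcpd.conf and named.conf, and a mismatch is the most common reason updates are refused. The script below is an added example (not from this page or from the ISC tools): it generates a secret in the same base64 form that dnssec-keygen (or, in newer BIND releases, tsig-keygen) produces, and pulls the configured secret for a named key out of both files so they can be compared. The file paths and the key name are the ones used on this page; the sample config files a caller constructs for it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: generate a TSIG secret and
# verify that dhcpd.conf and named.conf agree on the secret for a key.
# Paths and key name come from the page (/etc/dhcp, /etc/bind, mykey); any
# files you feed in are your own.

# 16 random bytes, base64-encoded: the form both daemons expect inside a
#   secret "...";
# statement. This is what dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mykey
# would put in the generated key file; done inline so it runs offline.
gen_tsig_secret() {
    head -c 16 /dev/urandom | base64
}

# Print the secret configured for key $2 in file $1 (empty if absent).
# Handles both the dhcpd.conf and the named.conf dialect, since both use
#   key NAME { algorithm ...; secret "..."; };
# and named.conf may quote the key name.
extract_secret() {
    awk -v k="$2" '
        # enter the block for the key we were asked about
        $1 == "key" && ($2 == k || $2 == "\"" k "\"") { inkey = 1 }
        # inside it, the token after "secret" is the value
        inkey {
            for (i = 1; i <= NF; i++)
                if ($i == "secret") {
                    s = $(i + 1); gsub(/[";]/, "", s); print s; exit
                }
        }
        # leave the block at its closing brace
        inkey && $1 ~ /^}/ { inkey = 0 }
    ' "$1"
}

# Return 0 when both files define key $3 and agree on its secret, 1 otherwise.
check_key_match() {
    dhcpd_secret=$(extract_secret "$1" "$3")
    named_secret=$(extract_secret "$2" "$3")
    [ -n "$dhcpd_secret" ] && [ "$dhcpd_secret" = "$named_secret" ]
}

# Usage (paths as on this page):
#   check_key_match /etc/dhcp/dhcpd.conf /etc/bind/named.conf mykey \
#       && echo "key mykey matches" || echo "key mykey MISMATCH"
```

Run the check after every edit of either file and after rndc-confgen, which writes its own key into rndc.conf and must also match if you reuse the same key name there. Keep the secret out of world-readable files: both daemons read their config as root, so 0640 is enough.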
Originally, I didn't include my zone files here, mainly due to a lack of understanding. I've now got the DNS and BIND O'Reilly book though, and have discovered that things are actually fairly simple.
Here is my home.hosts file:
;
; SOA: Start of authority record - this NS is the best source of info in this
; zone (See DNS and Bind book, ch 4.)
;
$ORIGIN .
$TTL 86400      ; 1 day
example.com.    IN SOA  example.com. nadir.example.com. (
                        2000111383 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
;
; Name servers: same domain name as origin.
;
                IN NS   nadir.example.com.
;
; Name to address mappings follow. Address to name mappings can be found in
; home.hosts.rev
;
; Put any addresses you want fixed here. Dynamically set addresses will appear
; below.
;
nadir.example.com       IN A    192.168.0.254
Here is home.hosts.rev:
;
; SOA section: like above only maps addresses to names.
;
$ORIGIN .
$TTL 86400      ; 1 day
0.168.192.in-addr.arpa  IN SOA  example.com. nadir.example.com. (
                        2000107274 ; serial
                        28800      ; refresh (8 hours)
                        14400      ; retry (4 hours)
                        3024000    ; expire (5 weeks)
                        86400      ; minimum (1 day)
                        )
;
; Name Servers
;
                IN NS   nadir.example.com.
;
; Fixed addresses, followed by DDNS inserted mappings.
;
254.0.168.192.in-addr.arpa.     PTR     nadir.example.com.
This setup works for me, and allows both forward and reverse lookups.
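Before blaming dhcpd, it is worth proving that the key and the allow-update clauses work on their own. The script below is an added example (it is not from this page, nor from ISC): it builds an nsupdate script that adds, or deletes, the forward A record and the matching reverse PTR for a host, each in its own transaction, so you can see which of the two zones refuses the change. The server address, key name and zone names are the ones used on this page; the host name, address and the secret passed to nsupdate are placeholders to replace with your own. named accepts the update on its normal port 53 under the zone's allow-update clause, exactly as it will for dhcpd, so if this works with the key, dhcpd's updates will too.

```shell
#!/bin/sh
# Added example, not part of the original page: drive the dynamic-update
# path by hand with nsupdate so the TSIG key and allow-update settings can be
# tested without dhcpd. Server and zones come from the page; everything else
# is a placeholder.

DNS_SERVER=192.168.0.9
FWD_ZONE=example.com.
REV_ZONE=0.168.192.in-addr.arpa.

# Turn a dotted IPv4 address into its in-addr.arpa owner name,
# e.g. 192.168.0.10 -> 10.0.168.192.in-addr.arpa.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Emit an nsupdate script for host $1 at address $2. $3 is "add" (default)
# or "delete". Forward and reverse records go in separate transactions
# ("send" ends each one), so a refusal in one zone does not hide the other.
build_update() {
    host=$1; ip=$2; op=${3:-add}
    case $op in add|delete) ;; *) echo "op must be add or delete" >&2; return 1 ;; esac
    fqdn="$host.$FWD_ZONE"
    # nsupdate takes a TTL on add but not on delete
    if [ "$op" = add ]; then ttl=" 3600"; else ttl=""; fi
    cat <<EOF
server $DNS_SERVER
zone $FWD_ZONE
update $op $fqdn$ttl A $ip
send
server $DNS_SERVER
zone $REV_ZONE
update $op $(ptr_name "$ip")$ttl PTR $fqdn
send
EOF
}

# Usage, with the key name from this page and the secret from named.conf:
#   build_update testhost 192.168.0.10 | nsupdate -d -y hmac-md5:mykey:SECRET_FROM_CONFIG
#   dig @192.168.0.9 testhost.example.com A
#   dig @192.168.0.9 -x 192.168.0.10
#   build_update testhost 192.168.0.10 delete | nsupdate -y hmac-md5:mykey:SECRET_FROM_CONFIG
```

nsupdate's -d flag prints the reply for each transaction, so a REFUSED on one zone but NOERROR on the other points straight at that zone's allow-update clause, while a TSIG failure on both points at the key. Once a test record lands, the zone's serial in the journal is incremented; run the delete so the test host does not linger.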
What to do if DNS fails to update:

  - /var/bind. (Thanks Alex!)
  - pump -h hostname. If you use dhclient, then make sure you have a line reading:

        send host-name "hostname";

    in your dhclient.conf.

I'm no expert, and I may well have done something very stupid, or missed something altogether. Please tell me if I have, and I'll tweak this. I used the domain example.com for security reasons, and because everyone else does. Have fun :-)