[Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

[Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

MRob
Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
suggest:

pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
PreRequisites check, returning 6

The query log shows only some normal SELECT statements. If it's not a
known problem can anyone show how to find what the DNS UPDATE command is
being sent to the DNS server to diagnose?

Someone else had problem but couldn't get resolution:
https://github.com/PowerDNS/pdns/issues/5830



Also, can anyone tell me, for reverse DNS updates to work, do I need SOA
record for the reverse domain?
_______________________________________________
Kea-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/kea-users

Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

Kevin Olbrich
On Tue, 5 Feb 2019 at 19:42, MRob <[hidden email]> wrote:

>
> Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
> suggest:
>
> pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
> PreRequisites check, returning 6
>
> The query log shows only some normal SELECT statements. If it's not a
> known problem can anyone show how to find what the DNS UPDATE command is
> being sent to the DNS server to diagnose?
>
> Someone else had problem but couldn't get resolution:
> https://github.com/PowerDNS/pdns/issues/5830
>
>
>
> Also, can anyone tell me, for reverse DNS updates to work, do I need SOA
> record for the reverse domain?

Every zone needs SOA, even reverse zones (which are nearly the same as
forward zones).

> _______________________________________________
> Kea-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/kea-users

Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

MRob

> Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
> suggest:
>
> pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
> PreRequisites check, returning 6
>
> The query log shows only some normal SELECT statements. If it's not a
> known problem can anyone show how to find what the DNS UPDATE command
> is
> being sent to the DNS server to diagnose?
>
> Someone else had problem but couldn't get resolution:
> https://github.com/PowerDNS/pdns/issues/5830

Problem seems to be using TSIG signed DNSUPDATE requests. There used to
be a Kea bug

http://kea.isc.org/ticket/5071#ticket

But the link is dead. Is that bug fixed? Is the problem with Kea or
maybe the older version of powerDNS?


Question - after I removed TSIG the initial forward and reverse
DNSUPDATE commands succeed:
DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID xxx: successfully added the
DNS mapping addition for this request: Type: 0 (CHG_ADD)

But Kea does another CHG_ADD only a minute later and it fails:
DHCP_DDNS_FORWARD_REPLACE_REJECTED DNS Request ID yyy: Server,
10.10.1.254 port:5353, rejected a DNS update request to replace the
address mapping for FQDN, wkst4.lan., with an RCODE: 8
DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID yyy: Transaction outcome
Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: failed,  
Reverse change: failed,  request: Type: 0 (CHG_ADD)

Is this a problem or can it be ignored? Is it due to setting
"override-no-update": true and "override-client-update": true?

Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

Thomas Markwalder
Hello:

We migrated to gitlab, the old Trac ticket can be found here:

    https://oldkea.isc.org/ticket/5071#ticket

We did correct that particular issue in Kea 1.2.  If you are using an
earlier version,  please upgrade.
If you are already using 1.2 or later you may have uncovered something
new, in which case I would
encourage you to open an issue in gitlab:

    https://gitlab.isc.org

You'll need to register (if you haven't already) and then select the Kea
project.
We would need PCAPs of the DDNS messages plus whatever logs from
PowerDNS to start with.

Regards,

Thomas Markwalder
ISC Software Engineering


On 2/6/19 3:44 AM, MRob wrote:

>
>> Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
>> suggest:
>>
>> pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
>> PreRequisites check, returning 6
>>
>> The query log shows only some normal SELECT statements. If it's not a
>> known problem can anyone show how to find what the DNS UPDATE command is
>> being sent to the DNS server to diagnose?
>>
>> Someone else had problem but couldn't get resolution:
>> https://github.com/PowerDNS/pdns/issues/5830
>
> Problem seems to be using TSIG signed DNSUPDATE requests. There used
> to be a Kea bug
>
> http://kea.isc.org/ticket/5071#ticket
>
> But the link is dead. Is that bug fixed? Is the problem with Kea or
> maybe the older version of powerDNS?
>
>
> Question - after I removed TSIG the initial forward and reverse
> DNSUPDATE commands succeed:
> DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID xxx: successfully added
> the DNS mapping addition for this request: Type: 0 (CHG_ADD)
>
> But Kea does another CHG_ADD only a minute later and it fails:
> DHCP_DDNS_FORWARD_REPLACE_REJECTED DNS Request ID yyy: Server,
> 10.10.1.254 port:5353, rejected a DNS update request to replace the
> address mapping for FQDN, wkst4.lan., with an RCODE: 8
> DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID yyy: Transaction outcome
> Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: failed, 
> Reverse change: failed,  request: Type: 0 (CHG_ADD)
>
> Is this a problem or can it be ignored? Is it due to setting
> "override-no-update": true and "override-client-update": true?
> _______________________________________________
> Kea-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/kea-users



Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

Jason Guy
I am currently using Kea DDNS with TSIG to a powerdns 4.2 authoritative server. If the TSIG string in the Kea-D2 config, matches the PDNS activated TSIG key for the various domain-id's.

The other gotcha here is the Kea D2 uses the RFC4703 conflict resolution strategy (by adding the DHCID records). In a lab environment, things that can happen where you want to 'move things around' or some other unnatural event, where the DDNS starts failing for an address because the previous ownership exists in the PDNS database with the DHCID records. It would be nice if there was a knob in kea-dhcp-ddns configuration to turn off the creation of DHCID records.

HTH,
Jason



On Wed, Feb 6, 2019 at 6:47 AM Thomas Markwalder <[hidden email]> wrote:
Hello:

We migrated to gitlab, the old Trac ticket can be found here:

    https://oldkea.isc.org/ticket/5071#ticket

We did correct that particular issue in Kea 1.2.  If you are using an
earlier version,  please upgrade.
If you are already using 1.2 or later you may have uncovered something
new, in which case I would
encourage you to open an issue in gitlab:

    https://gitlab.isc.org

You'll need to register (if you haven't already) and then select the Kea
project.
We would need PCAPs of the DDNS messages plus whatever logs from
PowerDNS to start with.

Regards,

Thomas Markwalder
ISC Software Engineering


On 2/6/19 3:44 AM, MRob wrote:
>
>> Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
>> suggest:
>>
>> pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
>> PreRequisites check, returning 6
>>
>> The query log shows only some normal SELECT statements. If it's not a
>> known problem can anyone show how to find what the DNS UPDATE command is
>> being sent to the DNS server to diagnose?
>>
>> Someone else had problem but couldn't get resolution:
>> https://github.com/PowerDNS/pdns/issues/5830
>
> Problem seems to be using TSIG signed DNSUPDATE requests. There used
> to be a Kea bug
>
> http://kea.isc.org/ticket/5071#ticket
>
> But the link is dead. Is that bug fixed? Is the problem with Kea or
> maybe the older version of powerDNS?
>
>
> Question - after I removed TSIG the initial forward and reverse
> DNSUPDATE commands succeed:
> DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID xxx: successfully added
> the DNS mapping addition for this request: Type: 0 (CHG_ADD)
>
> But Kea does another CHG_ADD only a minute later and it fails:
> DHCP_DDNS_FORWARD_REPLACE_REJECTED DNS Request ID yyy: Server,
> 10.10.1.254 port:5353, rejected a DNS update request to replace the
> address mapping for FQDN, wkst4.lan., with an RCODE: 8
> DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID yyy: Transaction outcome
> Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: failed, 
> Reverse change: failed,  request: Type: 0 (CHG_ADD)
>
> Is this a problem or can it be ignored? Is it due to setting
> "override-no-update": true and "override-client-update": true?
> _______________________________________________
> Kea-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/kea-users
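
Added example (not part of the thread, and not Kea or PowerDNS code): a toy simulation of the RFC 4703 forward-add sequence mentioned above, showing how the RCODE 6 and RCODE 8 values in the quoted logs arise from the DHCID prerequisite. The in-memory zone, DHCID strings and addresses are constructed for illustration.

```python
# RFC 2136 response codes that appear in the thread's logs.
NOERROR, YXDOMAIN, NXRRSET = 0, 6, 8

class ToyZone:
    """Constructed in-memory zone {fqdn: {rrtype: value}}; not a real DNS server."""
    def __init__(self):
        self.names = {}

    def update(self, fqdn, prereq, rrs):
        """Apply one UPDATE: check the prerequisite, then replace the RRsets."""
        existing = self.names.get(fqdn)
        if prereq == "name-not-in-use" and existing:
            return YXDOMAIN            # RCODE 6: name exists but should not
        if isinstance(prereq, tuple):  # ("dhcid-equals", value)
            if not existing or existing.get("DHCID") != prereq[1]:
                return NXRRSET         # RCODE 8: DHCID RRset absent or different
        self.names[fqdn] = dict(rrs)
        return NOERROR

def forward_add(zone, fqdn, addr, dhcid):
    """Forward add per RFC 4703 section 5.3; returns the RCODEs in order."""
    rrs = {"A": addr, "DHCID": dhcid}
    rcodes = [zone.update(fqdn, "name-not-in-use", rrs)]
    if rcodes[0] == YXDOMAIN:
        # Name is taken: retry as a replace, allowed only for the same DHCID.
        rcodes.append(zone.update(fqdn, ("dhcid-equals", dhcid), rrs))
    return rcodes

def demo():
    """Run four constructed cases against one toy zone."""
    zone = ToyZone()
    results = {}
    results["first lease"] = forward_add(zone, "wkst4.lan.", "10.10.1.50", "dhcid-A")
    results["same client renews"] = forward_add(zone, "wkst4.lan.", "10.10.1.51", "dhcid-A")
    results["different client"] = forward_add(zone, "wkst4.lan.", "10.10.1.60", "dhcid-B")
    # A name that still has an A record but no DHCID record (constructed).
    zone.names["old.lan."] = {"A": "10.10.1.70"}
    results["A without DHCID"] = forward_add(zone, "old.lan.", "10.10.1.71", "dhcid-C")
    return results

if __name__ == "__main__":
    for case, rcodes in demo().items():
        print(f"{case:20} -> RCODEs {rcodes}")
```

An RCODE 6 on the first attempt is the normal trigger for the replace step; the update only fails when the replace step then returns RCODE 8.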



Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

Tomek Mrugalski
On 06.02.2019 18:03, Jason Guy wrote:
> records. It would be nice if there was a knob in kea-dhcp-ddns
> configuration to turn off the creation of DHCID records.
Can you submit a request for this?
https://gitlab.isc.org/isc-projects/kea/issues

I can't make any promises yet, but it is likely that Kea 1.7 will cover
various DDNS tweaks and features.

Thanks,
Tomek

Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

Jason Guy
Hey Tomek,


If I delete the DHCID records, it should allow Kea D2 updates to continue working, right? Meaning there is no state maintained internally to Kea, the DDNS update relies on the DNS server to allow or reject the update based on the DDNS update process for PowerDNS (or whatever DNS server being used).

Thanks,
Jason

On Wed, Feb 6, 2019 at 12:19 PM Tomek Mrugalski <[hidden email]> wrote:
On 06.02.2019 18:03, Jason Guy wrote:
> records. It would be nice if there was a knob in kea-dhcp-ddns
> configuration to turn off the creation of DHCID records.
Can you submit a request for this?
https://gitlab.isc.org/isc-projects/kea/issues

I can't make any promises yet, but it is likely that Kea 1.7 will cover
various DDNS tweaks and features.

Thanks,
Tomek

Re: [Kea-users] ddns fails with powerDNS (Failed PreRequisites check)

MRob
Thank you Thomas. I'd like to confirm that it is not a new regression in
Kea. The problem was solved by upgrading PowerDNS to a new version; TSIG
DNSUPDATE is now working.


On 2019-02-06 11:47, Thomas Markwalder wrote:

> Hello:
>
> We migrated to gitlab, the old Trac ticket can be found here:
>
>     https://oldkea.isc.org/ticket/5071#ticket
>
> We did correct that particular issue in Kea 1.2.  If you are using an
> earlier version,  please upgrade.
> If you are already using 1.2 or later you may have uncovered something
> new, in which case I would
> encourage you to open an issue in gitlab:
>
>     https://gitlab.isc.org
>
> You'll need to register (if you haven't already) and then select the
> Kea
> project.
> We would need PCAPs of the DDNS messages plus whatever logs from
> PowerDNS to start with.
>
> Regards,
>
> Thomas Markwalder
> ISC Software Engineering
>
>
> On 2/6/19 3:44 AM, MRob wrote:
>>
>>> Has anyone found how to make kea-ddns work with PowerDNS? pdns logs
>>> suggest:
>>>
>>> pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed
>>> PreRequisites check, returning 6
>>>
>>> The query log shows only some normal SELECT statements. If it's not a
>>> known problem can anyone show how to find what the DNS UPDATE command
>>> is
>>> being sent to the DNS server to diagnose?
>>>
>>> Someone else had problem but couldn't get resolution:
>>> https://github.com/PowerDNS/pdns/issues/5830
>>
>> Problem seems to be using TSIG signed DNSUPDATE requests. There used
>> to be a Kea bug
>>
>> http://kea.isc.org/ticket/5071#ticket
>>
>> But the link is dead. Is that bug fixed? Is the problem with Kea or
>> maybe the older version of powerDNS?
>>
>>
>> Question - after I removed TSIG the initial forward and reverse
>> DNSUPDATE commands succeed:
>> DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID xxx: successfully added
>> the DNS mapping addition for this request: Type: 0 (CHG_ADD)
>>
>> But Kea does another CHG_ADD only a minute later and it fails:
>> DHCP_DDNS_FORWARD_REPLACE_REJECTED DNS Request ID yyy: Server,
>> 10.10.1.254 port:5353, rejected a DNS update request to replace the
>> address mapping for FQDN, wkst4.lan., with an RCODE: 8
>> DHCP_DDNS_ADD_FAILED DHCP_DDNS Request ID yyy: Transaction outcome
>> Status: Failed, Event: UPDATE_FAILED_EVT,  Forward change: failed, 
>> Reverse change: failed,  request: Type: 0 (CHG_ADD)
>>
>> Is this a problem or can it be ignored? Is it due to setting
>> "override-no-update": true and "override-client-update": true?