# DDNS trouble, permission denied adding forward map

## pettsson

Hi all,

I cannot get DDNS working on my network. My setup consists of two servers, 192.168.0.1/Srv1 and 192.168.0.2/Srv2. Srv1 is a router/external services (such as Apache/MTA) server, and Srv2 handles internal services (Login, DHCP, DNS). 

Srv2 has Dhcpd and Bind installed, with the configs listed at the bottom of the post. When I connect a client and start a DHCP client, I get an IP, but nothing is written to the zone files. /var/log/messages contains this:

```
Apr 28 23:18:00 srv2 dhcpd: Unable to add forward map from client.mydomain.com to 192.168.0.100: connection refused
Apr 28 23:18:00 srv2 dhcpd: DHCPREQUEST for 192.168.0.100 from 00:50:8b:8b:78:70 via eth0
Apr 28 23:18:00 srv2 dhcpd: DHCPACK on 192.168.0.100 to 00:50:8b:8b:78:70 via eth0
```

I've tried following a multitude of guides on DDNS, but none have helped. The named user has full access to the zone files. Any other info you need to troubleshoot this?

What could be wrong?

Best regards

```
# /etc/dhcp/dhcpd.conf
server-identifier 192.168.0.2;
option domain-name-servers 192.168.0.2;
authoritative;
ddns-updates on;
ddns-update-style interim;
update-static-leases on;

key dhcpupdate {
        algorithm hmac-md5;
        secret mysecret;
}

zone 0.168.192.in-addr.arpa {
        primary 192.168.0.2;
        key dhcpupdate;
}

zone mydomain.com {
        primary 192.168.0.2;
        key dhcpupdate;
}

default-lease-time 86400;
max-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
        ddns-domainname "mydomain.com";
        ddns-rev-domainname "in-addr.arpa";
        option routers 192.168.0.1;
        range 192.168.0.10 192.168.0.100;
        # Many group statements
}
```

```
# /etc/bind/named.conf
key dhcpupdate {
        algorithm hmac-md5;
        secret "mysecret";
};

acl "myacl" {
        192.168.0.0/24;
        127.0.0.1;
};

options {
        directory "/var/bind/";
        pid-file "/var/run/named/named.pid";
        forwarders {
                192.168.0.1;
        };
        listen-on {
                127.0.0.1;
                192.168.0.1;
        };
        allow-query { "myacl"; };
};

zone "." {
        type hint;
        file "named.ca";
};

zone "mydomain.com" IN {
        type master;
        file "pri/mydomain.com";
        allow-update { key "dhcpupdate"; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "pri/192.168.0.rev";
        allow-update { key "dhcpupdate"; };
};

zone "localhost" IN {
        type master;
        file "pri/localhost";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "pri/localhost.rev";
        allow-update { none; };
};
```

----------

## Spooky Ghost

I have this working ok on my system but I do have a few extra lines and I don't know if these make a difference:

dhcpd.conf:

```
ddns-hostname = pick (option fqdn.hostname, option host-name);
ddns-domainname "mydomain.com";
ddns-ttl 3600;
ignore client-updates;
```

You probably want the TTL to match your lease time. My zone definition in named.conf:

```
zone "mydomain.com" {
        type master;
        file "pri/mydomain.com.zone";
        update-policy {
                deny * name nameserver.mydomain.com. ANY;        # This record is protected from updates
                grant dhcpupdate wildcard *.mydomain.com. ANY;   # Any other records are ok to update
        };
};
```

----------

## pettsson

Thanks! 

After a bit of troubleshooting I found the problem was that the rndc key wasn't set up properly. However...

I've redone and cleaned up my configs a bit, and poked around some. There is even some progress... That is, there is a new error message.

When I connect a client, I now get this:

```
May 14 10:59:42 srv2 dhcpd: Unable to add forward map from client.mydomain.com. to 192.168.0.11: bad DNS key
May 14 10:59:42 srv2 dhcpd: DHCPREQUEST for 192.168.0.11 from 00:50:8b:8b:78:70 via eth0
May 14 10:59:42 srv2 dhcpd: DHCPACK on 192.168.0.11 to 00:50:8b:8b:78:70 via eth0
```

I don't get it... I've even regenerated new keys just to make certain they are really correct, and checked and double-checked the configs. wth?

dhcpd.conf:

```
server-identifier 192.168.0.2;
option domain-name-servers 192.168.0.2;
ddns-hostname=pick(option fqdn.hostname, option host-name);
ddns-domainname "mydomain.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-ttl 3600;
ddns-updates on;
ddns-update-style interim;
#allow client-updates;
authoritative;
update-static-leases on;

key srv2.mydomain.com. {
        algorithm hmac-md5;
        secret "MyTopSecretSecret";
}

key rndc-key {
        algorithm hmac-md5;
        secret "OMG-Secret";
}

zone 0.168.192.in-addr.arpa. {
        primary 192.168.0.1;
        key srv2.mydomain.com.;
}

zone mydomain.com. {
        primary 192.168.0.1;
        key srv2.mydomain.com.;
}

default-lease-time 86400;
max-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
        option domain-name "kluster.dask";
        option routers 192.168.0.1;
        range 192.168.0.10 192.168.0.100;
# Hosts/Groups
}
```

named.conf:

```
key srv2.mydomain.com. {
        algorithm hmac-md5;
        secret "MyTopSecretSecret";
};

key rndc-key {
        algorithm hmac-md5;
        secret "OMG-Secret";
};

acl "mydomain" {
        192.168.0.0/24;
        127.0.0.1;
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; 192.168.0.2; } keys { "rndc-key"; };
};

options {
        directory "/var/bind/";
        pid-file "/var/run/named/named.pid";
        forwarders {
                192.168.0.1;
        };
        listen-on {
                127.0.0.1;
                192.168.0.2;
        };
        allow-query { "mydomain"; };
};

zone "." {
        type hint;
        file "named.ca";
};

zone "mydomain.com" IN {
        type master;
        file "pri/mydomain.com";
#       allow-update { key "srv2.mydomain.com."; };
        update-policy { grant srv2.mydomain.com. subdomain mydomain.com. ANY; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "pri/192.168.0.rev";
#       allow-update { key "srv2.mydomain.com."; };
        update-policy { grant srv2.mydomain.com. subdomain 0.168.192.in-addr.arpa ANY; };
};

zone "localhost" IN {
        type master;
        file "pri/localhost";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "pri/localhost.rev";
        allow-update { none; };
};
```
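As an added consistency check (example code, not from the thread and not part of ISC dhcpd or BIND), the script below reads a dhcpd.conf and a named.conf and reports the things the two daemons must agree on before a TSIG-signed update can be accepted: the key's name, algorithm and secret must be identical on both sides, the secret must be base64 as both config formats require, dhcpd's `primary` address must be one named actually listens on, and the key must be granted update rights for the zone. The function names (`check_ddns`, `parse_keys`), the regex-based parsing of only the `key`, `zone`, `listen-on`, `allow-update` and `grant` statements, and the two sample config strings (constructed from a trimmed copy of the configs in the post above) are all assumptions of this example.

```python
import base64, binascii, re
def _blocks(conf, kind):
    """(name, body) of every `kind NAME { ... }` block; '#' and '//' comments are dropped first."""
    conf = re.sub(r'(?<!\S)(#|//).*', '', conf)        # '/' inside a base64 secret is not a comment
    return re.findall(r'\b%s\s+"?([\w.\-]+)"?\s*\{([^{}]*)\}' % kind, conf)

def _stmt(body, word):
    m = re.search(r'\b%s\s+"?([^";\s]+)"?\s*;' % word, body)  # `word VALUE;`, quotes optional
    return m and m.group(1)

def parse_keys(conf):
    """Map TSIG key name -> (algorithm, secret); the key syntax is the same in dhcpd.conf and named.conf."""
    return {n: (_stmt(b, "algorithm"), _stmt(b, "secret")) for n, b in _blocks(conf, "key")}

def check_ddns(dhcpd_conf, named_conf):
    """List what would stop named from accepting dhcpd's signed updates; [] means the configs agree."""
    problems, nkeys = [], parse_keys(named_conf)
    for name, (algo, secret) in parse_keys(dhcpd_conf).items():
        if nkeys.get(name) != (algo, secret):
            problems.append(f"key {name}: missing or different in named.conf")
        try:                                        # both daemons expect the secret base64-encoded
            base64.b64decode(secret or "", validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"key {name}: secret {secret!r} is not valid base64")
    named = re.sub(r'(?<!\S)(#|//).*', '', named_conf)
    listen = re.search(r'listen-on\s*(?:port\s+\d+\s*)?\{([^}]*)\}', named)
    addrs = set(re.findall(r'\d+(?:\.\d+){3}', listen.group(1))) if listen else None  # None: all interfaces
    granted = set(re.findall(r'allow-update\s*\{\s*key\s+"?([\w.\-]+)"?', named) + re.findall(r'\bgrant\s+"?([\w.\-]+)"?', named))
    for zone, body in _blocks(dhcpd_conf, "zone"):
        primary, key = _stmt(body, "primary"), _stmt(body, "key")
        if addrs is not None and primary not in addrs:  # nothing listens there: the update never arrives
            problems.append(f"zone {zone}: primary {primary} not in named's listen-on {sorted(addrs)}")
        if key not in granted:                          # named would refuse the update
            problems.append(f"zone {zone}: key {key} has no update rights in named.conf")
    return problems

# Constructed sample mirroring the second attempt in the thread, trimmed to the relevant statements.
DHCPD_CONF = """
key srv2.mydomain.com. { algorithm hmac-md5; secret "MyTopSecretSecret"; }
zone 0.168.192.in-addr.arpa. { primary 192.168.0.1; key srv2.mydomain.com.; }
zone mydomain.com. { primary 192.168.0.1; key srv2.mydomain.com.; }
"""
NAMED_CONF = """
key srv2.mydomain.com. { algorithm hmac-md5; secret "MyTopSecretSecret"; };
options { listen-on { 127.0.0.1; 192.168.0.2; }; };
zone "mydomain.com" IN { update-policy { grant srv2.mydomain.com. subdomain mydomain.com. ANY; }; };
zone "0.168.192.in-addr.arpa" IN { update-policy { grant srv2.mydomain.com. subdomain 0.168.192.in-addr.arpa ANY; }; };
"""

if __name__ == "__main__": print(*check_ddns(DHCPD_CONF, NAMED_CONF), sep="\n")
```

On the sample above it reports the secret that is not base64 and, for both zones, a `primary` address (192.168.0.1) that named's `listen-on` does not include; with those two things changed it reports nothing.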

----------

