This article will detail the installation and configuration of Internet Systems Consortium DHCP Server 4.4.x
- The DHCP servers will provide dynamic IPv4 and IPv6 address assignments for network clients
- The DHCP servers will do DDNS updates of forward and reverse lookup zones with a BIND DNS name server.
- New to DHCP Server 4.4, Dual-Stack Mixed Mode (DSMM) will be enabled for DDNS update conflict detection.
DDNS When Running IPv4 and IPv6 Daemons Concurrently
ISC DHCP (as of 4.4.0) supports a new mode of DDNS conflict resolution referred to as Dual Stack Mixed Mode (DSMM).
This includes the introduction of three new configuration parameters to control DSMM behavior:
The ddns-dual-stack-mixed-mode parameter controls whether or not the server applies Dual Stack Mixed Mode rules during DDNS conflict resolution. This parameter is off by default, has no effect unless update-conflict-detection is enabled, and may only be specified at the global scope.
The ddns-other-guard-is-dynamic parameter controls whether or not a a server running DSMM will consider the presence of the other update style DHCID RR as an indication that a DNS entry may be overwritten. It should only be enabled after careful study as it allows DNS entries that would otherwise be protected as static, to be overwritten in certain cases. This parameter is off by default, has no effect unless ddns-dual-stack-mixed-mode is enabled, and may only be specified at the global scope.
The ddns-guard-id-must-match parameter controls whether or not a the client id within a DHCID RR must match that of the DNS update's client to permit DNS entries associated with that DHCID RR to be ovewritten. Proper conflict resolution requires ID matching and should only be disabled after careful consideration. When disabled, it is allows any DNS updater to replace DNS entries that have an associated DHCID RR, regardless of client identity. This parameter is on by default, has no effect unless update-conflict-detection is enabled, and may only be specified at the global scope.
In the provided examples DSMM is enabled by including the following two parameters:
ddns-dual-stack-mixed-mode true;
update-conflict-detection true;
For more detailed information on DSMM and these new parameters, refer to Using Dual-Stack Mixed Mode (DSMM) with DDNS in ISC DHCP 4.4, in ISC’s Knowledge Base.
To configure DDNS with DSMM when running IPv4 and IPv6 DHCP daemons concurrently, it is necessary to use different update styles.
In the examples provided the daemons are configured as follows:
- The IPv4 daemon will use the 'interim' TXT RR update style
- The IPv6 daemon will use the 'standard' DHCID RR update style
Install ISC DHCP 4.4 Server - net/isc-dhcp44-server
pkg install isc-dhcp44-server
ormake -C /usr/ports/net/isc-dhcp44-server/ install clean
To enable the daemons, add the following to /etc/rc.conf
substituting interface em0 with your LAN interface:
dhcpd_enable="YES"
dhcpd_ifaces="em0"
dhcpd6_enable="YES"
dhcpd6_ifaces="em0"
Configure the IPv4 DHCP Daemon
Edit /usr/local/etc/dhcpd.conf
authoritative;
### IPv4 Subnet
subnet 192.168.0.0 netmask 255.255.0.0 {
range 192.168.0.100 192.168.0.199;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1, 192.168.0.2;
option domain-search "example.org";
default-lease-time 86400;
max-lease-time 86400;
}
### DDNS Configuration
ddns-update-style interim;
ddns-dual-stack-mixed-mode true;
update-conflict-detection true;
update-optimization false;
deny client-updates;
ddns-domainname "example.org.";
ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));
include "/usr/local/etc/namedb/ddns-key";
zone example.org. {
primary 192.168.0.1;
key ddns-key;
}
zone 168.192.in-addr.arpa. {
primary 192.168.0.1;
key ddns-key;
}
Configure the IPv6 DHCP Daemon
Edit /usr/local/etc/dhcpd6.conf
authoritative;
### IPv6 Subnet
subnet6 2001:db8:1a2b:3c4d::/64 {
range6 2001:db8:1a2b:3c4d::100 2001:db8:1a2b:3c4d::1ff;
option dhcp6.name-servers 2001:db8:1a2b:3c4d::1, 2001:db8:1a2b:3c4d::2;
option dhcp6.domain-search "example.org";
default-lease-time 86400;
max-lease-time 86400;
}
### DDNS Configuration
ddns-update-style standard;
ddns-dual-stack-mixed-mode true;
update-conflict-detection true;
update-optimization false;
deny client-updates;
ddns-domainname "example.org.";
ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));
include "/usr/local/etc/namedb/ddns-key";
zone example.org. {
primary6 2001:db8:1a2b:3c4d::1;
key ddns-key;
}
zone d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa. {
primary6 2001:db8:1a2b:3c4d::1;
key ddns-key;
}
Create a TSIG key for DDNS Updates
A TSIG key is used for DDNS updates. execute the following command on the BIND master name server to create the TSIG key file as configured in the examples above:
tsig-keygen ddns-key > /usr/local/etc/namedb/ddns-key
Copy this key to the DHCP server if different from the BIND name server, adjusting the path in the provided examples to reflect your configuration.
Configure BIND to allow DDNS updates
Note: The following configuration items are to allow the DHCP server to do DDNS updates of the appropriate zones on your BIND name server.
This article does not cover the creation of those zones, and assumes they are already configured.
Add the following to /usr/local/etc/namedb/named.conf
include "/usr/local/etc/namedb/ddns-key";
and within each forward and reverse lookup zone clause that will be dynamically updated add:
allow-update { key ddns-key; };
Restart BIND to apply the changes
service named restart
Start the DHCP daemons and monitor logs ensuring IP addresses are being assigned and DDNS updates with BIND are succeeding.
service isc-dhcpd start
service isc-dhcpd6 start