IPv4 & IPv6 ISC DHCP Server on a Dual-Stack Network

This article will detail the installation and configuration of Internet Systems Consortium DHCP Server 4.4.x

  • The DHCP servers will provide dynamic IPv4 and IPv6 address assignments for network clients
  • The DHCP servers will do DDNS updates of forward and reverse lookup zones with a BIND DNS name server.
  • New to DHCP Server 4.4, Dual-Stack Mixed Mode (DSMM) will be enabled for DDNS update conflict detection.

 

DDNS When Running IPv4 and IPv6 Daemons Concurrently

ISC DHCP (as of 4.4.0) supports a new mode of DDNS conflict resolution referred to as Dual Stack Mixed Mode (DSMM).

This includes the introduction of three new configuration parameters to control DSMM behavior:

The ddns-dual-stack-mixed-mode parameter controls whether or not the server applies Dual Stack Mixed Mode rules during DDNS conflict resolution. This parameter is off by default, has no effect unless update-conflict-detection is enabled, and may only be specified at the global scope.

The ddns-other-guard-is-dynamic parameter controls whether or not a a server running DSMM will consider the presence of the other update style DHCID RR as an indication that a DNS entry may be overwritten. It should only be enabled after careful study as it allows DNS entries that would otherwise be protected as static, to be overwritten in certain cases. This parameter is off by default, has no effect unless ddns-dual-stack-mixed-mode is enabled, and may only be specified at the global scope.

The ddns-guard-id-must-match parameter controls whether or not a the client id within a DHCID RR must match that of the DNS update's client to permit DNS entries associated with that DHCID RR to be ovewritten. Proper conflict resolution requires ID matching and should only be disabled after careful consideration. When disabled, it is allows any DNS updater to replace DNS entries that have an associated DHCID RR, regardless of client identity. This parameter is on by default, has no effect unless update-conflict-detection is enabled, and may only be specified at the global scope.

In the provided examples DSMM is enabled by including the following two parameters:

ddns-dual-stack-mixed-mode true;
update-conflict-detection true;

For more detailed information on DSMM and these new parameters, refer to Using Dual-Stack Mixed Mode (DSMM) with DDNS in ISC DHCP 4.4, in ISC’s Knowledge Base.

 

To configure DDNS with DSMM when running IPv4 and IPv6 DHCP daemons concurrently, it is necessary to use different update styles.
In the examples provided the daemons are configured as follows:

  • The IPv4 daemon will use the 'interim' TXT RR update style
  • The IPv6 daemon will use the 'standard' DHCID RR update style

 

Install ISC DHCP 4.4 Server - net/isc-dhcp44-server

cd /usr/ports/net/isc-dhcp44-server/
make install clean

To enable the daemons, add the following to /etc/rc.conf substituting em1 with your LAN interface:

dhcpd_enable="YES"
dhcpd_ifaces="em1"

dhcpd6_enable="YES"
dhcpd6_ifaces="em1"

 

Configure the IPv4 DHCP Daemon

Edit /usr/local/etc/dhcpd.conf

authoritative;
default-lease-time 86400;
max-lease-time 86400;

### DDNS Configuration
ddns-update-style interim;
ddns-dual-stack-mixed-mode true;
update-conflict-detection true;
update-optimization false;
deny client-updates;
ddns-domainname "example.org.";
ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));

include "/usr/local/etc/namedb/ddns-key";

zone example.org. {
 primary 192.168.0.1;
 key ddns-key;
}

zone 168.192.in-addr.arpa. {
 primary 192.168.0.1;
 key ddns-key;
}
### End of DDNS Configuration

### IPv4 Subnet
subnet 192.168.0.0 netmask 255.255.0.0 {
 range 192.168.0.100 192.168.0.199;
 option routers 192.168.0.1;
 option domain-name-servers 192.168.0.1, 192.168.0.2;
 option domain-search "example.org";
}

 

Configure the IPv6 DHCP Daemon

Edit /usr/local/etc/dhcpd6.conf

authoritative;
option dhcp6.preference 255;
default-lease-time 86400;
preferred-lifetime 86400;

### DDNS Configuration
ddns-update-style standard;
ddns-dual-stack-mixed-mode true;
update-conflict-detection true;
update-optimization false;
deny client-updates;
ddns-domainname "example.org.";
ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));

include "/usr/local/etc/namedb/ddns-key";

zone example.org. {
 primary6 2001:db8:1a2b:3c4d::1;
 key ddns-key;
}

zone d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa. {
 primary6 2001:db8:1a2b:3c4d::1;
 key ddns-key;
}
### End of DDNS Configuration

### IPv6 Subnet
subnet6 2001:db8:1a2b:3c4d::/64 {
 range6 2001:db8:1a2b:3c4d::100 2001:db8:1a2b:3c4d::1ff;
 option dhcp6.name-servers 2001:db8:1a2b:3c4d::1, 2001:db8:1a2b:3c4d::2;
 option dhcp6.domain-search "example.org";
}

 

Create a TSIG key for DDNS Updates

A TSIG key is used for DDNS updates. execute the following command on the BIND master name server to create the TSIG key file as configured in the examples above:

tsig-keygen ddns-key > /usr/local/etc/namedb/ddns-key

Copy this key to the DHCP server if different from the BIND name server, adjusting the path in the provided examples to reflect your configuration.

 

Configure BIND to allow DDNS updates

Note: The following configuration items are to allow the DHCP server to do DDNS updates of the appropriate zones on your BIND name server.
This article does not cover the creation of those zones, and assumes they are already configured.

Add the following to /usr/local/etc/namedb/named.conf

include "/usr/local/etc/namedb/ddns-key";

and within each forward and reverse lookup zone clause that will be dynamically updated add:

allow-update { key ddns-key; };

Restart BIND to apply the changes

service named restart

 

Start the DHCP daemons and monitor logs ensuring IP addresses are being assigned and DDNS updates with BIND are succeeding.

service isc-dhcpd start

service isc-dhcpd6 start