This is an addition to the bind-apparmor post: it makes dhcpd update bind automatically whenever a DHCP lease has been given out.
First check the apparmor profile for named (bind runs chrooted under /var/lib/named here, which is why every path in the profile starts there). Mine looks like this:
# Last Modified: Mon Oct 6 20:46:31 2008
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/sbin/named mr,
  /var/lib/named/dev/random r,
  /var/lib/named/etc/127.0.0 r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/bind/named.conf.local r,
  /var/lib/named/etc/bind/rndc.key r,
  /var/lib/named/etc/localhost r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/named.run a,
  /var/lib/named/etc/root.hints r,
  # zone files plus the .jnl journals that dynamic updates write next to them
  /var/lib/named/etc/sites/domingo.dk/** rw,
  /var/lib/named/etc/named.run rw,
  /var/lib/named/var/run/named.pid w,
}
It can be a real pain: every time you change your bind configuration (adding zone files and such), apparmor will deny read/write access to the new paths and prevent bind from working. Fortunately apparmor logs what it has denied, so you can add the matching rule to the profile and reload it with apparmor_parser -r.
Next, generate a shared secret (a TSIG key) that dhcpd will use to sign its updates and bind will use to check them. HMAC-MD5 is what this 2008 setup used; current BIND also accepts HMAC-SHA256, which is the better choice today:
sudo dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
Grab the key from the file:
sudo cat Kdhcp_updater.*.private|grep Key
The output will be something like this:
Key: 9B7OkWhzwA+QZMenKqChVw==
Now edit /etc/bind/named.conf.local, insert the key and allow updates signed with it. Note that allow-update with a key lets whoever holds that secret change any record in the zone, and that both named.conf.local and dhcpd.conf are usually world-readable, so either tighten their permissions or keep the key statement in a separate root-readable file that you include, the way rndc.key is kept separate:
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

zone "domingo.dk" IN {
    type master;
    file "sites/domingo.dk/forward.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };  # This gives dhcp the update capabilities on the zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};

zone "1.16.172.in-addr.arpa" {
    type master;
    file "sites/domingo.dk/reverse.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };  # This gives dhcp the update capabilities on the reverse zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify { };
};
Next edit the dhcp server config file (ddns-update-style interim is the 2008 setting; ISC dhcpd 4.3 and later call this mode standard):
sudo nano /etc/dhcp3/dhcpd.conf
ddns-update-style interim;
ignore client-updates;               # Overwrite client configured FQDNs
ddns-domainname "domingo.dk.";
ddns-rev-domainname "in-addr.arpa.";
one-lease-per-client false;
allow bootp;
option T150 code 150 = string;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

zone domingo.dk. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

zone 1.16.172.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

subnet 172.16.1.0 netmask 255.255.255.0 {
    interface eth0;
    range 172.16.1.100 172.16.1.200;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "domingo.dk";
    option subnet-mask 255.255.255.0;
    option routers 172.16.1.1;
    option domain-name-servers 172.16.1.1, 193.162.153.164, 194.239.134.83;
    option time-offset -3600;
    option ntp-servers dk.pool.ntp.org;
}
Now bounce the bind and dhcp services:
sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart
Now whenever a new lease is dealt out the DNS records should be updated accordingly.
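Under the hood, every lease makes dhcpd send an RFC 2136 UPDATE message carrying an RFC 2845 TSIG record computed with that shared secret, and named recomputes the HMAC before it honours allow-update. The following is an added example, not code from the original post or from ISC: a pure-stdlib Python model of that exchange for the zone and key name configured above, using the sample secret printed above (which is public here and must never be reused). The host name and leased address in the update are constructed for the example. It also shows the three ways the check fails: a wrong key, a message altered in flight, and a stale message outside the fudge window.

```python
import base64
import hashlib
import hmac
import struct

# Names and the sample secret come from the post; the secret is public there, never reuse it.
ALG = "HMAC-MD5.SIG-ALG.REG.INT."
KEY_NAME = "DHCP_UPDATER."
SECRET = base64.b64decode("9B7OkWhzwA+QZMenKqChVw==")
TSIG, ANY, IN, SOA, A = 250, 255, 1, 6, 1


def encode_name(name):
    """Domain name to uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name at off; return (name, offset just past it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, msgid, updates):
    """RFC 2136 UPDATE: opcode 5, the zone's SOA in the zone section, RRs in the update section."""
    header = struct.pack("!HHHHHH", msgid, 5 << 11, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN) + b"".join(updates)


def tsig_variables(key_name, rclass, ttl, alg, time_signed, fudge, error, other):
    """RFC 2845 3.4.2 'TSIG variables': names lowercased, 48-bit time, no MAC or original ID."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", rclass, ttl) + encode_name(alg.lower())
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)


def tsig_sign(msg, key_name, secret, time_signed, fudge=300):
    """What dhcpd does: MAC over (message + TSIG variables), append the TSIG RR, bump ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, ANY, 0, ALG, time_signed, fudge, 0, b""),
                   hashlib.md5).digest()
    rdata = (encode_name(ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error=0, other len=0
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TSIG, ANY, 0, rdata)


def tsig_verify(signed, secret, now):
    """What named does before honouring allow-update: recompute the MAC and check the time window."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                       # zone section entries: name + type + class
        off = decode_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):         # every RR except the trailing TSIG
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = decode_name(signed, off)
    rclass, ttl = struct.unpack("!HI", signed[p + 2:p + 8])
    alg, p = decode_name(signed, p + 10)
    th, tl, fudge, macsize = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + macsize]
    orig_id, error, other_len = struct.unpack("!HHH", signed[p + 10 + macsize:p + 16 + macsize])
    other = signed[p + 16 + macsize:p + 16 + macsize + other_len]
    # Rebuild the message as it was before signing: original ID, ARCOUNT minus one, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:off]
    time_signed = (th << 32) | tl
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, rclass, ttl, alg, time_signed,
                                                            fudge, error, other), hashlib.md5).digest()
    # Constant-time compare; the fudge window is all that limits replay of a captured update.
    return hmac.compare_digest(expected, mac) and abs(now - time_signed) <= fudge


def demo(now=1223318472):
    """Sign the update dhcpd would send for a constructed lease and verify it under four conditions."""
    host, addr = "laptop.domingo.dk.", bytes([172, 16, 1, 100])   # constructed lease, not from the post
    updates = [rr(host, A, ANY, 0, b""),        # delete any existing A records for the host
               rr(host, A, IN, 600, addr)]      # add the newly leased address
    signed = tsig_sign(build_update("domingo.dk.", 0x1234, updates), KEY_NAME, SECRET, now)
    tampered = signed.replace(addr, bytes([172, 16, 1, 1]), 1)   # address rewritten in flight
    return {
        "good": tsig_verify(signed, SECRET, now),
        "wrong_key": tsig_verify(signed, b"not the shared secret", now),
        "tampered": tsig_verify(tampered, SECRET, now),
        "replayed_later": tsig_verify(signed, SECRET, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC proves only that the sender knew the secret, so anyone who can read dhcpd.conf or named.conf.local can forge an update that named will accept; the permissions on those two files matter more than the choice of digest, and the 300 second fudge window means clocks on both hosts must agree.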
If you grind to a halt somewhere in the process, a good place to look is the syslog:
tail -f /var/log/syslog
I don't know why, but I constantly end up being blocked by apparmor, so start by looking for apparmor errors in the syslog when you run into trouble.
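Both the profile step at the top and the troubleshooting tip above come down to the same loop: read the denial out of syslog, turn it into a rule, reload. As an added example that is not part of the original post (aa-logprof from apparmor-utils does this job properly), here is a small Python script that performs that conversion over constructed syslog lines, so you can see which fields matter. The lines, the pids, the dhcpd3 profile name and the denied file names are made up for the example; the field names profile=, name= and denied_mask= are the ones AppArmor actually logs, in both the 2008 type=1503 layout and the current apparmor="DENIED" layout.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not a real capture). named is denied the journal files
# dynamic updates create and a newly added config file; an unrelated dhcpd denial and a plain
# dhcpd lease line are included to show they are filtered out.
SAMPLE_SYSLOG = """\
Oct  6 20:50:01 ns kernel: audit(1223319001.001:81): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/var/lib/named/etc/sites/domingo.dk/forward.zone.jnl" pid=4321 profile="/usr/sbin/named"
Oct  6 20:50:01 ns kernel: audit(1223319001.002:82): type=1503 operation="inode_permission" requested_mask="a::" denied_mask="a::" name="/var/lib/named/etc/sites/domingo.dk/forward.zone.jnl" pid=4321 profile="/usr/sbin/named"
Oct  6 20:50:03 ns kernel: audit(1223319003.003:83): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf.options" pid=4321 profile="/usr/sbin/named"
Oct  6 20:50:05 ns kernel: apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/etc/sites/domingo.dk/reverse.zone.jnl" pid=4321 comm="named" requested_mask="wc" denied_mask="wc" fsuid=105 ouid=105
Oct  6 20:50:07 ns kernel: apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd3" name="/var/lib/dhcp3/dhcpd.leases~" pid=4400 comm="dhcpd3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct  6 20:50:09 ns dhcpd: DHCPACK on 172.16.1.100 to 00:11:22:33:44:55 via eth0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

# denied_mask letters -> file-rule permission. Create ("c") and delete ("d") are granted by "w"
# in a profile rule; the "::" separators of the old log format carry nothing for file rules.
PERMS = {"r": "r", "w": "w", "a": "a", "m": "m", "k": "k", "l": "l", "x": "x", "c": "w", "d": "w"}


def parse_denials(log_text, profile):
    """Return {path: set(permissions)} for every denial logged against `profile`."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("profile") != profile or "name" not in fields or "denied_mask" not in fields:
            continue
        mask = fields["denied_mask"].replace(":", "")
        wanted[fields["name"]].update(PERMS[c] for c in mask if c in PERMS)
    return dict(wanted)


def suggest_rules(log_text, profile):
    """One candidate profile line per denied path, permissions merged across all its denials."""
    rules = []
    for path, perms in sorted(parse_denials(log_text, profile).items()):
        if "w" in perms:
            perms.discard("a")      # w already implies append
        rules.append(f"{path} {''.join(sorted(perms))},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_SYSLOG, "/usr/sbin/named"):
        print(rule)
```

Treat the output as suggestions to review, not lines to paste: a denial only records what named tried to do, so a write anywhere outside the zone directory deserves a look before it becomes a rule, and the narrowest path that works beats a wider glob. In the profile above, sites/domingo.dk/** rw already covers the .jnl journals, so those two suggestions would be redundant there. Reload with apparmor_parser -r afterwards.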
Source: http://lani78.wordpress.com/2008/08/12/dhcp-server-update-dns-records///