Multi-homed forward zone DDNS updates always sent out the same network interface

Question

I have a multi-homed server 'dhcp1' with network interfaces '192.168.10.151' (eth0) and '192.168.0.151' (eth1). The machine is attempting to use DDNS with a name server 'ns1' having network interfaces '192.168.10.131' (eth0) and '192.168.0.131' (eth1). Hopefully these are the relevant sections of my dhcpd.conf:

ddns-update-style interim;

key DHCP_UPDATER {
    algorithm HMAC-MD5;
    secret "A6...==";
};

# The 'private' network.
subnet 192.168.10.0 netmask 255.255.255.0 {
  zone example.com. {
    primary 192.168.10.131;
    key DHCP_UPDATER;
  }

  zone 10.168.192.in-addr.arpa. {
    primary 192.168.10.131;
    key DHCP_UPDATER;
  }

  ddns-domainname "example.com.";
  ddns-rev-domainname "in-addr.arpa.";
  option domain-name "example.com";

  host client-private {
    hardware ethernet ...;
    fixed-address 192.168.10.13;
  }
  ...
}

# The 'public' network.
subnet 192.168.0.0 netmask 255.255.255.0 {
  zone example.com. {
    primary 192.168.0.131;
    key DHCP_UPDATER;
  }

  zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.131;
    key DHCP_UPDATER;
  }

  ddns-domainname "example.com.";
  ddns-rev-domainname "in-addr.arpa.";
  option domain-name "example.com";

  host client-public {
    hardware ethernet ...;
    fixed-address 192.168.0.13;
  }
  ...
}

The 'ns1' server runs two instances of 'named'- one listening on the loopback & private network interfaces, while the other instance listens on the public interface.

Starting the first instance yields:

May 10 01:24:32 ns1 named[6610]: starting BIND 9.8.1-P1 -u bind
May 10 01:24:32 ns1 named[6610]: built with '--prefix=/usr' '--mandir=/usr/share/man'     '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
May 10 01:24:32 ns1 named[6610]: adjusted limit on open files from 4096 to 1048576
May 10 01:24:32 ns1 named[6610]: found 2 CPUs, using 2 worker threads
May 10 01:24:32 ns1 named[6610]: using up to 4096 sockets
May 10 01:24:32 ns1 named[6610]: loading configuration from '/etc/bind/named.conf'
May 10 01:24:32 ns1 named[6610]: reading built-in trusted keys from file '/etc/bind/bind.keys'
May 10 01:24:32 ns1 named[6610]: using default UDP/IPv4 port range: [1024, 65535]
May 10 01:24:32 ns1 named[6610]: using default UDP/IPv6 port range: [1024, 65535]
May 10 01:24:32 ns1 named[6610]: listening on IPv4 interface lo, 127.0.0.1#53
May 10 01:24:32 ns1 named[6610]: listening on IPv4 interface eth0, 192.168.10.131#53
May 10 01:24:32 ns1 named[6610]: generating session key for dynamic DNS
May 10 01:24:32 ns1 named[6610]: sizing zone task pool based on 7 zones
May 10 01:24:32 ns1 named[6610]: set up managed keys zone for view _default, file 'managed-keys.bind'
May 10 01:24:32 ns1 named[6610]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 254.169.IN-ADDR.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: D.F.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 8.E.F.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 9.E.F.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: A.E.F.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: B.E.F.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
May 10 01:24:32 ns1 named[6610]: command channel listening on 127.0.0.1#953
May 10 01:24:32 ns1 named[6610]: couldn't add command channel ::1#953: address not available
May 10 01:24:32 ns1 named[6610]: zone 0.in-addr.arpa/IN: loaded serial 1
May 10 01:24:32 ns1 named[6610]: zone 127.in-addr.arpa/IN: loaded serial 1
May 10 01:24:32 ns1 named[6610]: zone 10.168.192.in-addr.arpa/IN: loaded serial 2013092337
May 10 01:24:32 ns1 named[6610]: zone 255.in-addr.arpa/IN: loaded serial 1
May 10 01:24:32 ns1 named[6610]: zone localhost/IN: loaded serial 2
May 10 01:24:32 ns1 named[6610]: zone example.com/IN: loaded serial 2013092554
May 10 01:24:32 ns1 named[6610]: managed-keys-zone ./IN: loaded serial 59
May 10 01:24:32 ns1 named[6610]: zone example.com/IN: sending notifies (serial 2013092554)
May 10 01:24:32 ns1 named[6610]: zone 10.168.192.in-addr.arpa/IN: sending notifies (serial 2013092337)
May 10 01:24:32 ns1 named[6610]: running

Starting the second instance yeilds:

May 10 01:24:54 ns1 named[6635]: starting BIND 9.8.1-P1 -u bind -c /etc/bind/named-1.conf
May 10 01:24:54 ns1 named[6635]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
May 10 01:24:54 ns1 named[6635]: adjusted limit on open files from 4096 to 1048576
May 10 01:24:54 ns1 named[6635]: found 2 CPUs, using 2 worker threads
May 10 01:24:54 ns1 named[6635]: using up to 4096 sockets
May 10 01:24:54 ns1 named[6635]: loading configuration from '/etc/bind/named-1.conf'
May 10 01:24:54 ns1 named[6635]: reading built-in trusted keys from file '/etc/bind/bind.keys'
May 10 01:24:54 ns1 named[6635]: using default UDP/IPv4 port range: [1024, 65535]
May 10 01:24:54 ns1 named[6635]: using default UDP/IPv6 port range: [1024, 65535]
May 10 01:24:54 ns1 named[6635]: listening on IPv4 interface eth1, 192.168.0.131#53
May 10 01:24:54 ns1 named[6635]: generating session key for dynamic DNS
May 10 01:24:54 ns1 named[6635]: sizing zone task pool based on 7 zones
May 10 01:24:54 ns1 named[6635]: set up managed keys zone for view _default, file 'managed-keys.bind'
May 10 01:24:54 ns1 named[6635]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 254.169.IN-ADDR.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: D.F.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 8.E.F.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 9.E.F.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: A.E.F.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: B.E.F.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
May 10 01:24:54 ns1 named[6635]: command channel listening on 192.168.0.131#953
May 10 01:24:54 ns1 named[6635]: zone 0.in-addr.arpa/IN: loaded serial 1
May 10 01:24:54 ns1 named[6635]: zone 127.in-addr.arpa/IN: loaded serial 1
May 10 01:24:54 ns1 named[6635]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2013092346
May 10 01:24:54 ns1 named[6635]: zone 255.in-addr.arpa/IN: loaded serial 1
May 10 01:24:54 ns1 named[6635]: zone localhost/IN: loaded serial 2
May 10 01:24:54 ns1 named[6635]: zone example.com/IN: loaded serial 2013092573
May 10 01:24:54 ns1 named[6635]: managed-keys-zone ./IN: loaded serial 59
May 10 01:24:54 ns1 named[6635]: zone example.com/IN: sending notifies (serial 2013092573)
May 10 01:24:54 ns1 named[6635]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2013092346)
May 10 01:24:54 ns1 named[6635]: running

All machines are virtual and use Ubuntu Server 12.04.

The Problem

My expectation is when the client requests an IP address on the private network that 'dhcp1' will update 'ns1' on the corresponding private interface (i.e., '192.168.10.131'). I am also expecting 'dhcp1' to update 'ns1' on public interface '192.168.0.131' when the client requests an IP address on that network. Although the reverse zone updates occur on the respective interfaces, 'dhcp1' always initiates the forward zone updates of both networks to the name server's public interface (i.e., '192.168.0.131).

Am I doing something wrong, is this a bug in isc-dhcp-server, a feature, etc? If I haven't provided enough specific information please let me know. Web searches regarding a multi-homed approach using isc-dhcp-server and bind9 have not returned much for me.

Any information you can provide in appreciated. Thank you.

Answer 1

It seems zones must be unique within the configuration.

I couldn't find this in the dhcpd.conf man pages but digging through the code and toying with the configuration gives an idea of the server implementation:

• The 'dhcpd' parsing code reaches the first "example.com." zone located in the '192.168.10.0' subnet of 'dhcpd.conf' and adds the information (including primary nameserver) to a hash map, using the zone name as the key.
• Later, parsing reaches the second "example.com." zone located in the 192.168.0.0 subnet. At this point, the existing "example.com." hash map zone data is replaced with the new information, including the primary nameserver. Because the reverse zones are unique, each is added to the map.
• Once the DHCP server needs to update forward zone information for either subnet, the updates are sent to the primary nameserver of the last-parsed subnet- in this case DNS server 192.168.0.131.

Rearranging the subnet information in the configuration file seems to confirm this as all forward zone updates were then sent to 192.168.10.131. Therefore, my setup may require a separate dhcpd daemon for each interface as I did for named. I am still curious if this multi-homed approach for high-availability networking is common, and if I am going about it correctly. Even though my question seems to be answered, any advice is welcomed.