A support customer reported a discrepancy in the behaviour of the 'ddns-guard-id-must-match' option in 4.4.1 compared to what is documented. Description of the issue follows:

ISC dhcpd version 4.4.1 introduced a new option called 'ddns-guard-id-must-match' to enable DDNS conflict resolution. This option enables or disables the requirement that a guard record's data value must match the client ID requesting the update. In other words, the mere presence of the guard record indicates a dynamic entry which may be updated. This permits dynamic clients to overwrite each other's entries while protecting static entries.

Documented Behaviour:

When ddns-guard-id-must-match is off, the update will contain a prerequisite that the guard record exists, followed by record updates to first delete the existing address and guard and then add the new address and guard.

ADD2-ID-OFF (ddns-guard-id-must-match off):

    prereq yxrrset    # guard must exist
    update delete     # delete existing address record
    update delete     # delete existing guard record
    update add        # add the new address record
    update add        # add new guard record

Behaviour in test environment:

Behaviour seems to be different than what's been documented for option 'ddns-guard-id-must-match' set to 'false'. Essentially, I am trying to simulate roaming clients, when a client moves from wired to wireless networks. For example: when a client is connected to the wired network it gets an IP from DHCP and DHCP dynamically updates the A and guard records. When the same client is moved to a wireless network (different MAC address, as it uses a wireless network adapter) it gets an IP from DHCP and DHCP removes the existing A record but never deletes the old guard record. It only adds the new A record, leaving the old guard record behind.

Implications:

Since the new A record is added without the corresponding guard record, if this option is enabled afterwards then any DDNS updates from DHCP for an existing client will fail, as the guard record doesn't match the client id. The administrator needs to manually delete all the orphaned guard records.

Setup:

- DHCP Server-1: IP 192.168.71.12, serving network 192.1689.71.0/24, sending DNS updates to DNS server 192.168.71.11
- DHCP Server-2: IP 192.168.72.12, serving network 192.1689.72.0/24, sending DNS updates to DNS server 192.168.71.11
- Client-1: roaming between the above networks.

The client first requests an IP from 192.168.71.0/24.

DHCP Server-1 logs:

    Aug 3 19:34:48 ubuntuguest dhcpd: DHCPDISCOVER from 5b:ac:2e:68:78:a1 via 192.168.71.90
    Aug 3 19:34:49 ubuntuguest dhcpd: DHCPOFFER on 192.168.71.56 to 5b:ac:2e:68:78:a1 (test10) via 192.168.71.90
    Aug 3 19:34:49 ubuntuguest dhcpd: DHCPREQUEST for 192.168.71.56 (192.168.71.11) from 5b:ac:2e:68:78:a1 (test10) via 192.168.71.90
    Aug 3 19:34:49 ubuntuguest dhcpd: Wrote 17 leases to leases file.
    Aug 3 19:34:49 ubuntuguest dhcpd: DHCPACK on 192.168.71.56 to 5b:ac:2e:68:78:a1 (test10) via 192.168.71.90

DNS logs:

    Aug 3 19:34:57 ns1 named[1733]: client 192.168.71.12#47028: view default: updating zone 'example.com/IN': adding an RR at 'test10.example.com' A 192.168.71.56
    Aug 3 19:34:57 ns1 named[1733]: client 192.168.71.12#47028: view default: updating zone 'example.com/IN': adding an RR at 'test10.example.com' TXT "00bfe79b31919fe3fb3e186a9e7f9e3ea2"

DHCP Server-2 logs:

    Aug 3 19:35:14 ubuntuguest dhcpd: DHCPDISCOVER from cd:8a:2b:13:87:96 via 192.168.72.90
    Aug 3 19:35:15 ubuntuguest dhcpd: DHCPOFFER on 192.168.72.47 to cd:8a:2b:13:87:96 (test10) via 192.168.72.90
    Aug 3 19:35:15 ubuntuguest dhcpd: DHCPREQUEST for 192.168.72.47 (192.168.72.11) from cd:8a:2b:13:87:96 (test10) via 192.168.72.90
    Aug 3 19:35:15 ubuntuguest dhcpd: DHCPACK on 192.168.72.47 to cd:8a:2b:13:87:96 (test10) via 192.168.72.90

DNS logs:

    3 19:35:25 ns1 named[1733]: client 192.168.72.12#46948: view default: updating zone 'example.com/IN': update unsuccessful: test10.example.com: 'name not in use' prerequisite not satisfied (YXDOMAIN)
    Aug 3 19:35:25 ns1 named[1733]: client 192.168.72.12#47235: view default: updating zone 'example.com/IN': deleting rrset at 'test10.example.com' A
    Aug 3 19:35:25 ns1 named[1733]: client 192.168.72.12#47235: view default: updating zone 'example.com/IN': adding an RR at 'test10.example.com' A 192.168.72.47
    Aug 3 19:35:25 ns1 named[1733]: zone example.com/IN/default: sending notifies (serial 552325403)

tcpdump captures and dhcp configuration files from both servers are attached to support ticket https://support.isc.org/Ticket/Display.html?id=13361
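The report ends with the administrator having to find and delete orphaned guard records by hand. The following is an added example, not ISC code, of how that audit can be scripted: it takes the `set ddns-fwd-name` / `set ddns-txt` values dhcpd writes into dhcpd.leases as the guard each live lease should own, and flags any other guard TXT at that name in a zone dump. The lease file, zone dump and the `31d3...` guard value are constructed for the example; the `00bfe79b...` guard is the one from the logs above.

```python
"""Audit a zone dump for stale DDNS guard TXT records (added example, not ISC code).
Expected guards come from dhcpd.leases `set ddns-txt = "..."` statements."""
import re
from collections import defaultdict

# Constructed dhcpd.leases excerpt: test10 now holds the wireless lease.
LEASES = '''
lease 192.168.72.47 {
  starts 0 2019/08/03 19:35:15;
  hardware ethernet cd:8a:2b:13:87:96;
  set ddns-fwd-name = "test10.example.com";
  set ddns-txt = "31d3c0ffee0000000000000000000000aa";
  client-hostname "test10";
}
'''
# Constructed zone dump: the wired lease's guard (from the report) was never deleted.
ZONE = '''
test10.example.com.  3600 IN A   192.168.72.47
test10.example.com.  3600 IN TXT "00bfe79b31919fe3fb3e186a9e7f9e3ea2"
test10.example.com.  3600 IN TXT "31d3c0ffee0000000000000000000000aa"
'''

def expected_guards(leases_text):
    """Map forward name -> set of ddns-txt guard values seen in lease blocks."""
    guards = defaultdict(set)
    for block in re.findall(r"lease\s+\S+\s*\{(.*?)\}", leases_text, re.S):
        name = re.search(r'set ddns-fwd-name = "([^"]+)"', block)
        txt = re.search(r'set ddns-txt = "([^"]+)"', block)
        if name and txt:
            guards[name.group(1).lower().rstrip(".")].add(txt.group(1))
    return guards

def stale_guards(zone_text, guards):
    """Return (name, txt) for every guard TXT in the zone no lease accounts for."""
    stale = []
    for m in re.finditer(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"([^"]+)"', zone_text, re.M):
        name = m.group(1).lower().rstrip(".")
        if m.group(2) not in guards.get(name, set()):
            stale.append((name, m.group(2)))
    return stale

def cleanup_script(zone, stale):
    """nsupdate commands removing only the stale guard values, keeping the live one."""
    lines = [f"zone {zone}"] + [f'update delete {n}. TXT "{t}"' for n, t in stale]
    return "\n".join(lines + ["send"])

if __name__ == "__main__":
    print(cleanup_script("example.com", stale_guards(ZONE, expected_guards(LEASES))))
```

A guard absent from dhcpd.leases may also belong to a lease that has simply expired, so review the generated deletes against the lease history before feeding them to nsupdate.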