Create a DHCP reverse zone declaration to configure TSIG or GSS-TSIG signing of Dynamic DNS (DDNS) updates for a reverse zone.
To add a DHCP reverse zone:
- From the configuration drop-down menu, select a configuration.
- Select the IP Space tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Click the DHCP Settings tab. Under DHCP Zone Groups, click a DHCP zone group.
- Click the DHCP Zone Declarations tab. Under Reverse Zones, click New.
Under General, select an IP block or network from an Address Manager-managed server, or provide the fully-qualified domain name for a reverse zone not managed by Address Manager:
Note: If the Third Party field is selected for IPv6 blocks and networks, the Sign DDNS Updates options won't be supported even though the checkbox is still available for selection. Address Manager returns an error.
- For an IPv4 block or network located on an Address Manager-managed DHCP server, select IPv4 Block or IPv4 Network first at the top of the section. Select Under Address Manager Control and select a block or network from the Select Block Or Network drop-down menu. To filter the list of blocks and networks, type the first few numbers of the block or network range and the existing blocks or networks will be populated.
- For an IPv6 block or network located on an Address Manager-managed DHCPv6 server, select IPv6 Block or IPv6 Network first at the top of the section. Select Under Address Manager Control and type, or copy and paste, the existing IPv6 block or network in the Select Block Or Network field.
- For a reverse zone located on a server not managed by Address Manager, select Third Party and type a fully qualified domain name in the Zone Name field.
- In the Primary DNS Server IP Address field, enter the IPv4 address for the reverse zone’s primary DNS server.
- In the Secondary DNS Server IP Address field, enter the IPv4 address for the zone’s secondary DNS server.
Note: The primary and secondary fields refer to the Windows DNS Server definition of primary/secondary servers (two read/write servers), not the standard primary/secondary architecture of the DNS protocol (where the primary is read/write and the secondary is read-only). When adding a forward DHCP zone to non-Windows DNS servers in a standard primary-secondary relationship, fill out only the Primary DNS Server IP Address field. The Secondary DNS Server IP Address field is only for Windows DNS Server configurations, where both servers are read/write.
Note: A DHCPv6 server can only communicate with a DNS server over IPv4 for DDNS updates.
To sign DDNS updates for the reverse zone, select the Sign DDNS Updates check box and do one of the following:
Note: The Sign DDNS Updates check box is available only for IPv4 blocks and networks, because a DHCPv6 server can communicate with a DNS server for DDNS updates only over IPv4.
Note: Only TSIG keys created with the hmac-md5 algorithm can be used to sign Dynamic DNS updates for forward and reverse DHCP zones.
- To sign DDNS updates with a TSIG key, select Using TSIG, then select a TSIG key from the Key drop-down menu.
- To sign DDNS updates with GSS-TSIG, select Using GSS-TSIG. For more information, refer to Configuring GSS-TSIG.
- Under Change Control, add comments, if required.
Note: IPv6 reverse zone declarations are deployed only with DHCPv6 service deployment.
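
What a TSIG-signed reverse-zone update looks like on the wire, as an added example (not Address Manager or BlueCat code): it builds an RFC 2136 update that adds one PTR record, computes the hmac-md5 TSIG MAC per RFC 2845, and shows the receiver's MAC and time-window check. The zone, host name, key name, secret and timestamp are constructed sample values, and the function names are hypothetical.

```python
import base64, hmac, struct

# Added illustration; names, key and addresses below are constructed samples.
HMAC_MD5 = "hmac-md5.sig-alg.reg.int"  # TSIG algorithm name for hmac-md5 (RFC 2845)

def wire_name(name):
    """Domain name in uncompressed, lower-cased DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def time48(t):
    """48-bit 'time signed' field."""
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)

def ptr_update(msg_id, zone, owner, target, ttl=3600):
    """Unsigned RFC 2136 UPDATE adding one PTR record to a reverse zone."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    rdata = wire_name(target)
    return (header + wire_name(zone) + struct.pack("!2H", 6, 1)  # zone: SOA, IN
            + wire_name(owner) + struct.pack("!2HIH", 12, 1, ttl, len(rdata)) + rdata)

def tsig_mac(message, key_name, secret_b64, time_signed, fudge=300):
    """HMAC-MD5 over the message plus the TSIG variables (request case)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
                 + wire_name(HMAC_MD5) + time48(time_signed)
                 + struct.pack("!3H", fudge, 0, 0))  # fudge, error, other length
    return hmac.new(base64.b64decode(secret_b64), message + variables, "md5").digest()

def sign(message, key_name, secret_b64, time_signed, fudge=300):
    """Append the TSIG RR and increment ARCOUNT, as the sender does."""
    mac = tsig_mac(message, key_name, secret_b64, time_signed, fudge)
    rdata = (wire_name(HMAC_MD5) + time48(time_signed)
             + struct.pack("!2H", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!2H", 0, 0))  # original ID, error, other length
    rr = wire_name(key_name) + struct.pack("!2HIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def accepts(message, mac, key_name, secret_b64, time_signed, now, fudge=300):
    """Receiver's check: MAC matches and the timestamp is within the fudge window."""
    expected = tsig_mac(message, key_name, secret_b64, time_signed, fudge)
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge

KEY = base64.b64encode(b"constructed-demo").decode()  # constructed secret
UPDATE = ptr_update(0x1234, "1.168.192.in-addr.arpa", "25.1.168.192.in-addr.arpa",
                    "host25.example.com")
SIGNED = sign(UPDATE, "ddns-key", KEY, time_signed=1700000000)
```

A modified record, a different key, or a timestamp outside the fudge window each makes `accepts` return False, which is how the DNS server rejects unsigned, altered or replayed updates to the reverse zone.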