ISC dhcpd and bind9 interactions in Debian <12
tl;dr AppArmor can break DDNS on Debian
Also posted as a comment on ISC’s gitlab. The real solution, of course, is to stop using the now-EOL ISC dhcpd and migrate to Kea, but Kea’s architecture is obviously different from dhcpd’s, so migration of a complex configuration will take time.
If anyone else finds it useful, I’ve discovered that this error is due to incomplete AppArmor profiles in Debian < 12:
Oct 14 14:48:48 firewall dhcpd[1177]: DHCPREQUEST for 192.168.1.123 from xx:xx:xx:xx:xx:xx (clientname) via enp2s0
Oct 14 14:48:48 firewall dhcpd[1177]: data: host_decl_name: not available
Oct 14 14:48:48 firewall dhcpd[1177]: DHCPACK on 192.168.1.123 to xx:xx:xx:xx:xx:xx (clientname) via enp2s0
Oct 14 14:50:57 firewall dhcpd[1177]: DDNS: cleaning up lease pointer for a cancel cb=0x7f21e013af20
Oct 14 14:50:57 firewall dhcpd[1177]: Unable to add forward map from clientname.fqdn to 192.168.1.123: operation canceled
Upgrading Debian’s isc-dhcp-server package to the latest (4.4.3-P1-2) brings in an updated AppArmor profile.
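One gotcha: with this new AppArmor profile you will need to COPY (not symlink) the keys shared between bind and dhcpd! AppArmor checks the path a symlink resolves to, so a link pointing into bind's directory falls outside the rule below and is still denied: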
# access to bind9 keys for dynamic update
# It's expected that users will generate one key per zone and have it
# stored in both /etc/bind9 (for bind to access) and /etc/dhcp/ddns-keys
# (for dhcpd to access).
/etc/dhcp/ddns-keys/** r,
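
A quick audit for the symlink gotcha above, as an added example that is not part of the original post or the Debian package. It assumes GNU find and readlink as shipped on Debian, and the function name check_ddns_keys is invented for this example:

```shell
#!/bin/sh
# Added example: list DDNS key files that the dhcpd AppArmor rule
#   /etc/dhcp/ddns-keys/** r,
# does not cover because they are symlinks resolving outside that directory.
# Assumes GNU find and readlink (as on Debian); check_ddns_keys is a
# name invented for this example.
#
# Usage: check_ddns_keys [DIR]   (DIR defaults to /etc/dhcp/ddns-keys)
# Prints "ok", "outside" or "dangling" per entry.
# Exit status: 0 all entries inside DIR, 1 at least one is not, 2 DIR missing.
check_ddns_keys() (
    dir=${1:-/etc/dhcp/ddns-keys}
    if [ ! -d "$dir" ]; then
        echo "missing $dir"
        exit 2
    fi
    real_dir=$(readlink -f "$dir")
    bad=0
    # Regular files and symlinks at any depth, matching the "**" glob.
    list=$(find "$dir" -mindepth 1 \( -type f -o -type l \))
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if [ ! -e "$entry" ]; then
            # Symlink whose target does not exist.
            echo "dangling $entry"
            bad=1
            continue
        fi
        # AppArmor mediates on the resolved path, so compare that.
        target=$(readlink -f "$entry")
        case "$target" in
            "$real_dir"/*) echo "ok $entry" ;;
            *) echo "outside $entry -> $target"; bad=1 ;;
        esac
    done <<EOF
$list
EOF
    exit "$bad"
)
```

Any entry reported as "outside" or "dangling" should be replaced with a real copy of the key file before restarting dhcpd.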