Bind and RNDC pls pls help :)



hookooekoo
4th June 2004, 04:35 AM
Hi all, any help would be greatly appreciated.

I have setup a perfectly working DNS server on Red Hat 9, but I am not as lucky with a chroot-bind on Fedora. The problem I am having is with the rndc key, and I have had little luck searching for guides and/or answers.

I ran rndc-confgen and got the following,


# Start of rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "q3k3SzpxASgKHCZpG1LeMw==";
};

options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
# algorithm hmac-md5;
# secret "q3k3SzpxASgKHCZpG1LeMw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf


Here is my rndc.conf



[root@ns3 etc]# cat rndc.conf
options {
default-server localhost;
default-key "rndckey";
};

server localhost {
key "rndckey";
};

include "/var/named/chroot/etc/rndc.key";



Here is my named.conf



[root@ns3 etc]# cat named.conf
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/var/named/chroot/etc/named.custom";

include "/var/named/chroot/etc/rndc.key";

# Use with the following in named.conf, adjusting the allow list as needed:

key "rndckey" {
algorithm hmac-md5;
secret "q3k3SzpxASgKHCZpG1LeMw==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};

zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};


and My rndc.key



[root@ns3 etc]# cat rndc.key
options {
default-server localhost;
default-key "rndckey";
};

server localhost {
key "rndckey";
};

include "/var/named/chroot/etc/rndc.key";


pls help, thx.

hookooekoo
5th June 2004, 05:07 AM
It seems my problem is that it is parsing the named and rndc configs in the regular /etc.

How do I get it to parse /var/named/chroot/etc instead when I restart named, for the chroot?

bradthemad
5th June 2004, 07:24 AM
If you're running bind in a chroot, you need to give the location of the chroot directory in /etc/sysconfig/named:


ROOTDIR=/var/named/chroot

The simplest way to handle the rndc key is to put it in its own file, and include that file in both named.conf and rndc.conf. To avoid confusion between files in /etc and files in /var/named/chroot/etc, make some symlinks:

/etc/named.conf should be a symlink to /var/named/chroot/etc/named.conf.
/etc/rndc.key should be a symlink to /var/named/chroot/etc/rndc.key.
/etc/rndc.conf doesn't involve chroot, so it stays put.

rndc.key should look like this:



key "rndckey" {
algorithm hmac-md5;
secret "q3k3SzpxASgKHCZpG1LeMw==";
};


/etc/rndc.conf should look like this:



options {
default-server localhost;
default-key "rndckey";
};

server localhost {
key "rndckey";
};

// This should be a symlink to the chrooted key file:
include "/etc/rndc.key";


named.conf should look like this:



controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/named.custom";

include "/etc/rndc.key";

zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};

...

hookooekoo
5th June 2004, 07:34 AM
Thanks for the help. I was trying to figure out how to get it to parse the chroot instead and ended up editing /etc/rc3.d/K45named to get it to work.

I had previously added the code to /etc/sysconfig/named and rndc still failed until I did the above.

Jman
24th June 2004, 02:51 AM
Moved to Servers forum.

hookooekoo
24th June 2004, 07:18 AM
OK, my K45 trick actually made named look like it starts, but it really does nothing.

So I am back to the rndc problem.

I have never made a symlink before, so I read about it and tried the following.



[root@ns2 etc]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf
ln: `/etc/named.conf': File exists


so the symlink already exists? I do an ls -l in /etc and I don't see the symlink.

hookooekoo
24th June 2004, 07:58 AM
OK, I managed to figure out the symlinks.



[root@ns2 etc]# ls -l |grep named
lrwxrwxrwx 1 root root 32 Jun 23 11:44 named.conf -> /var/named/chroot/etc/named.conf
lrwxrwxrwx 1 root root 30 Jun 23 11:42 rndc.key -> /var/named/chroot/etc/rndc.key


Here is my rndc.key


key "rndckey" {
algorithm hmac-md5;
secret "jDs5tcv4Apf6rLZQ0dkAVA==";
};


rndc.conf


options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};

server localhost {
key "rndckey";
};

// This should be a symlink to the chrooted key file:
include "/etc/rndc.key";


and named.conf


controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};

include "/etc/named.custom";
include "/etc/rndc.key";

zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};


and the result still



[root@ns2 etc]# /etc/init.d/named restart
Stopping named: rndc: connect failed: connection refused
[FAILED]
Starting named: [ OK ]

bradthemad
24th June 2004, 11:53 AM
Starting named: [ OK ]

What's the problem? If it wasn't running before, the error when stopping it is to be expected, but the above indicates that afterward it did start up okay. Is it running? Does it work?

hookooekoo
24th June 2004, 12:35 PM
Yes but rndc is failing.

Fedora DNS is buggy as hell on install. I did yum remove bind, then yum install bind, and it is fixed now. I guess when you install BIND during the initial install it messes up the rndc key. If you don't install bind in the beginning but yum it afterwards, it doesn't chroot it.

Either way, a long mess later, DNS is now resolving; now to fix the other one and slave/master them :\

hookooekoo
25th June 2004, 07:49 AM
Yeah, so, wow, configuring bind on Fedora has been a pain, but I've made much progress.

It is funny that chroot bind on Gentoo took like 2 minutes and hardly any config changes; the downside is that Gentoo is much tougher to install, hehe.

Anyway, I will post what I did when I get a chance so others that want to set up DNS or ran into problems can see what I did to get it running.

hookooekoo
25th June 2004, 11:40 AM
Ok, I am stuck again. I started fresh.

When bind was first installed, I could restart bind fine and the rndc key would connect. After I moved rndc.key and named.conf to /var/named/chroot/etc, rndc would refuse. Here is all the info below. I did tell /etc/sysconfig/named to look in the jail environment too.

Here are my symlinks



[root@ns2 etc]# ls -l |grep named
lrwxrwxrwx 1 named named 32 Jun 24 17:19 named.conf -> /var/named/chroot/etc/named.conf
-rw-r----- 1 root named 1101 Mar 26 03:28 rndc.conf
lrwxrwxrwx 1 root named 30 Jun 24 16:42 rndc.key -> /var/named/chroot/etc/rndc.key


Here are my ownership rights in /var/named/chroot/etc



-rw-r--r-- 1 named named 295 Jun 24 16:53 named.conf
-rw-r----- 1 root named 132 Jun 24 16:36 rndc.key



here is rndc.key



[root@ns2 etc]# cat rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "ngM80uYY0lzBfg9xoMrzX3r78RNQh3mc4ZxN3jAUDkxzT9qwZnZ2C7IRKXsj";
};


rndc.conf



options {
default-server localhost;
default-key "rndckey";
};

server localhost {
key "rndckey";
};

include "/etc/rndc.key";


named.conf



[root@ns2 etc]# cat named.conf
controls {
inet 127.0.0.1
allow { 127.0.0.1; } keys { "rndckey"; };
};

include "/etc/rndc.key";

zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};


When I restart named, rndc fails, causing named to not work correctly.



Stopping named: rndc: connect failed: connection refused
[FAILED]
Starting named: [ OK ]


WHAT the hell am I missing?

hookooekoo
25th June 2004, 12:22 PM
Here are the log error messages



Jun 25 01:08:21 ns2 named[27720]: starting BIND 9.2.3 -u named -t /var/named/chroot
Jun 25 01:08:21 ns2 named[27720]: using 1 CPU
Jun 25 01:08:21 ns2 named[27720]: loading configuration from '/etc/named.conf'
Jun 25 01:08:21 ns2 named[27720]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 25 01:08:21 ns2 named[27720]: listening on IPv4 interface eth0, 192.0.0.83#53
Jun 25 01:08:21 ns2 named[27720]: command channel listening on 127.0.0.1#953
Jun 25 01:08:21 ns2 named[27720]: command channel listening on ::1#953
Jun 25 01:08:21 ns2 named[27720]: could not open entropy source /dev/random: file not found
Jun 25 01:08:21 ns2 named[27720]: couldn't open pid file '/var/run/named/named.pid': No such file or directory
Jun 25 01:08:21 ns2 named[27720]: exiting (due to early fatal error)
Jun 24 18:08:21 ns2 named: named startup succeeded

hookooekoo
25th June 2004, 02:57 PM
Ok, I got it running, FINALLY.

First of all, DO NOT INSTALL DNS on the initial install of Fedora. If you can get a jailed bind running after that complete with zone files etc, you are a god. If you are a god, I hate you for not helping me resolve the problem, and posting and gloating that you did it.

Anyway, after you get fedora installed install bind-chroot and caching-nameserver.



#yum install bind-chroot
#yum install caching-nameserver


For some reason named.conf and rndc.key are still in /etc. Copy them both to the jailed environment and make a symlink for rndc.key. There is a blank named.conf and rndc.key in the jailed environment, so overwrite them.



#cp /etc/named.conf /var/named/chroot/etc/named.conf
#cp /etc/rndc.key /var/named/chroot/etc/rndc.key
#ln -s /var/named/chroot/etc/rndc.key rndc.key


make sure ownership on named is named:named and rndc.key is root:named

Here is an example of the beginning of my named.conf



controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

include "/etc/rndc.key";


Restart named and it should look like this.


[root@ns2 etc]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [ OK ]


If you get an rndc error, it may still work. But you can help resolve the issue by having two terminal or ssh windows open. In one window you can view your error logs with the following command.



[root@ns2 etc]# tail -f /var/log/messages


Restart named in your other window and you should see output in the first similar to the below.



Jun 25 03:35:28 ns2 named[28606]: starting BIND 9.2.3 -u named -t /var/named/chroot
Jun 25 03:35:28 ns2 named[28606]: using 1 CPU
Jun 25 03:35:28 ns2 named[28606]: loading configuration from '/etc/named.conf'
Jun 25 03:35:28 ns2 named[28606]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 25 03:35:28 ns2 named[28606]: listening on IPv4 interface eth0, 192.0.0.83#53
Jun 25 03:35:28 ns2 named[28606]: command channel listening on 127.0.0.1#953
Jun 25 03:35:28 ns2 named[28606]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Jun 25 03:35:28 ns2 named[28606]: xxxxxxx.xxx.zone:6: no TTL specified; using SOA MINTTL instead
Jun 25 03:35:28 ns2 named[28606]: zone xxxxxxxx.xxx/IN: loaded serial 38
Jun 25 03:35:28 ns2 named[28606]: zone localhost/IN: loaded serial 42
Jun 25 03:35:28 ns2 named[28606]: running
Jun 25 03:35:28 ns2 named[28606]: zone xxxxxxxx.xxx/IN: sending notifies (serial 38)
Jun 24 20:35:28 ns2 named: named startup succeeded



That was a successful log, but I used the same method when I had error messages to help decipher what was wrong.

Anyway, jailed bind is now working, hooray! I think that is everything, but my head is ****ing spinning like crazy, so I might have missed something.

Good luck on your jailed bind adventures, and I hope this helps a few out.
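As an added example (not code from the thread or from any of its posters), here is a small POSIX shell checker for the layout bradthemad described above and that hookooekoo's walkthrough ends up with: ROOTDIR set in /etc/sysconfig/named, /etc/named.conf and /etc/rndc.key symlinked into the jail, one rndc.key file shared by named.conf and rndc.conf, a key file that holds only the key statement (not an include of itself, which was the first mistake in this thread), and a key file that is not world-readable. The key name `rndckey`, the Fedora paths and the function names are assumptions; the paths are parameters so the checks can be run against a constructed tree as well as a live system.

```shell
#!/bin/sh
# Hypothetical helper, not part of the thread: sanity-check a chrooted BIND 9 / rndc layout.
# Usage: check_bind_chroot [etcdir] [sysconfig_file]   (defaults: /etc, /etc/sysconfig/named)

# Print the secret of key $2 defined in BIND-style config file $1 (empty if not found).
key_secret() {
  awk -v want="$2" '
    /^[[:space:]]*key[[:space:]]/ {
      n = $2; gsub(/["{;]/, "", n); inkey = (n == want); next
    }
    inkey && /secret/ {
      s = $0; sub(/.*secret[[:space:]]*"/, "", s); sub(/".*/, "", s); print s; exit
    }' "$1"
}

# Check the layout. Prints one line per failed check; returns 0 only if everything passes.
check_bind_chroot() {
  etc=${1:-/etc}; sysconf=${2:-/etc/sysconfig/named}; rc=0

  # 1. Without ROOTDIR the init script starts named without -t, so the jailed configs are ignored.
  rootdir=$(sed -n 's/^ROOTDIR=//p' "$sysconf" 2>/dev/null | tail -n 1)
  if [ -z "$rootdir" ]; then
    echo "ROOTDIR is not set in $sysconf; named would read $etc/named.conf outside the jail"
    return 1
  fi

  # 2. The copies outside the jail must be symlinks to the jailed files, not separate files.
  for f in named.conf rndc.key; do
    want="$rootdir/etc/$f"
    got=$(if [ -L "$etc/$f" ]; then readlink "$etc/$f"; fi)
    if [ "$got" != "$want" ]; then
      echo "$etc/$f should be a symlink to $want (found: ${got:-not a symlink})"; rc=1
    fi
  done

  # 3. The key file holds exactly one key statement; an include (of itself or anything else) is wrong.
  keyfile="$rootdir/etc/rndc.key"
  if [ ! -f "$keyfile" ]; then
    echo "missing $keyfile"; return 1
  fi
  if grep -q 'include' "$keyfile"; then
    echo "$keyfile contains an include; it should contain only the key statement"; rc=1
  fi
  if [ -z "$(key_secret "$keyfile" rndckey)" ]; then
    echo "$keyfile does not define key \"rndckey\""; rc=1
  fi

  # 4. named.conf and rndc.conf both pull in the same key file, and controls authorises that key.
  for f in "$rootdir/etc/named.conf" "$etc/rndc.conf"; do
    if ! grep -q 'include.*rndc\.key' "$f" 2>/dev/null; then
      echo "$f does not include rndc.key"; rc=1
    fi
  done
  if ! grep -Eq 'keys[[:space:]]*\{[[:space:]]*"?rndckey"?' "$rootdir/etc/named.conf" 2>/dev/null; then
    echo "controls statement in $rootdir/etc/named.conf does not authorise key rndckey"; rc=1
  fi

  # 5. The key file is a shared secret for the control channel: no permission bits for "other".
  mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
  case "$mode" in
    *[1-7]) echo "$keyfile is readable by others (mode $mode); use root:named 640"; rc=1 ;;
  esac

  return $rc
}
```

Run it as root on the live box with no arguments after making the symlinks; every line it prints is one of the mismatches that produced "rndc: connect failed" or a silently ignored jail in this thread.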

Mrdp
2nd July 2004, 05:02 AM
named is not working for me. I have these errors:


Stopping named: rndc: connect failed: connection refused
[FAILED]
Starting named: [ OK ]


Jul 1 18:35:23 ilaydahosting named: named shutdown failed
Jul 1 15:35:25 ilaydahosting named[2715]: starting BIND 9.2.3 -u named -t /var/named/chroot
Jul 1 15:35:25 ilaydahosting named[2715]: using 1 CPU
Jul 1 15:35:25 ilaydahosting named[2715]: loading configuration from '/etc /named.conf'
Jul 1 15:35:25 ilaydahosting named[2715]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 1 15:35:25 ilaydahosting named[2715]: listening on IPv4 interface eth0 , 10.0.0.33#53
Jul 1 15:35:25 ilaydahosting named[2715]: couldn't add command channel 127 .0.0.1#953: not found
Jul 1 15:35:25 ilaydahosting named[2715]: couldn't add command channel ::1 #953: not found
Jul 1 15:35:25 ilaydahosting named[2715]: running
Jul 1 18:35:26 ilaydahosting named: named startup succeeded
Jul 1 18:45:22 ilaydahosting smbd[2742]: [2004/07/01 18:45:22, 0] lib/util_sock.c:read_socket_data(365)
Jul 1 18:45:22 ilaydahosting smbd[2742]: read_socket_data: recv failure for 4. Error = Connection reset by peer
Jul 1 18:46:56 ilaydahosting smbd[2785]: [2004/07/01 18:46:56, 0] lib/util_sock.c:read_socket_data(365)
Jul 1 18:46:56 ilaydahosting smbd[2785]: read_socket_data: recv failure for 4. Error = Connection reset by peer
Jul 1 18:47:57 ilaydahosting smbd[2834]: [2004/07/01 18:47:57, 0] lib/util_sock.c:read_socket_data(365)
Jul 1 18:47:57 ilaydahosting smbd[2834]: read_socket_data: recv failure for 4. Error = Connection reset by peer
Jul 1 15:54:11 ilaydahosting named[2715]: lame server resolving 'fedoraforum.org.net' (in 'org.NET'?): 205.196.81.2#53
Jul 1 15:54:11 ilaydahosting named[2715]: lame server resolving 'fedoraforum.org.net' (in 'org.NET'?): 205.196.81.3#53
Jul 1 18:57:27 ilaydahosting smbd[2875]: [2004/07/01 18:57:27, 0] lib/util_sock.c:read_socket_data(365)
Jul 1 18:57:27 ilaydahosting smbd[2875]: read_socket_data: recv failure for 4. Error = Connection reset by peer

hookooekoo
3rd July 2004, 04:36 AM
There is a space in your localhost IP:



couldn't add command channel 127 .0.0.1#953: not found


so check your named.conf.

Make sure your rndc key is correct in named.conf, rndc.conf, and rndc.key.

I had an rndc error I could not rectify. I finally just backed up named.conf and deleted all symlinks, rndc.key, rndc.conf, and named.conf. I removed bind-chroot and caching-nameserver, reinstalled, and it fixed all rndc problems.

You will get rndc errors if there are any typos.

vgeorge
25th July 2004, 06:46 AM
In etc/rc.d/init.d/named, remove the ${OPTIONS} from the line after start():

daemon /usr/sbin/named -u named ${OPTIONS}

so it will be:

daemon /usr/sbin/named -u named

This will make named run without the -t parameter, like Red Hat 9.


George Vourliotis
Hellas (Greece)

chetshot
3rd April 2005, 06:44 PM
Check /var/run/named... the permissions on that... that's all you gotta do!... enjoy

chetshot
3rd April 2005, 06:49 PM
Hi people... finally the rndc bug is out of the stadium... I have found the solution...
It depends only on the permissions of files and directories:
rndc.conf... root.named... 755
named.conf... named.named... 755
Also, if there is an error like "permission denied on named.pid" after running named -g -p 53, then you have to change the permissions of the /var/run/named directory, where the pid resides.

chetshot
3rd April 2005, 06:51 PM
Owner of /var/run/named: named, group: named, mode 755.