LinuxQuestions.org > Linux - Server > Bind dns server - have to restart it all the time
http://www.linuxquestions.org/questions/linux-server-73/bind-dns-server-have-to-restart-it-all-the-time-894732/

enzym 07-31-2011 03:52 AM

Bind dns server - have to restart it all the time
 
Hi! I run a Fedora 15 server with dhcp and dns (dhcpd and named), and it works fine, but I have to restart bind all the time since it stops resolving for dns clients. Anyone got any bright ideas? Where do I start looking? In the logs? What do I look for? (There are tons and tons of lines in the logs...)

Regards,

Tom

kbp 07-31-2011 08:09 AM

Try these:

service named status
tailf /var/log/messages
rndc querylog
tailf /var/log/audit/audit.log

Is selinux in enforcing mode?

enzym 07-31-2011 03:34 PM

Quote:

Originally Posted by kbp (Post 4429895)
Try these:

service named status
tailf /var/log/messages
rndc querylog
tailf /var/log/audit/audit.log

Is selinux in enforcing mode?

Thanks, the status is that it is running, as far as I can see..

Tried the other commands, but I really do not know what I should look for. Selinux is in targeted mode, according to the file.

kbp 07-31-2011 05:36 PM

Bind (named) will usually log errors to /var/log/messages, so check there first. With selinux enabled it's possible to have files that bind isn't permitted to access (mislabelled), but considering that you mentioned it dies after a while, selinux is not likely to be the issue.
If you can't find any related errors you may have to resort to a debugger; do you have any experience with debugging?

enzym 07-31-2011 11:54 PM

Quote:

Originally Posted by kbp (Post 4430177)
Bind (named) will usually log errors to /var/log/messages, so check there first. With selinux enabled it's possible to have files that bind isn't permitted to access (mislabelled), but considering that you mentioned it dies after a while, selinux is not likely to be the issue.
If you can't find any related errors you may have to resort to a debugger; do you have any experience with debugging?

Now it has died again, and I restarted it, but before doing anything else I checked the messages log.
It says among other things that the connection was refused by 192.168.0.1#53 (gateway) trying to look up an address.
Come to think of it, the gateway is configured to be the third of the dns servers to query externally.

I can try to remove it and see if the problem persists, but it is strange if that would cause bind to stop trying other addresses.
I am pretty new to using linux; I have tried other distributions before, like Mandriva and Ubuntu (and a few others), but never really tried to configure one as a home server with DHCP, DNS, FTP, WWW, a mail server with exchange functionality and more..
I have gotten pretty far with this now (pretty proud of myself, and of google of course, which is a priceless friend for things like these).
Had 2008 Server R2 before replacing it with Fedora 15. My GOD it is a system resource hogger, and not at all easy to configure either if you want MS Exchange on it..

But no, I am not pretty good at debugging, except from trial and error, and debugging Visual Basic code.. ;)

enzym 08-01-2011 12:02 AM

Aug 1 06:59:13 server named[23285]: validating @0xb4f33028: www.vg.no.dlv.isc.org DLV: bad cache hit (no.dlv.isc.org/DS)
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no.dlv.isc.org/DLV/IN': 8.8.8.8#53
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no/A/IN': 193.213.112.4#53

The latest lines from the messages file, it stopped yet again! How annoying...
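The three log lines above are the kind of thing worth extracting automatically rather than scrolling for. The script below is an added example, not code from this thread: it parses named's "error (...) resolving" and "validating @0x...:" messages and groups failures by the upstream server that produced them, so a forwarder that is behind most of the "broken trust chain" errors stands out. The first three sample lines are the ones posted above; the remaining three are constructed (a refused gateway like the one described earlier in the thread, a second trust-chain failure, and an unrelated zone-load line the parser must ignore).

```python
"""Group BIND (named) resolution failures from syslog by upstream server.

Added example, not code from the thread. The first three sample lines are
the ones posted in the thread; the remaining three are constructed.
"""
import re
from collections import Counter, defaultdict

# Shape: "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>"
RESOLVE_ERR = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[\d.]+)#\d+"
)
# Shape: "validating @0x<addr>: <name> <type>: <detail>" (validator diagnostics)
VALIDATE_ERR = re.compile(
    r"named\[\d+\]: validating @0x[0-9a-f]+: (?P<qname>\S+) (?P<qtype>\S+): (?P<detail>.+)$"
)

# Constructed sample: lines 1-3 are from the thread, lines 4-6 are made up.
SAMPLE_LOG = """\
Aug 1 06:59:13 server named[23285]: validating @0xb4f33028: www.vg.no.dlv.isc.org DLV: bad cache hit (no.dlv.isc.org/DS)
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no.dlv.isc.org/DLV/IN': 8.8.8.8#53
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no/A/IN': 193.213.112.4#53
Aug 1 07:02:40 server named[23285]: error (connection refused) resolving 'example.org/A/IN': 192.168.0.1#53
Aug 1 07:02:41 server named[23285]: error (broken trust chain) resolving 'example.org/A/IN': 193.213.112.4#53
Aug 1 07:05:00 server named[23285]: zone mydomainname/IN: loaded serial 2011080101
"""


def parse_line(line):
    """Return a dict for a resolution or validation failure line, else None."""
    m = RESOLVE_ERR.search(line)
    if m:
        return dict(kind="resolve", **m.groupdict())
    m = VALIDATE_ERR.search(line)
    if m:
        return dict(kind="validate", **m.groupdict())
    return None


def summarize(log_text):
    """Count failures per upstream server and per reason, and collect the
    names whose answers could not be validated."""
    per_server = defaultdict(Counter)   # server -> reason -> count
    per_reason = Counter()
    validator_lines = 0
    failed_names = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                    # unrelated named output
        if ev["kind"] == "validate":
            validator_lines += 1
            failed_names.add(ev["qname"])
            continue
        per_server[ev["server"]][ev["reason"]] += 1
        per_reason[ev["reason"]] += 1
        if ev["reason"] == "broken trust chain":
            failed_names.add(ev["qname"])
    return {
        "per_server": {s: dict(c) for s, c in per_server.items()},
        "per_reason": dict(per_reason),
        "validator_lines": validator_lines,
        "failed_names": sorted(failed_names),
    }


def suspect_forwarders(summary):
    """Forwarders ranked by how many of their answers named could not validate."""
    ranked = [(s, c.get("broken trust chain", 0)) for s, c in summary["per_server"].items()]
    return sorted(((s, n) for s, n in ranked if n > 0), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    # Usage: python named_triage.py < /var/log/messages, or run as-is on the sample.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = summarize(text)
    for server, count in suspect_forwarders(result):
        print(f"{server}: {count} unvalidatable answer(s)")
    print("other failures:", result["per_reason"])
```

A "broken trust chain" attributed to a forwarder address means named received an answer from that server but could not build a signature chain for it; a "connection refused" is a plain transport failure and is reported separately, so the two problems the thread touches on (the refused gateway and the DNSSEC failures) are not mixed up in the count.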

enzym 08-02-2011 02:37 AM

Does anyone know if the broken trust chain error is a bug in Bind? Tried to google it, and it seems that might be the case.. ?

kbp 08-02-2011 02:49 AM

Have a read of this one, maybe you could try :-

Quote:

If you use Fedora 13 then remove the "dnssec-lookaside ..." line and add this
to your options {} section:

dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
... ?

enzym 08-02-2011 02:05 PM

Quote:

Originally Posted by kbp (Post 4431391)
Have a read of this one, maybe you could try :-

... ?

Here is my bind config file as it was; I have only removed the 192.168.0.1 from the forwarders section (gateway), and altered the domain to Mydomainname for this forum post.
As far as I can see, the dnssec is already there, and the key file is at the location specified... :/ .. ?

acl Mydomainname {
    any;
};
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 {
        127.0.0.1; 192.168.0.0/24;
    };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localnets; 192.168.0.0/24; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
    forwarders {
        193.213.112.4;
        130.67.15.198;
        8.8.8.8;
    };
    allow-recursion {
        192.168.0.0/24; localhost; 127.0.0.1;
    };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "mydomainname" {
    type master;
    file "/var/named/mydomainname.hosts";
};

kbp 08-02-2011 07:29 PM

Can you provide the output of 'ls -lZ /etc/named.iscdlv.key' ?

enzym 08-03-2011 12:49 PM

Quote:

Originally Posted by kbp (Post 4432098)
Can you provide the output of 'ls -lZ /etc/named.iscdlv.key' ?

Here is the entire contents of the file:

/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";

# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};


The command you mentioned outputs this:

[root@server etc]# ls -lZ /etc/named.iscdlv.key
-rw-r--r-- root named ? /etc/named.iscdlv.key

Which isn't a whole lot....

kbp 08-03-2011 06:13 PM

Hmmm .. can you 'grep named /var/log/audit/audit.log' ?

enzym 08-03-2011 11:47 PM

Quote:

Originally Posted by kbp (Post 4433054)
Hmmm .. can you 'grep named /var/log/audit/audit.log' ?

Sure -

[root@server enzym]# grep named /var/log/audit/audit.log
type=SERVICE_START msg=audit(1312349053.379:30756): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312349053.379:30757): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312349053.644:30758): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.359:37658): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312397372.359:37659): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.636:37660): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'

kbp 08-04-2011 08:15 AM

As per the bug referenced earlier, please test your upstream servers to see if they support RRSIG records.

Code:

dig @193.213.112.4 dlv.isc.org SOA +dnssec
dig @130.67.15.198 dlv.isc.org SOA +dnssec
dig @8.8.8.8 dlv.isc.org SOA +dnssec


enzym 08-04-2011 12:12 PM

Quote:

Originally Posted by kbp (Post 4433579)
As per the bug referenced earlier, please test your upstream servers to see if they support RRSIG records

Code:

dig @193.213.112.4 dlv.isc.org SOA +dnssec
dig @130.67.15.198 dlv.isc.org SOA +dnssec
dig @8.8.8.8 dlv.isc.org SOA +dnssec



[root@server enzym]# dig @193.213.112.4 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @193.213.112.4 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 80382 IN A 199.254.63.254

;; Query time: 251 msec
;; SERVER: 193.213.112.4#53(193.213.112.4)
;; WHEN: Thu Aug 4 19:11:17 2011
;; MSG SIZE rcvd: 221

***

[root@server enzym]# dig @130.67.15.198 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @130.67.15.198 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.
dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 77489 IN A 199.254.63.254

;; Query time: 57 msec
;; SERVER: 130.67.15.198#53(130.67.15.198)
;; WHEN: Thu Aug 4 19:11:56 2011
;; MSG SIZE rcvd: 221

***

[root@server enzym]# dig @8.8.8.8 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @8.8.8.8 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. aHbPciR2qMZGc9T99kuN3hMHk3fr4hGcGbSkuxt/rNuz02kimv4Sybzj oxNJN86rPcvPXfGncLFUTKJGoNei5EYAG6LdamB1hGamyihH+8C5cu+D MW5x+zLbD2fwLmSd1MiQXUjVBNArsue6ELeQCSnxTnrjgs+4pQgCAR6r f8Q=

;; Query time: 81 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 4 19:12:33 2011
;; MSG SIZE rcvd: 265
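The three dig runs above already contain the answer to kbp's question, and the check can be made mechanical. The script below is an added example, not code from this thread or from BIND: it parses trimmed copies of the three outputs posted above and reports, per server, whether the EDNS "do" flag came back and whether an RRSIG accompanied the answer. dig +dnssec sets the DO bit on the query; a server that handles DNSSEC echoes it in the OPT record and, for a signed zone such as dlv.isc.org, returns the RRSIG. A validating resolver forwarding to a server that does neither cannot validate signed names, which is the interpretation kbp's test relies on.

```python
"""Decide from 'dig +dnssec' output whether an upstream server returns DNSSEC data.

Added example, not code from the thread. DIG_OUTPUTS holds trimmed copies of
the three dig runs posted in the thread (authority/additional sections cut).
"""
import re

SERVER_RE = re.compile(r"^;; SERVER: (?P<ip>[\d.]+)#\d+")
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:(?P<flags>[^;]*); udp: (?P<udp>\d+)")
RR_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")

DIG_OUTPUTS = [
    # 193.213.112.4: EDNS present, no 'do' flag echoed, no RRSIG in the answer
    """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
;; SERVER: 193.213.112.4#53(193.213.112.4)
""",
    # 130.67.15.198: same picture as the first server
    """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
;; SERVER: 130.67.15.198#53(130.67.15.198)
""",
    # 8.8.8.8: 'do' flag echoed and an RRSIG covering the SOA returned
    """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dlv.isc.org. IN SOA
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. aHbPciR2qMZGc9T99kuN3hMHk3fr4hGcGbSkuxt/rNuz02kimv4Sybzj oxNJN86rPcvPXfGncLFUTKJGoNei5EYAG6LdamB1hGamyihH+8C5cu+D MW5x+zLbD2fwLmSd1MiQXUjVBNArsue6ELeQCSnxTnrjgs+4pQgCAR6r f8Q=
;; SERVER: 8.8.8.8#53(8.8.8.8)
""",
]


def assess_dig_output(text):
    """Extract the DNSSEC-relevant facts from one dig run."""
    server, do_bit, udp, rrsigs = None, False, None, []
    section = None
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            section = "answer"
            continue
        if line.startswith(";;") and "SECTION" in line:
            section = "other"           # QUESTION, AUTHORITY, OPT PSEUDOSECTION, ...
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m["ip"]
            continue
        m = EDNS_RE.match(line)
        if m:
            do_bit = "do" in m["flags"].split()
            udp = int(m["udp"])
            continue
        if section == "answer":
            m = RR_RE.match(line)
            if m and m["type"] == "RRSIG":
                rrsigs.append(m["rdata"].split()[0])   # type covered, e.g. SOA
    return {
        "server": server,
        "do": do_bit,
        "udp": udp,
        "rrsigs": rrsigs,
        "dnssec_capable": do_bit and bool(rrsigs),
    }


def rank_forwarders(outputs):
    """(server, dnssec_capable) for each dig output, in the order given."""
    return [(r["server"], r["dnssec_capable"]) for r in map(assess_dig_output, outputs)]


if __name__ == "__main__":
    for ip, ok in rank_forwarders(DIG_OUTPUTS):
        print(f"{ip}: {'returns DNSSEC data' if ok else 'no DO flag / no RRSIG'}")
```

On the posted outputs only 8.8.8.8 comes back as DNSSEC-capable; the other two forwarders answer with EDNS but without the DO bit and without signatures, so a resolver with dnssec-validation enabled that happens to pick one of them for a signed name has nothing to validate against. To run it on fresh output, pipe `dig @server dlv.isc.org SOA +dnssec` into assess_dig_output.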

