Yum Update On BIND Killed It

neoform · 07-09-2009, 12:32 AM

I just ran a yum update that bumped BIND up to version 30:9.3.4-10.P1.el5_3.1 and immediately afterwards I noticed BIND wasn't working anymore. I tried starting/restarting it but it keeps failing without really giving an error.

Code:

[root@ns1 run]# service named start
Starting named: 
Error in named configuration:
zone xxx.com/IN: loaded serial 2009051401
zone xxx.com/IN: loaded serial 2009061500
zone xxx.net/IN: loaded serial 2009051301
zone xxx.com/IN: loaded serial 2009051400
zone xxx.com/IN: loaded serial 2009051401
zone xxx.com/IN: loaded serial 2009051400
zone xxx.com/IN: loaded serial 2009051400
zone xxx.net/IN: loaded serial 2009051400
zone xxx.com/IN: loaded serial 2009051401
zone xxx.com/IN: loaded serial 2009051401
zone xxx.net/IN: loaded serial 2009051401
zone xxx.org/IN: loaded serial 2009051401
dns_master_load: xxx.org.db:25: mail.xxx.org: CNAME and other data
zone xxx.org/IN: loading master file xxx.org.db: CNAME and other data
_default/xxx.org/IN: CNAME and other data
zone xxx.ca/IN: loaded serial 2009051502
zone xxx.ca/IN: loaded serial 2009051401
zone xxx.ca/IN: loaded serial 2009051400
zone xxx.ca/IN: loaded serial 2009051300
zone xxx.ca/IN: loaded serial 2009051401
zone xxx.ca/IN: loaded serial 2009051400
zone xxx.ca/IN: loaded serial 2009051400
zone xxx.ca/IN: loaded serial 2009051400
zone xxx.ca/IN: loaded serial 2009051400
                                                           [FAILED]

When I run: named-checkconf /etc/named.conf I get no errors. What's the deal..? :S

bathory · 07-09-2009, 02:17 AM

Quote:

zone xxx.com/IN: loaded serial 2009051401
zone xxx.com/IN: loaded serial 2009061500
...

How comes a zone is loaded with 2 different serials? Or they are different zones?
And the "-z" option in named-checkconf and If you're running named chrooted use this:

Code:

named-checkconf -z -t /path/to/chroot/named

neoform · 07-09-2009, 07:08 AM

I renamed all the zones (i didn't really wanna publish my full domain list..

[root@ns1 ~]# named-checkconf -z -t /path/to/chroot/named

isc_dir_chroot: file not found

bathory · 07-09-2009, 07:21 AM

First you must review your installation, to see if bind runs chrooted. Usually it does.
Then you should replace /path/to/chroot/named with the actual chroot path. If you don't know it, check the named startup file.
If it isn't running chrooted use just "named-checkconf -z"

neoform · 07-09-2009, 07:28 AM

I don't believe I am running it chrooted (then again I'm not entirely sure how to check).

Also, when I run "named-checkconf -z" I get the same list of very nondescript 'errors'(?) as I pasted above in the OP. :S

bathory · 07-09-2009, 07:36 AM

Could you post the offending zone file?
Or use named-checkzone to check it yourself.

neoform · 07-09-2009, 08:11 AM

Code:

$TTL 3600

@       IN      SOA     @      root (
                        2009051400      ; serial number YYMMDDNN
                        2H              ; refresh
                        10M             ; retry
                        14D              ; expiry
                        1H)              ; minimum


        NS      ns1.mynameserver.com.
        NS      ns2.mynameserver.com.
        NS      ns3.mynameserver.com.

        A       45.228.129.156
www     A       45.228.129.156

error on that file is:

Code:

[root@ns1 ~]# named-checkconf /var/named/xxx.net.db
/var/named/xxx.net.db:1: unknown option '$TTL'
/var/named/xxx.net.db:4: unknown option 'serial'
/var/named/xxx.net.db:5: unknown option 'refresh'
/var/named/xxx.net.db:6: unknown option 'retry'
/var/named/xxx.net.db:7: unknown option 'expiry'
/var/named/xxx.net.db:8: unknown option 'minimum'
/var/named/xxx.net.db:21: unexpected token near end of file

bathory · 07-09-2009, 08:29 AM

The zone file you've posted does not have any CNAME. The offending zone file is xxx.org.db according to your 1st post. I guess you have used a CNAME without an A record for the real hostname.
Anyway the named-checkzone command is used like this:

Code:

named-checkzone -d -D xxx.org /path/to/zonefile/xxx.org.db

Replace the /path/to/zonefile with the real path.

neoform · 07-09-2009, 08:40 AM

I do have zones with CNAMES without an A record, but that's cause I use google for my mail..

Code:

$TTL 3600

@       IN      SOA     ns1.mydomain.com.      neoform (
                        2009051401       ; serial number YYMMDDNN
                        60M              ; refresh
                        10M              ; retry
                        14D              ; expiry
                        1H)              ; minimum

        NS      ns1.mydomain.com.
        NS      ns2.mydomain.com.
        NS      ns3.mydomain.com.

        MX      10      ASPMX.L.GOOGLE.COM.
        MX      20      ALT1.ASPMX.L.GOOGLE.COM.
        MX      20      ALT2.ASPMX.L.GOOGLE.COM.
        MX      30      ASPMX2.GOOGLEMAIL.COM.
        MX      30      ASPMX3.GOOGLEMAIL.COM.
        MX      30      ASPMX4.GOOGLEMAIL.COM.
        MX      30      ASPMX5.GOOGLEMAIL.COM.

        A       45.234.23.123
ns1     A       45.234.23.121
ns2     A       45.234.23.122
ns3     A       45.234.23.123
www     A       45.234.23.123
mail    CNAME   ghs.google.com.

45.234.23.121  PTR     mydomain.com.
45.234.23.122  PTR     ns2.mydomain.com.

neoform · 07-09-2009, 08:43 AM

Quote:

Originally Posted by bathory

The zone file you've posted does not have any CNAME. The offending zone file is xxx.org.db according to your 1st post. I guess you have used a CNAME without an A record for the real hostname.
Anyway the named-checkzone command is used like this:

Code:

named-checkzone -d -D xxx.org /path/to/zonefile/xxx.org.db

Replace the /path/to/zonefile with the real path.

This is what I get.. (same 'error'.. bleh)

Code:

[root@ns1 ~]# named-checkzone -d -D xxx.org /var/named/xxx.org.db
loading "xxx.org" from "/var/named/xxx.org.db" class "IN"
dns_master_load: /var/named/xxx.org.db:25: mail.xxx.org: CNAME and other data
zone xxx.org/IN: loading master file /var/named/xxx.org.db: CNAME and other data

bathory · 07-09-2009, 08:50 AM

Quote:

mail CNAME ghs.google.com.

You don't need that, but if you think it's necessary use the A record for ghs.google.com.

Code:

mail IN A 74.125.43.121

Note also that the PTR records don't have to be in the forward zone. You need to add a reverse zone for your IPs

neoform · 07-09-2009, 09:24 AM

Are you sure this is the actual problem? The version of BIND I was running before had no qualms with my configuration at all and this update was a very small version increase..

neoform · 07-09-2009, 09:42 AM

Wow, that's really weird.. I moved the CNAME record below the A records in that zone and BIND started up properly.....

I wasn't aware CNAME records had to come after A records.. :S