[SOLVED] Everything indicates that bind sec. dns is working but it is not!
Hi all,
I had this strange and quite stressful situation today. I changed something in the config of NS1 (primary nameserver) and because of that BIND9 went down. It seemed that, unfortunately, the sec. NS, NS2, did not take over.
When I first did /etc/init.d/bind9 reload I got this error:
Code:
Stopping named: rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.
[FAILED]
I was able to fix this. I guess I was, because now the error has gone. I found the solution on some blog (I remember it had something to do with 'pkill lwresd' and restarting bind a couple of times).
Anyway, to test the NS1, on my local computer I set up the NS1 as primary and only nameserver. This works fine to test NSs.
This way I can surf the internet and ping the domains that are on the nameserver.
Now when I do the same with my NS2 I can't do anything. I cannot ping anything, and surfing of course doesn't work either.
But from my server itself, NS2, I can ping everything. Every nslookup is done via an external nameserver, thus logical.
Furthermore everything looks normal on the NS2. No errors, I can change, add, delete, apply, restart, reload without any problem.
I was thinking it had something to do with the rndc key (signing) maybe...
Now when I do the same with my NS2 I can't do anything. I cannot ping anything, and surfing of course doesn't work either.
But from my server itself, NS2, I can ping everything.
I guess you mean that NS2 itself can resolve everything.
Are you sure that your box can access NS2? Or that NS2 is not configured to deny recursion? Without config files we can only speculate.
Quote:
Every NSlookup is done via an external nameserver thus logical.
What do you mean by that? Again, we need the config file(s) in order to help further.
Regards
Thanks for your reply.
Quote:
But from my server itself, NS2, I can ping everything; every nslookup is done via an external nameserver, thus logical.
I meant that when I log onto the server (NS2) via ssh and for example do "ping google.com", this works. When in my Windows I set the primary nameserver to NS2, "ping google.com" gives me a time-out.
In the attachment I added named.conf, named.conf.local and another file. If you need anything else, let me know!
Can NS2 resolve any of the domains it's supposed to be slave DNS for? Because I'm getting a SERVFAIL for a couple of domains I've tested.
Anyway the only suspicious thing I've found is
Quote:
listen-on-v6 { any; };
in named.conf.options. Either comment it out, or add:
Code:
listen-on { any; };
so it listens also on the IPv4 address.
Re: the rndc command, there is no rndc-key in any of the files you've attached, nor an include statement to a file containing the rndc-key
No, from outside it can't resolve anything. From 'inside' on the server (ssh) it can resolve everything.
I will change that.
There is a rndc.key file, should I mention the location somewhere?
Thx
Hi, I believe I did everything I could: generated a new rndc key, triple checked all the settings, etc.
Next I initiated a sync between NS1 and NS2, and the updates were fetched from NS1. So the communication between those is okay.
Unfortunately when I do a reload I get this error again:
Code:
Andrea58:/etc# rndc reload
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.
Same with the restart
Code:
Andrea58:/etc# /etc/init.d/bind9 restart
Stopping domain name service...: bind9rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.
.
Starting domain name service...: bind9.
Andrea58:/etc#
Eventually the purpose is to have a working NS2 to rely on.
For the moment the problem is still that when I choose NS2 as my nameserver in Windows it cannot resolve anything, not even the domains hosted on the server.
I saw that the time is not the same on both the servers. Could that be a reason?
Of course I cannot just manually adjust the time on both servers at the very same time. How should it be done?
Code:
10-Sep-2010 15:19:36.871 zone mitsubishiservice.be/IN: refresh: could not set file modification time of '/etc/bind/mitsubishiservice.be.hosts': permission denied
I saw that the time is not the same on both the servers. Could that be a reason?
Of course I cannot just manually adjust the time on both servers at the very same time. How should it be done?
Yes, the clocks must be synchronized. You can use ntpdate to synchronize them using a time server in your country:
Code:
/usr/sbin/ntpdate -s be.pool.ntp.org
Regarding rndc, post /etc/rndc.conf and the part of /etc/named.conf where you define rndc.
The good news is that now I can resolve your domains using NS2, so I guess you somehow fixed it. I guess it was the IPv6 only protocol.
Regards
Last edited by bathory; 09-10-2010 at 12:22 PM.
Reason: added ntp details
Thanks for your help! Indeed I can now resolve domains that are on the server (but only domains on the server, no others). This one is solved, in other words. Thanks again.
Indeed I can now resolve domains that are on the server (but only domains on the servers, no others).
For NS2 to be able to resolve any domain, make sure the hint zone "." file (/etc/bind/db.cache) exists and can be read by named.
And since your main problem is answered, you can mark the thread "Solved"
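As an added example (not from this thread or the poster's real files): a small Python lint that mechanically applies the three checks bathory's replies ask for, an explicit IPv4 listen-on next to listen-on-v6, an rndc key block or an include of rndc.key, and a readable root hint file. The named.conf fragments and the /etc/bind paths are assumptions built from the thread, and the fixed fragment sits beside the original so both can be compared.

```python
import os
import re
# Constructed named.conf fragment (not the poster's files) with the three things the replies flag.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    listen-on-v6 { any; };
    // listen-on { any; };   <- commented out, so it must not count
};
zone "." { type hint; file "/etc/bind/db.cache"; };
"""
# Same fragment with the fixes the replies ask for applied.
FIXED_CONF = """
include "/etc/bind/rndc.key";
options {
    directory "/var/cache/bind";
    listen-on { any; };
    listen-on-v6 { any; };
};
zone "." { type hint; file "/etc/bind/db.cache"; };
"""

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def lint_named_conf(conf, readable=lambda p: os.access(p, os.R_OK)):
    """Return a list of findings; an empty list means every check passed."""
    c = strip_comments(conf)
    findings = []
    has_v4 = re.search(r"\blisten-on\s*(?:port\s+\d+\s*)?\{", c)
    has_v6 = re.search(r"\blisten-on-v6\s*(?:port\s+\d+\s*)?\{", c)
    if has_v6 and not has_v4:
        findings.append("listen-on-v6 set but no IPv4 listen-on; add: listen-on { any; };")
    # rndc needs its key known to named: a key block or an include of rndc.key
    if not re.search(r'\bkey\s+"?[\w.-]+"?\s*\{', c) and \
       not re.search(r'\binclude\s+"[^"]*rndc\.key"', c):
        findings.append("no rndc key block and no include of rndc.key in named.conf")
    # root hint zone must point at a file named can actually read
    m = re.search(r'zone\s+"\."\s*\{[^}]*\bfile\s+"([^"]+)"', c)
    if not m:
        findings.append('no hint zone "." configured')
    elif not readable(m.group(1)):
        findings.append("hint zone file %s is missing or not readable" % m.group(1))
    return findings

if __name__ == "__main__":
    for name, conf in (("original", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", lint_named_conf(conf) or ["no findings"])
```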