Linux - Networking
I am trying to install named. So far, I can perform the start on named, but it fails. It gives me some 'no ttl so using TAO' error message. And guess what, all .dns files in /var/named are flashing red, and when trying to more them, I get a no such file error. I have read like 20 sites explaining how to set up named, but I just don't understand how to install it.
PLEASE HELP!!!!!! Really.
Ok, I copied named.conf back to /etc and the rest of the files to /var/named. There's still one missing, called rndc.key. I perform the command 'service named start', and the command line just jumps to a new one and does nothing. I suppose the rndc.key is needed to start named.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
I think "flashing red files" usually means "missing target of a symlink", but I really don't know how it's set up on any particular OS...
Anyway, why were you moving files around to begin with? There's really no way to tell you what's wrong if you don't tell us every step you took to install named in the first place.
If you had read some of the man pages, you may have noticed that rndc is the control program that interfaces with named and that you need to generate a pre-shared key that rndc will use to authenticate commands to named. On some platforms you can spit out a default configuration with:
$ rndc-confgen
If my memory serves me, you need a copy of rndc.key in both /etc and /var/named/etc, since named typically chroots itself into /var/named, thus it wouldn't be able to look up the rndc.key from the "real" /etc after it's chrooted.
Named was already working. And I don't remember deleting anything. I do remember moving the zone files and named.conf from another server, but that's it.
Is there a way to rebuild this rndc.key file?
I downloaded the source and performed the ./configure, make and make install commands. Modified the files according to my configuration, and performed the ./named command in /usr/local/sbin as I read in the manual. But rndc.key never came back. It is still flashing, as if it were missing.
Errr... well, if you moved a named.conf from another server to this one, there's a very good chance that the directory prefix was different, or that it referenced files that don't exist on the system you just set up. Like I said before, if you have "flashing red files" that usually means they're symlinks, which are just pointers to files located somewhere else. If the files they point at were deleted, sure, your symlinks might still be there in the proper directories, but they're worthless without the actual files.
If your named.conf file is referencing an rndc key you can just copy that and use it as your rndc.key file. Like I said, you need to read the man page for rndc, rndc.conf, etc. Everything is explained.
It could be that my machine is caching some kind of info, but it appears to work. Nonetheless, rndc.key is still missing (flashing). I restarted my machine and put the new DNS IP on 2 Windows computers and my Linux Fedora installation. Apparently it is working. It's a good thing, but I still have to get that rndc.key file right.
I'll be sure to be posting back because I don't think this is the end of this story; I will definitely have some more questions later. But hey chort, you seem to know your way around all these things, thanks a bunch man.
Hey chort, I need your help again, man. I moved the server and now named is not starting. The same problem. How can I get my rndc.key back to where it was? I swear I didn't move any files other than the .dns files in /var/named from the other DNS to the new one, and its corresponding /etc/named.conf file too. rndc.key controls named, so I am f..... if I don't have it. It is still blinking.
Hey, I read about the rndc command, and I can perform 'rndc-confgen -a'. This will create an automatic rndc.key configuration; the problem is that when I run it, I get an 'unable to create /etc/rndc.key' error message. Is this fixable??? Or should I start reinstalling Linux?
Ok, here's what I've done to try and correct the problem. /etc/rndc.key was a symbolic link. It was flashing because /var/named/chroot/etc/rndc.key did not exist. So I created the directory and the file, and it stopped blinking. After that, I typed 'rndc-confgen -a'. It did run and created a new rndc.key. So I copied this file over to /etc. I thought this would work, but named is still not starting.
Whatta you think i should do?
FORGET ALL THIS, I just reinstalled and copied the files again. But here's the error I am getting when starting named:
Code:
Stopping named: [FAILED]
Starting named:
Error in named configuration:
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 210.168.192.in-addr.arpa/IN: loaded serial 1997022700
badlands.dns:5: no TTL specified; using SOA MINTTL instead
dns_master_load: badlands.dns:16: $TTL 2196900608 > MAXTTL, setting $TTL to 0
badlands.dns:17: TTL set to prior TTL (0)
zone badlands.co.cr/IN: loaded serial 17
badlandscasino.dns:6: no TTL specified; using SOA MINTTL instead
dns_master_load: badlandscasino.dns:17: $TTL 2196900608 > MAXTTL, setting $TTL to 0
badlandscasino.dns:18: TTL set to prior TTL (0)
zone badlandscasino.co.cr/IN: loaded serial 14
zone lucheafar.co.cr/IN: loading master file lucheafar.dns: file not found
_default/lucheafar.co.cr/IN: file not found
massmail.dns:5: no TTL specified; using SOA MINTTL instead
zone massmail.co.cr/IN: loaded serial 10
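An added illustration, not code from the thread: a small Python lint that reproduces the checks behind the zone-file warnings in the log above (no $TTL before the first record, a $TTL above BIND's MAXTTL of 2^31-1, and, as a convention check, a serial that is not in YYYYmmddnn form). The zone text is constructed for the example; on a real host you would read the .dns files from the named working directory.

```python
import re
from datetime import datetime

MAXTTL = 2**31 - 1  # BIND's MAXTTL (0x7fffffff); a larger $TTL is reset to 0, as the log shows
# Constructed zone (not from the thread) with the problems named reported: no $TTL
# before the SOA, a $TTL above MAXTTL, and a serial that is not in YYYYmmddnn form.
ZONE = """\
@   IN  SOA ns1.example.test. hostmaster.example.test. (
        17          ; serial
        3600        ; refresh
        900         ; retry
        604800      ; expire
        86400 )     ; minimum
$TTL 2196900608
@   IN  NS  ns1.example.test.
ns1 IN  A   192.0.2.10
"""

def serial_is_dated(serial):
    """True when the serial follows the YYYYmmddnn convention with a real date."""
    if not re.fullmatch(r"\d{10}", serial):
        return False
    try:
        datetime.strptime(serial[:8], "%Y%m%d")
    except ValueError:
        return False
    return True

def lint_zone(text):
    """Return (line_number, message) findings for a master-format zone file."""
    findings, saw_ttl, stripped = [], False, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop comments (quoted ';' in TXT not handled)
        stripped.append(line)
        if not line.strip():
            continue
        m = re.match(r"\$TTL\s+(\d+)", line)
        if m:
            if int(m.group(1)) > MAXTTL:
                findings.append((n, f"$TTL {m.group(1)} > MAXTTL; named resets it to 0"))
            saw_ttl = True
        elif not saw_ttl and "SOA" in line.split():
            findings.append((n, "no $TTL before first record; SOA minimum used instead"))
            saw_ttl = True  # report once, as named does
    # The serial is the first number after the SOA's MNAME and RNAME fields.
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", " ".join(stripped))
    if m is None:
        findings.append((0, "no SOA record found"))
    elif not serial_is_dated(m.group(1)):
        findings.append((0, f"serial {m.group(1)} is not in YYYYmmddnn form"))
    return findings
```

Running `lint_zone(ZONE)` reports the SOA line, the oversized $TTL line and the serial, in that order; a zone with `$TTL 86400` on top and a dated serial produces no findings.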
There's nothing in those warnings that would indicate why named isn't starting, but your zone files are a mess! You have really weird TTLs, and your serial numbers don't follow the YYYYmmddnn format (not required, but highly suggested). Also, the zone file for lucheafar.co.cr is missing. Are there any other named-related warnings/errors in /var/log/messages or /var/log/syslog?
Do you have the same rndc.key in /etc and /var/named/chroot/etc? If there's a symlink in /etc then all you need to do is put the right file in /var/named/chroot/etc. From your description it sounds like you might have overwritten the symlink in /etc with the output of rndc-confgen -a as a file. Either copy the file to both locations, or leave the symlink in /etc alone (make sure it really is a symlink) and just put the file in /var/named/chroot/etc. Also you need to make sure there's a matching section in /var/named/chroot/etc/named.conf (or wherever your named.conf is).
This is the bit you need to have in named.conf (make sure to use the same key as your rndc.key, do not copy this one):
Code:
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "iAombR2E4Dt6azvWihnruw==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
Remember: If named is chroot'ing itself, the zone files need to be inside the chroot area. You should carefully review your named.conf to make sure the path to each file is correct for being inside the chroot'ed directory.
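An added check, not code from the thread or from BIND, for the mismatch described in the reply above: it parses the key clause from named.conf and from each rndc.key copy (the one in /etc and the one inside the chroot) and reports any copy whose name, algorithm or secret differs, or a controls clause that does not reference the key. The config fragments, paths and secret are constructed placeholders; on a real host you would read the files with open().

```python
import re

# Constructed fragments (not from the thread) standing in for /etc/named.conf and the
# rndc.key copies in /etc and /var/named/chroot/etc; the secret is a placeholder.
NAMED_CONF = """\
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_SECRET_BASE64==";
};
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""
RNDC_KEY_ETC = NAMED_CONF.split("controls")[0]  # the key clause alone, as rndc.key holds it
RNDC_KEY_CHROOT = RNDC_KEY_ETC.replace("PLACEHOLDER_SECRET", "STALE_SECRET")  # out-of-date copy

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;')

def parse_key(text):
    """Return (name, algorithm, secret) from the first key clause, or None."""
    m = KEY_RE.search(text)
    return m.groups() if m else None

def controls_keys(text):
    """Key names the controls clause accepts for rndc commands."""
    m = re.search(r"controls\s*\{.*?keys\s*\{([^}]*)\}", text, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def check_rndc(named_conf, *key_files):
    """Return problems found; empty means every rndc.key copy agrees with named.conf."""
    conf_key = parse_key(named_conf)
    if conf_key is None:
        return ["named.conf has no key clause"]
    problems = []
    if conf_key[0] not in controls_keys(named_conf):
        problems.append(f'controls clause does not list key "{conf_key[0]}"')
    for path, text in key_files:
        k = parse_key(text)
        if k is None:
            problems.append(f"{path}: no key clause")
        elif k != conf_key:
            problems.append(f"{path}: key does not match named.conf")
    return problems

if __name__ == "__main__":
    for p in check_rndc(NAMED_CONF, ("/etc/rndc.key", RNDC_KEY_ETC),
                        ("/var/named/chroot/etc/rndc.key", RNDC_KEY_CHROOT)):
        print(p)
```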
Ok, I managed to fix it up a little bit: /etc/named.conf and the zone files in /var/named (*.dns files). Now the server keeps working for a couple of days, and then, all of a sudden, it stops resolving. I don't have syslog in /var/log, but messages does not tell me what's going on. I'll check the logs again just in case and post them here.
Ok, here's what happens. It is happening right now. Somehow, it works internally, but stops resolving addresses outside. When using nslookup internally, it shows the correct address for every single site that we have, but when going to addresses outside, it works like 10% of the time, and most of the time I get this error: ';; connection timed out; no servers could be reached'. /var/log/messages is not gathering any information about the current stop or slowdown of named. Where is it putting the log messages?
Another thing I just did to verify what I just explained: I put two DNS entries in my network config, and internally, everything resolves via the new server, but when going outside, it resolves via the old server. I restarted the new server, and it is fixed, for the moment of course. I guess some service that's required by named to work outside stops working. I really don't know what's happening.
I got these lines in /var/log/messages; perhaps they'll clear up what's going on:
Code:
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 last message repeated 2 times
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 last message repeated 2 times
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { getpwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
Dec 4 15:25:39 penguin2 nscd: Can't send to audit system: USER_AVC pid=24171 uid=28 loginuid=-1 message=avc: denied { shmempwd } for scontext=system_u:system_r:udev_t tcontext=root:system_r:initrc_t tclass=nscd
So, the real question is: why is the new server not forwarding or responding when looking for things outside? Is it so hard to set up named to work? Or is it just me?