BIND DNS server - have to restart it all the time
Hi! I run a Fedora 15 server with DHCP and DNS (dhcpd and named), and it works fine, but I have to restart BIND all the time since it stops resolving for DNS clients. Anyone got any bright ideas? Where do I start looking? In the logs? What do I look for? (There are tons and tons of lines in the logs...)
Regards, Tom |
Try these:
Code:
service named status
tailf /var/log/messages
rndc querylog
tailf /var/log/audit/audit.log
Is SELinux in enforcing mode? |
Quote:
Tried the other commands, but I really do not know what I should look for. Selinux is in targeted mode, according to the file. |
BIND (named) will usually log errors to /var/log/messages, so check there first. With SELinux enabled it's possible to have files that BIND isn't permitted to access (mislabelled), but considering that you mentioned it dies after a while, SELinux is not likely to be the issue.
If you can't find any related errors you may have to resort to a debugger. Do you have any experience with debugging? |
Quote:
It says among other things that the connection was refused by 192.168.0.1#53 (gateway) when trying to look up an address. Come to think of it, the gateway is configured to be the third of the DNS servers to query externally. I can try to remove it and see if the problem persists, but it is strange if that is what causes BIND to stop trying the other addresses. I am pretty new to using Linux; I have tried other distributions before, like Mandriva and Ubuntu (and a few others), but never really tried to configure it as a home server with DHCP, DNS, FTP, WWW, a mail server with Exchange functionality and more.. I have gotten pretty far with this now (pretty proud of myself, and of Google of course, which is a priceless friend for things like these). I had 2008 Server R2 before replacing it with Fedora 15. My GOD, it is a system resource hog, and not at all easy to configure either if you want MS Exchange on it.. But no, I am not very good at debugging, except for trial and error, and debugging Visual Basic code.. ;) |
Code:
Aug 1 06:59:13 server named[23285]: validating @0xb4f33028: www.vg.no.dlv.isc.org DLV: bad cache hit (no.dlv.isc.org/DS)
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no.dlv.isc.org/DLV/IN': 8.8.8.8#53
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no/A/IN': 193.213.112.4#53
These are the latest lines from the messages file; it stopped yet again! How annoying... |
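A small triage helper for log excerpts like the one above, added here as an example and not part of the original thread: it picks out named's "broken trust chain" and "bad cache hit" messages and groups the failures by the upstream server named in each, which is the quickest way to see whether every forwarder is implicated or only some of them. The log lines embedded in it are constructed (the three posted lines plus invented entries), and the regexes assume the message format shown in the post.

```python
import re
from collections import Counter, defaultdict

# Two message shapes from the named log excerpt above. The syslog prefix
# ("Aug  1 06:59:13 server") is skipped; only the named[...] payload is matched.
TRUST_CHAIN_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: error \(broken trust chain\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)
BAD_CACHE_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): "
    r"bad cache hit \((?P<cached>[^)]+)\)"
)


def parse_named_line(line):
    """Return a dict describing a validation-failure line, or None for anything else."""
    m = TRUST_CHAIN_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="broken_trust_chain")
    m = BAD_CACHE_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="bad_cache_hit")
    return None


def summarize(lines):
    """Count broken-trust-chain errors per upstream server and collect the names involved."""
    failures_by_server = Counter()
    names_by_server = defaultdict(set)
    bad_cache_hits = []
    for line in lines:
        rec = parse_named_line(line)
        if rec is None:
            continue
        if rec["kind"] == "broken_trust_chain":
            failures_by_server[rec["server"]] += 1
            names_by_server[rec["server"]].add(rec["name"])
        else:
            bad_cache_hits.append(rec["cached"])
    return {
        "failures_by_server": dict(failures_by_server),
        "names_by_server": {s: sorted(n) for s, n in names_by_server.items()},
        "bad_cache_hits": bad_cache_hits,
    }


# Constructed sample: the three lines posted above plus two made-up lines
# (one more failure, one unrelated dhcpd line) so the grouping has something to do.
SAMPLE_LOG = """\
Aug  1 06:59:13 server named[23285]: validating @0xb4f33028: www.vg.no.dlv.isc.org DLV: bad cache hit (no.dlv.isc.org/DS)
Aug  1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no.dlv.isc.org/DLV/IN': 8.8.8.8#53
Aug  1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no/A/IN': 193.213.112.4#53
Aug  1 06:59:14 server named[23285]: error (broken trust chain) resolving 'example.org/A/IN': 193.213.112.4#53
Aug  1 06:59:14 server dhcpd: DHCPACK on 192.168.0.50 to 00:11:22:33:44:55 via eth0
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pipe a real log in (grep named /var/log/messages | python3 triage.py) or run on the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize(lines)
    for server, count in sorted(report["failures_by_server"].items(), key=lambda kv: -kv[1]):
        names = ", ".join(report["names_by_server"][server])
        print(f"{server}: {count} broken-trust-chain error(s), names: {names}")
    for cached in report["bad_cache_hits"]:
        print(f"bad cache hit on {cached}")
```

If the failures cluster on one or two of the configured forwarders rather than all of them, that points at those upstreams rather than at named itself, which is the direction the rest of the thread takes.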
Does anyone know if the broken trust chain error is a bug in Bind? Tried to google it, and it seems that might be the case.. ?
|
Have a read of this one, maybe you could try :-
Quote:
|
Quote:
Here is my BIND config file, as it was; I have only removed the 192.168.0.1 from the forwarders section (gateway), and altered the domain to Mydomainname for this forum post. As far as I can see, the dnssec is already there, and the key file is in the location specified... :/ .. ?
Code:
acl Mydomainname { any; };
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localnets; 192.168.0.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        forwarders { 193.213.112.4; 130.67.15.198; 8.8.8.8; };
        allow-recursion { 192.168.0.0/24; localhost; 127.0.0.1; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "mydomainname" {
        type master;
        file "/var/named/mydomainname.hosts";
};
|
Can you provide the output of 'ls -lZ /etc/named.iscdlv.key' ?
|
Quote:
Code:
/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options.  To use the built-in DLV key, set
# "dnssec-lookaside auto;".  Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011.  If any key fails to
# initialize correctly, it may have expired.  In that event you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
        # in named.conf.
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};
The command you mentioned outputs this:
Code:
[root@server etc]# ls -lZ /etc/named.iscdlv.key
-rw-r--r-- root named ?                                /etc/named.iscdlv.key
Which isn't a whole lot.... |
Hmmm .. can you 'grep named /var/log/audit/audit.log' ?
|
Quote:
Code:
[root@server enzym]# grep named /var/log/audit/audit.log
type=SERVICE_START msg=audit(1312349053.379:30756): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312349053.379:30757): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312349053.644:30758): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.359:37658): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312397372.359:37659): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.636:37660): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
|
As per the bug referenced earlier, please test your upstream servers to see if they support RRSIG records
Code:
dig @193.213.112.4 dlv.isc.org SOA +dnssec |
Quote:
Code:
[root@server enzym]# dig @193.213.112.4 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @193.213.112.4 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.                   IN      SOA

;; ANSWER SECTION:
dlv.isc.org.            3600    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org.            3600    IN      NS      dlv.ams.sns-pb.isc.org.
dlv.isc.org.            3600    IN      NS      dlv.ord.sns-pb.isc.org.
dlv.isc.org.            3600    IN      NS      dlv.sfba.sns-pb.isc.org.
dlv.isc.org.            3600    IN      NS      ns.isc.afilias-nst.info.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 80382  IN      A       199.254.63.254

;; Query time: 251 msec
;; SERVER: 193.213.112.4#53(193.213.112.4)
;; WHEN: Thu Aug  4 19:11:17 2011
;; MSG SIZE  rcvd: 221

***

[root@server enzym]# dig @130.67.15.198 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @130.67.15.198 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.                   IN      SOA

;; ANSWER SECTION:
dlv.isc.org.            3600    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org.            3600    IN      NS      dlv.sfba.sns-pb.isc.org.
dlv.isc.org.            3600    IN      NS      dlv.ord.sns-pb.isc.org.
dlv.isc.org.            3600    IN      NS      ns.isc.afilias-nst.info.
dlv.isc.org.            3600    IN      NS      dlv.ams.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 77489  IN      A       199.254.63.254

;; Query time: 57 msec
;; SERVER: 130.67.15.198#53(130.67.15.198)
;; WHEN: Thu Aug  4 19:11:56 2011
;; MSG SIZE  rcvd: 221

***

[root@server enzym]# dig @8.8.8.8 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @8.8.8.8 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dlv.isc.org.                   IN      SOA

;; ANSWER SECTION:
dlv.isc.org.            3600    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org.            3600    IN      RRSIG   SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. aHbPciR2qMZGc9T99kuN3hMHk3fr4hGcGbSkuxt/rNuz02kimv4Sybzj oxNJN86rPcvPXfGncLFUTKJGoNei5EYAG6LdamB1hGamyihH+8C5cu+D MW5x+zLbD2fwLmSd1MiQXUjVBNArsue6ELeQCSnxTnrjgs+4pQgCAR6r f8Q=

;; Query time: 81 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug  4 19:12:33 2011
;; MSG SIZE  rcvd: 265
|
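The three replies above differ in exactly the two things a validating resolver needs from a forwarder: the first two carry an EDNS OPT record with no DO bit and return no RRSIG, while 8.8.8.8 sets the do flag and returns the signature over the SOA. A forwarder that strips signatures leaves named with nothing to validate against, which matches the "broken trust chain" errors earlier in the thread. The script below, added here as an example and not code from the thread, automates that comparison over saved dig output; the abbreviated dig texts embedded in it are constructed from the posted replies, and the section and flag layout it parses is the standard dig output format.

```python
import re
import sys

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
EDNS_FLAGS_RE = re.compile(r"flags:\s*([^;]*);")


def parse_dig(output):
    """Extract the server, the EDNS DO flag and the answer-section RR types from `dig ... +dnssec` text."""
    server, edns_present, edns_do, answer_types, section = None, False, False, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; SERVER:"):
            # ";; SERVER: 8.8.8.8#53(8.8.8.8)" -> "8.8.8.8"; split on the first ':' only so IPv6 survives.
            server = line.split(":", 1)[1].split("#")[0].strip()
        elif line.startswith("; EDNS:"):
            edns_present = True
            m = EDNS_FLAGS_RE.search(line)
            edns_do = bool(m) and "do" in m.group(1).split()
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif section == "ANSWER" and line and not line.startswith(";"):
            parts = line.split()
            # Real RR lines look like NAME TTL CLASS TYPE RDATA...; wrapped RDATA continuations are skipped.
            if len(parts) >= 4 and parts[1].isdigit() and parts[2] == "IN":
                answer_types.append(parts[3])
    return {"server": server, "edns_present": edns_present, "edns_do": edns_do, "answer_types": answer_types}


def assess_forwarder(output):
    """Decide whether the queried server is usable as a forwarder by a DNSSEC-validating resolver."""
    info = parse_dig(output)
    has_rrsig = "RRSIG" in info["answer_types"]
    if not info["edns_present"]:
        reason = "no EDNS OPT record in reply"
    elif not info["edns_do"]:
        reason = "EDNS present but DO bit not set in reply"
    elif not has_rrsig:
        reason = "DO bit set but no RRSIG in answer section"
    else:
        reason = "DO bit set and RRSIG returned"
    return {"server": info["server"], "edns_do": info["edns_do"], "has_rrsig": has_rrsig,
            "dnssec_capable": info["edns_do"] and has_rrsig, "reason": reason}


def check_forwarders(outputs):
    return [assess_forwarder(o) for o in outputs]


# Constructed, abbreviated dig outputs modelled on the replies posted above.
DIG_NO_DNSSEC = """\
; <<>> DiG 9.8.0-P4 <<>> @193.213.112.4 dlv.isc.org SOA +dnssec
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.                   IN      SOA

;; ANSWER SECTION:
dlv.isc.org.            3600    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org.            3600    IN      NS      dlv.ams.sns-pb.isc.org.

;; SERVER: 193.213.112.4#53(193.213.112.4)
"""

DIG_DNSSEC = """\
; <<>> DiG 9.8.0-P4 <<>> @8.8.8.8 dlv.isc.org SOA +dnssec
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dlv.isc.org.                   IN      SOA

;; ANSWER SECTION:
dlv.isc.org.            3600    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org.            3600    IN      RRSIG   SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. aHbPciR2 f8Q=

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

if __name__ == "__main__":
    # Usage: dig @IP dlv.isc.org SOA +dnssec | python3 checkfwd.py   (or run with no input for the samples)
    outputs = [sys.stdin.read()] if not sys.stdin.isatty() else [DIG_NO_DNSSEC, DIG_DNSSEC]
    for r in check_forwarders(outputs):
        verdict = "OK" if r["dnssec_capable"] else "NOT usable for validation"
        print(f"{r['server']}: {verdict} ({r['reason']})")
```

Run it once per forwarder listed in named.conf; any server reported as not usable for validation will produce exactly the kind of failures shown earlier whenever named happens to pick it for a query.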