LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 07-31-2011, 03:52 AM   #1
enzym
LQ Newbie
 
Bind dns server - have to restart it all the time


Hi! I run a Fedora 15 server with dhcp and dns (dhcpd and named), and it works fine, but I have to restart bind all the time since it stops resolving for dns clients. Anyone got any bright ideas? Where do I start looking? In the logs? What do I look for? (There are tons and tons of lines in the logs...)

Regards,

Tom
 
Old 07-31-2011, 08:09 AM   #2
kbp
Senior Member
 
Try these:

service named status
tailf /var/log/messages
rndc querylog
tailf /var/log/audit/audit.log

Is selinux in enforcing mode?
 
Old 07-31-2011, 03:34 PM   #3
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
Try these:

service named status
tailf /var/log/messages
rndc querylog
tailf /var/log/audit/audit.log

Is selinux in enforcing mode?
Thanks, the status is that it is running, as far as I can see..

Tried the other commands, but I really do not know what I should look for. Selinux is in targeted mode, according to the file.
 
Old 07-31-2011, 05:36 PM   #4
kbp
Senior Member
 
Bind (named) will usually log errors to /var/log/messages, so check there first. With SELinux enabled it's possible to have files that bind isn't permitted to access (mislabelled), but considering that you mentioned it dies after a while, SELinux is not likely to be the issue.
If you can't find any related errors you may have to resort to a debugger; do you have any experience with debugging?
 
Old 07-31-2011, 11:54 PM   #5
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
Bind (named) will usually log errors to /var/log/messages, so check there first. With SELinux enabled it's possible to have files that bind isn't permitted to access (mislabelled), but considering that you mentioned it dies after a while, SELinux is not likely to be the issue.
If you can't find any related errors you may have to resort to a debugger; do you have any experience with debugging?
Now it has died again, and I restarted it, but before doing anything else I checked the messages log.
It says among other things that the connection was refused by 192.168.0.1#53 (gateway) trying to look up an address.
Come to think of it, the gateway is configured to be the third of the DNS servers to query externally.

I can try to remove it and see if the problem persists, but it is strange if that is the cause of bind stopping trying other addresses.
I am pretty new to using Linux; I have tried other distributions before, like Mandriva and Ubuntu (and a few others), but never really tried to configure it as a home server with DHCP, DNS, FTP, WWW, a mail server with Exchange functionality and more..
I have gotten pretty far with this now (pretty proud of myself, and of Google of course, which is a priceless friend for things like these).
I had 2008 Server R2 before replacing it with Fedora 15. My GOD it is a system resource hogger, and not at all easy to configure either if you want MS Exchange on it..

But no, I am not very good at debugging, apart from trial and error, and debugging Visual Basic code..
 
Old 08-01-2011, 12:02 AM   #6
enzym
LQ Newbie
 
Aug 1 06:59:13 server named[23285]: validating @0xb4f33028: www.vg.no.dlv.isc.org DLV: bad cache hit (no.dlv.isc.org/DS)
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no.dlv.isc.org/DLV/IN': 8.8.8.8#53
Aug 1 06:59:13 server named[23285]: error (broken trust chain) resolving 'www.vg.no/A/IN': 193.213.112.4#53

The latest lines from the messages file, it stopped yet again! How annoying...
 
Old 08-02-2011, 02:37 AM   #7
enzym
LQ Newbie
 
Does anyone know if the broken trust chain error is a bug in Bind? Tried to google it, and it seems that might be the case.. ?
 
Old 08-02-2011, 02:49 AM   #8
kbp
Senior Member
 
Have a read of this one, maybe you could try :-

Quote:
If you use Fedora 13 then remove the "dnssec-lookaside ..." line and add this
to your options {} section:

dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
... ?
 
Old 08-02-2011, 02:05 PM   #9
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
Have a read of this one, maybe you could try :-
... ?

Here is my bind config file, as it was; I have only removed 192.168.0.1 (the gateway) from the forwarders section, and altered the domain to Mydomainname for this forum post.
As far as I can see, the dnssec is already there, and the key file is in the location specified... :/ .. ?

acl Mydomainname {
	any;
};
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 {
		127.0.0.1; 192.168.0.0/24;
	};
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query { localnets; 192.168.0.0/24; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
	forwarders {
		193.213.112.4;
		130.67.15.198;
		8.8.8.8;
	};
	allow-recursion {
		192.168.0.0/24; localhost; 127.0.0.1;
	};
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "mydomainname" {
	type master;
	file "/var/named/mydomainname.hosts";
};
 
Old 08-02-2011, 07:29 PM   #10
kbp
Senior Member
 
Can you provide the output of 'ls -lZ /etc/named.iscdlv.key' ?
 
Old 08-03-2011, 12:49 PM   #11
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
Can you provide the output of 'ls -lZ /etc/named.iscdlv.key' ?
Here is the entire contents of the file:

/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";

# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};


The command you mentioned outputs this:

[root@server etc]# ls -lZ /etc/named.iscdlv.key
-rw-r--r-- root named ? /etc/named.iscdlv.key

Which isn't a whole lot....
 
Old 08-03-2011, 06:13 PM   #12
kbp
Senior Member
 
Hmmm .. can you 'grep named /var/log/audit/audit.log' ?
 
Old 08-03-2011, 11:47 PM   #13
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
Hmmm .. can you 'grep named /var/log/audit/audit.log' ?
Sure -

[root@server enzym]# grep named /var/log/audit/audit.log
type=SERVICE_START msg=audit(1312349053.379:30756): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312349053.379:30757): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312349053.644:30758): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.359:37658): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1312397372.359:37659): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1312397372.636:37660): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="named" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
 
Old 08-04-2011, 08:15 AM   #14
kbp
Senior Member
 
As per the bug referenced earlier, please test your upstream servers to see if they support RRSIG records

Code:
dig @193.213.112.4 dlv.isc.org SOA +dnssec
dig @130.67.15.198 dlv.isc.org SOA +dnssec
dig @8.8.8.8 dlv.isc.org SOA +dnssec
 
Old 08-04-2011, 12:12 PM   #15
enzym
LQ Newbie
 
Quote:
Originally Posted by kbp View Post
As per the bug referenced earlier, please test your upstream servers to see if they support RRSIG records

Code:
dig @193.213.112.4 dlv.isc.org SOA +dnssec
dig @130.67.15.198 dlv.isc.org SOA +dnssec
dig @8.8.8.8 dlv.isc.org SOA +dnssec

[root@server enzym]# dig @193.213.112.4 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @193.213.112.4 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 80382 IN A 199.254.63.254

;; Query time: 251 msec
;; SERVER: 193.213.112.4#53(193.213.112.4)
;; WHEN: Thu Aug 4 19:11:17 2011
;; MSG SIZE rcvd: 221

***

[root@server enzym]# dig @130.67.15.198 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @130.67.15.198 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600

;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.
dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 77489 IN A 199.254.63.254

;; Query time: 57 msec
;; SERVER: 130.67.15.198#53(130.67.15.198)
;; WHEN: Thu Aug 4 19:11:56 2011
;; MSG SIZE rcvd: 221

***

[root@server enzym]# dig @8.8.8.8 dlv.isc.org SOA +dnssec

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 <<>> @8.8.8.8 dlv.isc.org SOA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dlv.isc.org. IN SOA

;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. aHbPciR2qMZGc9T99kuN3hMHk3fr4hGcGbSkuxt/rNuz02kimv4Sybzj oxNJN86rPcvPXfGncLFUTKJGoNei5EYAG6LdamB1hGamyihH+8C5cu+D MW5x+zLbD2fwLmSd1MiQXUjVBNArsue6ELeQCSnxTnrjgs+4pQgCAR6r f8Q=

;; Query time: 81 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 4 19:12:33 2011
;; MSG SIZE rcvd: 265
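The three answers above show what kbp's test is looking for: 193.213.112.4 and 130.67.15.198 reply with `flags:;` and no RRSIG, while 8.8.8.8 echoes the EDNS `do` flag and returns the RRSIG, so only the last forwarder passes DNSSEC data through to a validating named. As an added example (not code from the thread), this POSIX shell script automates that classification; the function names `dnssec_verdict` and `check_forwarder`, the `--live` switch and the trimmed sample outputs are introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): classify a forwarder's DNSSEC support
# from `dig @server dlv.isc.org SOA +dnssec` output. A validating resolver that
# forwards needs the forwarder to echo the EDNS "do" flag AND return RRSIGs.
# dnssec_verdict <dig output>: prints "ok", "no-do" or "no-rrsig" and
# returns 0 only when the forwarder passes both checks.
dnssec_verdict() {
    out=$1
    # EDNS pseudosection line, e.g. "; EDNS: version: 0, flags: do; udp: 512"
    if ! printf '%s\n' "$out" | grep -Eq '^; EDNS:.*flags:[^;]*[ :]do[ ;]'; then
        echo no-do
        return 1
    fi
    # Any RRSIG record in the reply proves signatures are passed through.
    if ! printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo no-rrsig
        return 1
    fi
    echo ok
}
# check_forwarder <ip>: run the live query (needs network) and classify it.
check_forwarder() {
    dnssec_verdict "$(dig "@$1" dlv.isc.org SOA +dnssec 2>/dev/null)"
}
# Constructed samples trimmed to the lines that matter, modelled on the thread:
# the first two forwarders answer without "do" or RRSIG, 8.8.8.8 sends both.
SAMPLE_STRIPPED='; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600'
SAMPLE_SIGNED='; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600
dlv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20110903143004 20110804143004 64263 dlv.isc.org. SIGNATURE-OMITTED'
# Made-up third case: a forwarder that echoes "do" but strips the signatures.
SAMPLE_DO_ONLY='; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
dlv.isc.org. 3600 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011080402 7200 3600 2419200 3600'
# `sh check.sh --live` queries the three forwarders from the named.conf in
# the thread; with no argument it only classifies the samples.
if [ "${1:-}" = "--live" ]; then
    for fw in 193.213.112.4 130.67.15.198 8.8.8.8; do
        printf '%s: %s\n' "$fw" "$(check_forwarder "$fw")"
    done
else
    printf 'stripped=%s signed=%s do-only=%s\n' "$(dnssec_verdict "$SAMPLE_STRIPPED")" \
        "$(dnssec_verdict "$SAMPLE_SIGNED")" "$(dnssec_verdict "$SAMPLE_DO_ONLY")"
fi
```

A forwarder that reports `no-do` or `no-rrsig` cannot sit behind a resolver with `dnssec-validation yes;`, which is the mismatch the "broken trust chain" log lines point at.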
 
  

