LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 09-21-2008, 08:25 PM   #31
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63

Perhaps an explanation will help prevent further thrashing, and provide some light that guides you.

named requires the key data so that it can be controlled via rndc and verify the calling rndc is trustworthy. named gets this data from named.conf.

rndc requires the key data so that it can authenticate to named. rndc gets its data from rndc.conf.

Since the key data is included in two separate files, it requires keeping both key statements consistent. Hence, the advent of the include mechanism, so that there can be one file that includes the key statement.

rndc has its own "options" statement for use in its rndc.conf file - this options statement must only appear to rndc, and hence cannot be in any include file that is included in both named.conf and rndc.conf.

So, generate one key file:

Code:
key "rndc-key" {
        algorithm hmac-md5;
        secret "JJqB3jsb8+VJIJOfwSdySw==";
};
and include that file in both named.conf and rndc.conf. In rndc.conf, also add your options group.
 
Old 09-21-2008, 08:36 PM   #32
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Ok so Mr C. if I understand you correctly:

My rndc.conf file will look like:

Code:
include "/etc/bind/rndc.key";

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
and the key statement from named.conf will be removed leaving:

Code:
include "/etc/bind/rndc.key";

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
where the key is:

Code:
key "rndc-key" {
        algorithm hmac-md5;
        secret "JJqB3jsb8+VJIJOfwSdySw==";
};
Is this correct so far??
 
Old 09-21-2008, 08:43 PM   #33
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Btw if the above is correct what are the owner and file permissions supposed to be set to for the files?? Do they play a part in things? I'm just asking since ssh will complain if permissions are not right!

Also output of above config gives:

Code:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
I can't think anymore of how to solve this issue, I wish it would just work!
 
Old 09-21-2008, 09:03 PM   #34
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Ok now I also tried to statically add the key itself without the 'include' call.

so:

Code:
key "rndc-key" {
        algorithm hmac-md5;
        secret "JJqB3jsb8+VJIJOfwSdySw==";
};
was put directly into named.conf and rndc.conf files! rndc.key was then removed and output is the same:

Code:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
For rndc reload

Code:
Stopping domain name service...: bindrndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
 failed!
I am so fed up with this I don't know if it's me, chroot, or debian or what but it's not working after going round in circles and trying almost everything...
 
Old 09-21-2008, 09:25 PM   #35
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Thank you so much btw Mr C. and BillyMayDay for the help!

It's been a long day for sure with the DNS issues and still not sorted but just wanted to take the time to show my sincere appreciation for everybody's help.
 
Old 09-21-2008, 09:36 PM   #36
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
This sounds like a bit of a long shot, but one reference to your problem suggested that having a hyphen in the key name was an issue, and that renaming rndc-key to rndckey in all instances would fix the problem.

Sounds iffy, but easy to try.
 
Old 09-21-2008, 09:41 PM   #37
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Yeah I read about that too!

However:

surprise, surprise:

Code:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
Shrug
 
Old 09-21-2008, 09:45 PM   #38
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I just had a look at your key generation. Did you know that -k dnsadmin names the key effectively? The use for this key should be

key "dnsadmin" ...

Try generating a new key with "-k rndckey" (actually this is the default, so you can omit the -k part altogether) and see how you go.
 
Old 09-21-2008, 09:52 PM   #39
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Same as my last post I'm afraid!

had to use rndc-confgen -k rndckey
 
Old 09-21-2008, 10:10 PM   #40
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I'd be trying to rule out key issues. Try

Code:
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; };
};
and start bind
 
Old 09-21-2008, 10:18 PM   #41
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
I'm afraid that didn't work either!

Bind starts fine, no errors, however I can't stop it or reload rndc, which is the previous issue.
 
Old 09-21-2008, 10:25 PM   #42
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry - I did realise it was a rndc connect issue.

Does "rndc status" or something else really simple work?

Edit - actually, try

rndc -V status

Last edited by billymayday; 09-21-2008 at 10:26 PM.
 
Old 09-21-2008, 10:27 PM   #43
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
No nothing works. rndc is totally down

It worked before I even generated a key and since I did everything fell apart!
 
Old 09-21-2008, 10:28 PM   #44
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Original Poster
Rep: Reputation: 32
Ah rndc -V status gives:

Code:
create memory context
create socket manager
create task manager
create task
create logging context
setting log tag
creating log channel
enabling log channel
create parser
get default key
get config key list
decode base64 secret
status
post event
using server 127.0.0.1 (127.0.0.1#953)
create socket
connect
create message
render message
schedule recv
send message
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
 
Old 09-21-2008, 10:29 PM   #45
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
What do you mean by totally down? You aren't running it as a service are you? What does it say when you try a command like the one above?
 