LinuxQuestions.org

Linux - Server: UBUNTU bind9 problem (http://www.linuxquestions.org/questions/showthread.php?t=657286)

xokaido 07-21-2008 05:11 PM

UBUNTU bind9 problem
 
Hello, everyone!...
I have got a little problem with bind9 in ubuntu...
When I try to stop the bind server it generates
errors that look like this:
Code:

* Stopping domain name service... bind
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.

It starts normally, without any error or such a thing, but
when I try to change something in the bind9 from webmin
and try to apply changes this error pops up...
Does anyone know what could be the reason?...
Thanks anyway... :)

dkm999 07-21-2008 07:51 PM

This error message is the result of a disagreement between the (client) program rndc trying to control the daemon named and the daemon itself. In the configuration file /etc/named.conf, you will find some lines like this:
Code:

key local-key {
        algorithm "hmac-md5";
        secret "some-quoted-hex-string";
};

In the corresponding file for rndc, /etc/rndc.conf, you should have a corresponding key defined, and that key name should appear in the "server" configuration block. (The key name does not have to be the same as the key-name in /etc/named.conf, but inside /etc/rndc.conf the key used in the server block and the key defined with that name must produce the same secret that is used by named.)

xokaido 07-22-2008 03:07 AM

Thanks for the response dkm999...
Here is that code from named.conf:
Quote:

key rndc-key {
algorithm hmac-md5;
secret "DeJfnUVKxiS4r81dafLZCQ==";
};
and here is the same block from the rndc.key file:
Quote:

key "rndc-key" {
algorithm hmac-md5;
secret "86oTM+c8pl3Gai41t72CjA==";
};
They differ but think this should be so... Am I wrong?..
What should I do now?...

dkm999 07-22-2008 11:25 AM

The two secrets should be the same. This is the basis of the "shared-secret" encryption that is used by the Bind9 named to assure itself that a (remotely-received) command is legitimate.

You can choose to alter either the /etc/named.conf file or the /etc/rndc.conf file; I would probably choose the latter, so that I did not have to reload (or restart) named. Once these two configurations are brought into sync, the error messages you reported should stop appearing.

xokaido 07-22-2008 11:47 AM

I have generated a secret key using the rndc-confgen utility and changed both the rndc.conf and named.conf files but the error message still doesn't go anywhere... :(
Still the same, I've no idea what I should do?.....
Any ideas?... Thanks anyway.

dkm999 07-22-2008 11:49 AM

If you changed the secret in /etc/named.conf, you must then get named to reload the configuration. You can do this by stopping and restarting named.

xokaido 07-22-2008 12:09 PM

dkm999
Thank you very much but of course I have reloaded or restarted named but the problem still occurs... :( Still no changes...

dkm999 07-22-2008 12:27 PM

Well, I guess we will have to go back to the initial error message and eliminate some other possibilities. It enumerated 4 choices:
1. control protocol version mismatch (I guess this is not the problem, since you have a recent version of Ubuntu, and the protocol version changed quite a while ago);
2. clocks are not synchronized (not a problem if your webmin and the named daemon are on the same machine);
3. the key is invalid (we just eliminated that);
4. this host is not authorized to connect.

This last possibility can be checked by examining /etc/named.conf again. There should be a block that looks something like this:
Code:

controls {
        inet 127.0.0.1 port 953 allow {127.0.0.1;} keys {rndc-key;};
};

This configuration block tells named to listen only on the loopback interface port 953 (the default) for control messages, and to accept them only from a local controller (speaking on 127.0.0.1) who knows the rndc-key.

Perhaps this will finally make those messages go away.
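As an added example that is not part of the thread and is not BIND's own tooling: a small POSIX shell script covering both checks dkm999 describes, the matching-secret requirement (post of 07-21-2008 07:51 PM) and the controls block (post of 07-22-2008 12:27 PM). It parses key blocks out of a named.conf-style file and an rndc.conf/rndc.key-style file, reports whether the named key has the same algorithm and secret on both sides, and checks that the controls block's keys { ... } clause lists that key. The demo files it writes are constructed here with placeholder secrets; the Ubuntu paths /etc/bind/named.conf and /etc/bind/rndc.key in the comments are assumptions about a default install, not facts from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND: check that the rndc
# shared secret named will accept is the one rndc presents, and that named's
# controls block actually lists that key.
# Assumes the BIND 9 syntax shown in the posts:
#   key "name" { algorithm hmac-md5; secret "base64"; };
#   controls { inet ... allow { ... } keys { "name"; }; };
# On a default Ubuntu install the real files are /etc/bind/named.conf (or the
# files it includes) and /etc/bind/rndc.key; that layout is an assumption here.

# extract_keys FILE: print "name algorithm secret" for every key block in FILE.
# Quotes around the name and values are optional in BIND syntax, so strip them.
extract_keys() {
    awk '
        /^[ \t]*key[ \t]/    { name=$2; gsub(/[";{]/, "", name); alg=""; sec=""; inkey=1; next }
        inkey && /algorithm/ { alg=$2; gsub(/[";]/, "", alg) }
        inkey && /secret/    { sec=$2; gsub(/[";]/, "", sec) }
        inkey && /^[ \t]*}/  { print name, alg, sec; inkey=0 }
    ' "$1"
}

# rndc_key_check NAMED_CONF RNDC_CONF KEYNAME
#   returns 0 when KEYNAME has the same algorithm and secret in both files,
#   1 when both define it but they disagree (the situation in the thread),
#   2 when KEYNAME is missing from one of the files.
rndc_key_check() {
    a=$(extract_keys "$1" | awk -v k="$3" '$1 == k { print $2, $3 }')
    b=$(extract_keys "$2" | awk -v k="$3" '$1 == k { print $2, $3 }')
    [ -n "$a" ] || { echo "key $3 is not defined in $1" >&2; return 2; }
    [ -n "$b" ] || { echo "key $3 is not defined in $2" >&2; return 2; }
    if [ "$a" != "$b" ]; then
        echo "MISMATCH for $3: $1 has '$a', $2 has '$b'" >&2
        return 1
    fi
    echo "OK: $3 has the same algorithm and secret in $1 and $2"
}

# controls_uses_key NAMED_CONF KEYNAME: 0 when the controls block's keys { ... }
# clause names KEYNAME, 1 otherwise (named then refuses the connection even
# with matching secrets, which is the "not authorized" case in the error text).
controls_uses_key() {
    awk -v k="$2" '
        /^[ \t]*controls[ \t]*\{/ { inctl=1 }
        inctl && /keys[ \t]*\{/ {
            s = $0
            sub(/.*keys[ \t]*\{/, "", s); sub(/\}.*/, "", s); gsub(/[";]/, " ", s)
            n = split(s, arr, " ")
            for (i = 1; i <= n; i++) if (arr[i] == k) found = 1
        }
        inctl && /^[ \t]*\};/ { inctl=0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Demo on constructed files that reproduce the symptom in the thread: the same
# key name on both sides, but two different secrets (placeholders, not real keys).
demo=$(mktemp -d)
cat > "$demo/named.conf" <<'EOF'
key "rndc-key" {
        algorithm hmac-md5;
        secret "AAAAAAAAAAAAAAAAAAAAAA==";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
cat > "$demo/rndc.key" <<'EOF'
key rndc-key {
        algorithm hmac-md5;
        secret "BBBBBBBBBBBBBBBBBBBBBB==";
};
EOF

if rndc_key_check "$demo/named.conf" "$demo/rndc.key" rndc-key; then
    echo "secrets agree; look elsewhere (stale copy inside a chroot, clock skew, controls ACL)"
fi
controls_uses_key "$demo/named.conf" rndc-key && echo "controls block references rndc-key"
rm -rf "$demo"
```

Run it as `sh check-rndc.sh` (any file name; the name is not from the thread) and, to test a real host, point rndc_key_check at the file named actually reads and the file rndc actually reads, which on Ubuntu is where an include or a chroot copy can make those two differ even though the administrator edited "the" rndc.key.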

xokaido 07-22-2008 01:29 PM

And here is that block of code in named.conf:
Quote:

key "rndc-key" {
algorithm hmac-md5;
secret "+XWb7oJl5PZMx7kGOW7Pvg==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Almost exactly the same as yours... :(
The only difference between your code and this is the quotes around the rndc-key in control segment... Could it be the reason?...

Mr. C. 07-22-2008 01:32 PM

Is bind running in a chroot environment ?

dkm999 07-22-2008 01:48 PM

I cannot find a definitive statement in the BIND9 documentation; my config files do not contain quotes around the key identifier in either spot. See if it works without them for you, too.

xokaido 07-22-2008 02:01 PM

dkm999
No!... :(
It does not work... :(
Damn, I do not understand what should be the reason...
Also I have another problem with rebooting the system (the main problem)...
Actually system can't reboot, when I type command reboot
system starts to do it and shuts down every service including
apache, bind9, ftp, ssh too but doesn't reboot...
I couldn't understand what was going on and went to the server room...
I saw that the system can't umount the /var directory which contains
most server software... I also tried to reboot using CTRL + ALT + DELETE
but nothing... Still the same, the system is paused and waits for unknown things...
The only chance to reboot the system is to press the RESET button on the machine...
I have checked every service that uses the /var directory and saw that everything
works just fine except this bind9 problem (which is not actually the problem,
because it starts fine but has problems with stopping)...
I really appreciate your help and thank you for trying to help me...
Have you got some idea what can be the problem?...
Mr. C.
Can you tell me how to check?...

Mr. C. 07-22-2008 03:06 PM

Quotes are superfluous in this case.

Examine your startup script to see how bind is being started.
Look to see if you have a /var/chroot/{bind,named}.
You can also look at the proc interface; ls -l /proc/PROCID/root, replacing PROCID with the PID of your named process.

[ please edit your first post, and trim the excessive whitespace that creates the long line and screws up the width of all these posts. ]
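The chroot check Mr. C. asks for, as an added example that is not code from the thread: it reads the root directory of the running named out of /proc, as the post suggests with ls -l /proc/PROCID/root, looks for a -t flag in the startup options, and, when named is chrooted, compares the copy of the rndc key inside the chroot with the one rndc itself reads, which is the way a chroot can leave the two secrets different after an edit. It assumes Linux /proc, a process called named, and the Debian/Ubuntu conventions of /etc/bind/rndc.key and an OPTIONS= line in /etc/default/bind9; none of those paths come from the poster's host.

```shell
#!/bin/sh
# Added example, not code from the thread: find out whether named runs in a
# chroot and, if it does, whether the copy of the rndc key inside the chroot is
# the one rndc itself reads. Assumes Linux /proc, a process named "named", and
# the Debian/Ubuntu conventions that the key lives in /etc/bind/rndc.key and the
# startup flags are in OPTIONS= in /etc/default/bind9 (assumptions, not facts
# from the poster's host).

# proc_root PID: print the root directory the process sees; "/" when not chrooted.
proc_root() {
    readlink "/proc/$1/root" 2>/dev/null
}

# chroot_from_options OPTIONS: print the directory passed to named's -t flag, if any.
# "named -t DIR" is how BIND is told to chroot, so -t in OPTIONS= is the static check.
chroot_from_options() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-t") print $(i + 1) }'
}

# named_chroot: print the chroot of the running named (empty when it is not
# chrooted); return 1 when no named process is found.
named_chroot() {
    pid=$(pidof named 2>/dev/null | awk '{ print $1 }')
    [ -n "$pid" ] || return 1
    root=$(proc_root "$pid")
    [ "$root" = "/" ] || printf '%s\n' "$root"
    return 0
}

# key_copies_agree ROOT KEYFILE: 0 when ROOT/KEYFILE is byte-identical to KEYFILE,
# 1 when the two copies differ (named and rndc then use different secrets),
# 2 when there is no copy inside the chroot at all.
key_copies_agree() {
    inside="$1$2"
    [ -f "$inside" ] || return 2
    if cmp -s "$2" "$inside"; then return 0; else return 1; fi
}

keyfile=/etc/bind/rndc.key
if chroot_dir=$(named_chroot); then
    if [ -n "$chroot_dir" ]; then
        echo "named is chrooted to $chroot_dir"
        key_copies_agree "$chroot_dir" "$keyfile"
        case $? in
            0) echo "$chroot_dir$keyfile matches $keyfile" ;;
            1) echo "$chroot_dir$keyfile DIFFERS from $keyfile: install one key in both places" ;;
            2) echo "no $keyfile inside the chroot" ;;
        esac
    else
        echo "named is not chrooted; a stale chrooted config is not the cause"
    fi
else
    echo "no named process is running"
fi

# Static check of the init configuration, independent of whether named is up.
if [ -r /etc/default/bind9 ]; then
    opts=$(sed -n 's/^OPTIONS=//p' /etc/default/bind9 | tr -d '"')
    tdir=$(chroot_from_options "$opts")
    [ -n "$tdir" ] && echo "/etc/default/bind9 starts named with -t $tdir"
fi
```

Run it as root, since /proc/PID/root of a process owned by another user is not readable by others; an unprivileged run reports "no named process" or an empty root even when named is chrooted.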

xokaido 07-22-2008 03:19 PM

Mr. C.
Quote:

Quotes are superfluous in this case.
I'm sorry, I should use BOLD instead... :)
Quote:

please edit your first post, and trim the excessive whitespace that creates the long line and screws up the width of all these posts.
I have done so but in my browser it looked very nice, there was no width screwing...

Quote:

Examine your startup script to see how bind is being started.
No, there is no problem, everything is just fine... :(

Mr. C. 07-22-2008 03:23 PM

Quote:

Originally Posted by xokaido (Post 3222986)
Mr. C.
I have done so but in my browser it looked very nice, there was no width screwing...

Sorry, I assumed Firefox, where the forums have a problem with wide posts. Everything is better now, thanks.
Quote:

Originally Posted by xokaido (Post 3222986)
No, there is no problem, everything is just fine... :(

I was trying to determine if you were running bind in a chroot, as this could explain the differences in keys.

And now that your key is published here, you should change it.

It seems like you might have more troubles currently though...

