LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 07-21-2008, 05:11 PM   #1
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Rep: Reputation: 15
UBUNTU bind9 problem


Hello, everyone!...
I have got little problem with bind9 in ubuntu...
When I try to stop bind server it generates
errors that looks like this:
Code:
 * Stopping domain name service... bind
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.
It starts normally, without any error or such a thing, but
when I try to change something in the bind9 from webmin
and try to apply changes this error pops up...
Does anyone know what could be the reason?...
Thanks anyway...

Last edited by xokaido; 07-22-2008 at 03:11 PM.
 
Old 07-21-2008, 07:51 PM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

Rep: Reputation: 35
This error message is the result of a disagreement between the (client) program rndc trying to control the daemon named and the daemon itself. In the configuration file /etc/named.conf, you will find some lines like this:
Code:
key local-key {
        algorithm "hmac-md5";
        secret "some-quoted-hex-string";
}
In the corresponding file for rndc, /etc/rndc.conf, you should have a corresponding key defined, and that key name should appear in the "server" configuration block. (The key name does not have to be the same as the key-name in /etc/named.conf, but inside /etc/rndc.conf the key used in the server block and the key defined with that name must produce the same secret that is used by named.)
 
Old 07-22-2008, 03:07 AM   #3
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks fo the response dkm999...
Here is that code from named.conf:
Quote:
key rndc-key {
algorithm hmac-md5;
secret "DeJfnUVKxiS4r81dafLZCQ==";
};
and here is the same block from the rndc.key file:
Quote:
key "rndc-key" {
algorithm hmac-md5;
secret "86oTM+c8pl3Gai41t72CjA==";
};
They differ but think this should be so... Am I wrong?..
What should I do now?...
 
Old 07-22-2008, 11:25 AM   #4
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

Rep: Reputation: 35
The two secrets should be the same. This is the basis of the "shared-secret" encryption that is used by the Bind9 named to assure itself that a (remotely-received) command is legitimate.

You can choose to alter either the /etc/named.conf file or the /etc/rndc.conf file; I would probably choose the latter, so that I did not have to reload (or restart) named. Once these two configurations are brought into sync, the error messages you reported should stop appearing.
 
Old 07-22-2008, 11:47 AM   #5
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
I have generated secret key using rndc-confgen utitily and changed both rndc.conf and named.conf files but the error message still doesn't go anywhere...
Still the same, I've no idea what should I do?.....
Any Ideas?... Thanks anyway.
 
Old 07-22-2008, 11:49 AM   #6
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

Rep: Reputation: 35
If you changed the secret in /etc/named.conf, you must then get named to reload the configuration. You can do this by stopping and restarting named.
 
Old 07-22-2008, 12:09 PM   #7
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
Quote:
dkm999
Thank you very much but of course I have reloaded or restarted the named but the problem still occurs... Still no changes...
 
Old 07-22-2008, 12:27 PM   #8
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

Rep: Reputation: 35
Well, I guess we will have to go back to the initial error message and eliminate some other possibilities. It enumerated 4 choices:
1. control protocol version mismatch (I guess this is not the problem, since you have a recent version of Ubuntu, and the protocol version changed quite a while ago);
2. clocks are not synchronized (not a problem if your webmin and the named daemon are on the same machine);
3. the key is invalid (we just eliminated that);
4. this host is not authorized to connect.

This last possibility can be checked by examining /etc/named.conf again. There should be a block that looks something like this:
Code:
controls {
        inet 127.0.0.1 port 953 allow {127.0.0.1;} keys {rndc-key;};
};
This configuration block tells named to listen only on the loopback interface port 953 (the default) for control messages, and to accept them only from a local controller (speaking on 127.0.0.1) who knows the rndc-key.

Perhaps this will finally make those messages go away.
 
Old 07-22-2008, 01:29 PM   #9
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
And here is that block of code in named.conf:
Quote:
key "rndc-key" {
algorithm hmac-md5;
secret "+XWb7oJl5PZMx7kGOW7Pvg==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Almost exactly the same as yours...
The only difference between your code and this is the quotes around the rndc-key in control segment... Could it be the reason?...
 
Old 07-22-2008, 01:32 PM   #10
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Is bind running in a chroot environment ?
 
Old 07-22-2008, 01:48 PM   #11
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

Rep: Reputation: 35
I cannot find a definitive statement in the BIND9 documentation; my config files do not contain quotes around the key identifier in either spot. See if it works without them for you, too.
 
Old 07-22-2008, 02:01 PM   #12
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
dkm999
No!...
It does not work...
Damn, I do not understand what should be the reason...
Also I have another problem with rebooting the system (the main problem)...
Actually system can't reboot, when I type command reboot
system starts to do it and shuts down every service including
apache, bind9, ftp, ssh too but doesn't reboot...
I couldn't understand what was going on and went to the server room...
I saw that system can't umount /var directory which contains
most server softwares... I also tried to reboot using CTRL + ALT + DELETE
but nothing... Still the same, system is paused and waits for unknown things...
The only chance to reboot the system is to press the RESET button on the machine...
I have checked every service that use /var directory and saw that everything
works just fine except this bind9 problem (which is not actually the problem,
because it start fine but has problems with stopping)...
I really appreciate you help and thank for trying to help me...
Have you got some idea what can be the problem?...
Mr. C.
Can you tell me how to check?...

Last edited by xokaido; 07-22-2008 at 03:12 PM.
 
Old 07-22-2008, 03:06 PM   #13
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quotes are superfluous in this case.

Examine your startup script to see how bind is being started.
Look to see if you a /var/chroot/{bind,named}.
You can also look at the proc interface; ls -l /proc/PROCID/root, replacing PROCID with the PID of your named process.

[ please edit your first post, and trim the excessive whitespace that creates the long line and screws up the width of all these posts. ]

Last edited by Mr. C.; 07-22-2008 at 03:20 PM.
 
Old 07-22-2008, 03:19 PM   #14
xokaido
LQ Newbie
 
Registered: May 2008
Location: Tbilisi
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 15
Mr. C.
Quote:
Quote are superfluous in this case.
I'm sorry, I should use BOLD instead...
Quote:
please edit your first post, and trim the excessive whitespace that creates the long line and screws up the width of all these posts.
I have done so but in my browser it looked very nice, there was no width screwing...

Quote:
Examine your startup script to see how bind is being started.
No, there is no problem, everything is just fine...
 
Old 07-22-2008, 03:23 PM   #15
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quote:
Originally Posted by xokaido View Post
Mr. C.I have done so but in my browser it looked very nice, there was no width screwing...
Sorry, I assumed Firefox, where the forums have a problem with wide posts. Everything is better now, thanks.
Quote:
Originally Posted by xokaido View Post
No, there is no problem, everything is just fine...
I was trying to determine if you were running bind in a chroot, as this could explain the differences in keys.

And now that your key is published here, you should change it.

It seems like you might have more troubles currently though...

Last edited by Mr. C.; 07-22-2008 at 03:25 PM.
 
  


Reply

Tags
bind, domain, failed, name, service, starting


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS (bind9) on Ubuntu not working right Avatar Linux - Networking 9 01-07-2008 04:01 PM
Problem on starting BIND9 satimis Linux - Server 2 10-23-2007 06:27 AM
dns configuration using Bind9 and ubuntu aljohn123 Ubuntu 0 11-13-2006 10:47 PM
emergency bind9 problem Ratclaws Linux - Software 0 09-02-2005 06:13 PM
Bind9 problem WiWa Linux - Networking 3 06-06-2004 05:27 AM


All times are GMT -5. The time now is 07:38 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration