10/5/2020 Bind9 Generate New Rndc Key
I'm installing bind on a clean Centos 6.3 system. In previous versions that would work like a charm, but now I get Generating /etc/rndc.key when trying to start bind. Stack Exchange network consists of 175 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. What and how to use RNDC? RNDC stands for Remote Name Daemon Control. It is a name server control utility in bind. This name server control utility allows command line administration of the named service both locally and remotely. It is a command line utility and it controls the operation of a name server.
Having a decent DNS system is mandatory if you have more than a few devices on your network. If WINS fails (or becomes obsolete), or Bonjour doesn’t fit your needs, try this out on your Linux server!
First off, this blog post contains instructions which may interrupt your users, so plan on either doing this in down time, or have an ample backup system in place.
In our environment, we are assuming you have control of your network (i.e. DHCP, DNS, switches, etc), and know how your network is currently laid out. We will pretend we are on a single
192.168.0.0/24 subnet, with a default gateway of 192.168.0.254 .
Assuming you are on a Debian-based or Ubuntu-based distribution, you can install all the software you need with:
Don’t worry about messing with your network yet; the servers do not activate automatically!
Next, map out how you want your network laid out. An example is below, and will show what is needed vs optional:
Total Network Range: 192.168.0.0/24 (.1 to .254)
Total static-IPs: Default Gateway (.254), Wireless Access Point (.253), Managed Switch (.252), Linux File Server (.251), Linux VM A (.250), Linux VM B (.249), Network Printer A (.248), Network Printer B (.247), Linux DHCP/DNS (.1) (this server) DHCP Range: 192.168.0.2 to 192.168.0.200 (Note: always leave a few extra static IPs) Default Gateway IP: 192.168.0.254 ISP / External DNS Servers: 1.2.3.4, 1.2.3.5 Internal DNS name: COOL.LAN.
For updates to happen securely, we need to generate a random key for both BIND and ISC-DHCP-Server to use.
Copy the top section into a new file called
/etc/bind/rndc.conf . You’ll need to include this file in your DHCP and DNS config.
Now change the file permissions so only root and bind can read it, and create a link for DHCP:
Now we will start with DHCP. We know what our range is, so we’ll copy that range while the current DHCP server is running (i.e. from your SOHO router). We’ll take a backup of the current config file that installs from
apt , then work on a blank file.
With your blank file, let’s get to work. Remember that after every “line”, you need a semicolon (
; ). We’ll check the configurations before ever starting it. Paste the following pre into this blank file, then save it:
(A quick reference as to why the reverse zone is
in-addr.arpa , as opposed to 168.192.in-addr.arpa )
Add in any extra static-IP’d devices, following the format above, that you have in your network. When adding MAC addresses, I’ve always used lowercase characters, and it works for me.
Once you are satisfied, close and save the file (Ctrl+X, Y, Enter).
Check your configuration
A bad DHCPd configuration will prevent the service from starting. You can check it anytime by running
dhcpd -t . As long as you don’t see any warnings, then the syntax check has passed, and the service can start when you tell it. We’ll keep it turned off for now.
The BIND configuration files are split up into many different, smaller files. We’ll keep it like this so that package upgrades do not wipe out our configurations. We’ll look at each file, one at a time:
/etc/bind/named.conf
The above file creates an ACL, which allows us to specify what different networks or computers can do with our DNS server. Then, we include the extra files that we make our regular changes to.
/etc/bind/named.conf.options
Pay attention to the
forwarders {} section – that needs to be changed to your external DNS servers, either from your ISP or a third party service. Save this file.
/etc/bind/named.conf.local
Save and close this file.
Check your BIND config
To check your configuration, run the following command:
If it states the configuration is OK, we can move on. If not, you’ll need to check for typos, then ask Google. After each change to the configuration files, re-run the check to make sure BIND will start when you want it.
If you get warnings about missing zone files, you can safely ignore them for now – we’ll create them next.
/etc/bind/zones/cool.lan
We can add other types of records, such as CNAME, TXT, or even AAAA records (IPv6 only). This will also let us reorganize our network on a whim! Save and close this file.
/etc/bind/zones/168.192.in-addr.arpa
In this file, we are adding the reverse-lookup zone – if I were to query
192.168.0.254 , I expect the answer to be gateway.cool.lan. when this is done.
PTR records are Pointer records for your DNS server. Ideally, they should match your forward-lookup zone records, albeit backwards.
You can also use the file if you have a network larger than a /24 – for example, a /23 would have addresses from 192.168.0.1 through to 192.168.1.254, inclusive, for 510 possible addresses/names. Let’s save this file, then do some checks.
Check your zone configuration
To check your zones, we need to run a command against each zone, and the zone file:
Each time you make edits, you’ll want to increase the serial number by at least 1. The “standard” method, once it’s running, is to include the date with your serial number – for example,
YYYYMMDDxx .
If you want to make changes after starting the DNS server, you’ll need to freeze your zone temporarily:
Make your changes, increment your Serial number by 1, then reload and thaw the zones to allow dynamic updates again:
So we’re going to attempt to start the services. I am assuming you ran your configuration checks (see above), and errors have been dealt with.
To start your DHCP server, you need to edit
/etc/default/isc-dhcp-server . Search for the line INTERFACES= and add your network interface to the list.
Once that’s saved, let’s start BIND and verify it works correctly:
If you get answers back, then BIND is able to recursively lookup your queries. If not, then troubleshoot why before continuing!
Next, try from another computer, with the same command (either on Windows, Linux or Mac). Make sure that test succeeds before forcing all your clients to use this server.
Once you are satisfied, you’ll need to turn off your existing DHCP server – likely on your router. If not, you’ll get conflicts that make dealing with issues very difficult. Instructions for each router or DHCP server are different. The point is, get the DHCP service turned off on your network before turning on your new DHCP server.
To start the DHCP server, execute:
Your client computers should start getting new IP addresses and the new DNS server assigned to them as their existing leases expire… Or as you manually attempt to renew their leases. Verify that your computers can access websites outside your network, and that you can access your internal devices by their DNS name.
The hard part is figuring out where errors are when the Internet doesn’t appear to work. That is why I made this post so long – so you can refer to it when things don’t work.
First off, breath. Nothing gets solved by panicking.
Check your logs – typically located at
/var/log/syslog . You can sort it by only DHCPd and BIND messages by running:
As systems get their new DHCP leases, you should see DHCPACK and DHCPINFORM messages appearing for that system; then you should see the clients updating zone records in both the
168.192.in-addr.arpa. zone as well as cool.lan. zone. If the computers are not working, read the lines that show either warnings or failures, and check why.
Package: bind9;Maintainer for bind9 is Debian DNS Team <[email protected]>; Source for bind9 is src:bind9 (PTS, buildd, popcon).
Reported by: Colm Buckley <[email protected]>
Date: Tue, 20 Feb 2001 11:03:17 UTC
Severity: wishlist
Merged with 87208
Found in versions 1:9.1.0-1, 1:9.1.0-2
Fixed in version bind9/1:9.2.0-2
Done: Bdale Garbee <[email protected]>
Bug is archived. No further changes may be made.
View this report as an mbox folder, status mbox, maintainer mbox
Report forwarded to
[email protected], Bdale Garbee <[email protected]> :Bug#86718 ; Package bind9 .(full text, mbox, link).
Bind9 Generate New Rndc Keys
Acknowledgement sent to
Colm Buckley <[email protected]> :New Bug report received and forwarded. Copy sent to Bdale Garbee <[email protected]> .(full text, mbox, link).
Message #5 received at [email protected] (full text, mbox, reply):
To: Debian Bug Tracking System <[email protected]>
Subject: Should generate rndc key at installation instead of distributing a standard one.
Information forwarded to
[email protected], Bdale Garbee <[email protected]> :Bug#86718 ; Package bind9 .(full text, mbox, link).
Acknowledgement sent to
Marc Martinez <[email protected]> :Extra info received and forwarded to list. Copy sent to Bdale Garbee <[email protected]> .(full text, mbox, link).
Message #10 received at [email protected] (full text, mbox, reply):
Subject: use of include statement may help reduce local user attack risk
Acknowledgement sent to
Bdale Garbee <[email protected]> :Extra info received and forwarded to list.(full text, mbox, link).
Message #15 received at [email protected] (full text, mbox, reply):
Subject: Re: Bug#86718: use of include statement may help reduce local user attack risk
Information forwarded to
[email protected], Bdale Garbee <[email protected]> :Bug#86718 ; Package bind9 .(full text, mbox, link).
Acknowledgement sent to
[email protected] (Bdale Garbee) :Extra info received and forwarded to list. Copy sent to Bdale Garbee <[email protected]> .(full text, mbox, link).
Message #20 received at [email protected] (full text, mbox, reply):
Date: Sat, 28 Apr 2001 20:06:29 -0600 (MDT)
Severity set to `wishlist'.Request was from
[email protected] (Bdale Garbee) to [email protected] . (full text, mbox, link).
Merged 8671887208.Request was from
[email protected] (Bdale Garbee) to [email protected] . (full text, mbox, link).
Reply sent to
Bdale Garbee <[email protected]> :You have taken responsibility.(full text, mbox, link).
Notification sent to
Colm Buckley <[email protected]> :Bug acknowledged by developer.(full text, mbox, link). Bind9 Rndc Key
Message #29 received at [email protected] (full text, mbox, reply):
Bind Rndc.key
Date: Fri, 21 Dec 2001 20:52:27 +0100
Send a report that this bug log contains spam.
Bind9 Generate New Rndc Key GenDebian bug tracking system administrator <[email protected]>.Last modified:Fri Apr 17 10:20:16 2020; Machine Name:buxtehude
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,1997,2003 nCipher Corporation Ltd,1994-97 Ian Jackson,2005-2017 Don Armstrong, and many other contributors.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2020
Categories |