FW: bind9 questions

Timothy.Moseley at hurlburt.af.mil Timothy.Moseley at hurlburt.af.mil
Thu Mar 1 18:25:31 UTC 2001


Yeah, I got the same error message when trying to create a key using 0. I
reran named-checkconf against my named.conf, got an error message, fixed the
problem; now no errors with named.conf. Stopped named and restarted while
watching the logs, which show BIND 9.1.1rc3 starting.

/var/adm/messages, where all logs go for the system:

Feb 28 19:56:35 pinnacle4 /usr/local/sbin/named[140]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 19:56:35 pinnacle4 /usr/local/sbin/named[140]: option 'check-names' is not implemented
Feb 28 20:01:39 pinnacle4 /usr/local/sbin/named[263]: starting BIND 9.1.1rc3
Feb 28 20:01:39 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:01:39 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Feb 28 20:13:48 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:13:48 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Feb 28 20:22:27 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:22:27 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Feb 28 20:22:38 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:22:38 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Feb 28 20:33:52 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:33:52 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Feb 28 20:56:15 pinnacle4 /usr/local/sbin/named[263]: the default for the 'auth-nxdomain' option is now 'no'
Feb 28 20:56:15 pinnacle4 /usr/local/sbin/named[263]: option 'check-names' is not implemented
Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: starting BIND 9.1.1rc3
Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: the default for the 'auth-nxdomain' option is now 'no'
Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: option 'check-names' is not implemented
 
Funny thing: named starts and name resolution is working. Where is it getting
its info from, if my resolv.conf file shows this:

m /etc/resolv.conf 
domain hurlburt.af.mil
nameserver 151.166.201.17

I deleted all old zone files on this system, so where are the names coming
from?
This is the confusing part of this upgrade.


#nslookup
Default Server:  pinnacle4.hurlburt.af.mil
Address:  xxx.xxx.xxx.xxx

> mail
Server:  pinnacle4.hurlburt.af.mil
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer:
Name:    shark.hurlburt.af.mil
Address:  xxx.xxx.xxx.xxx
Aliases:  mail.hurlburt.af.mil

-----Original Message-----
From: James A Griffin [mailto:agriffin at cpcug.org]
Sent: Thursday, March 01, 2001 12:08 PM
To: Timothy.Moseley at hurlburt.af.mil
Subject: Re: FW: bind9 questions


Tim,

As I said, "I'm not sure it will make any difference, but ...", it is one
step in getting to a correct configuration.  I know of no way to get
dnssec-keygen to create a base-64 encoded null.  When I tried
'dnssec-keygen -a hmac-md5 -b 0 -n user rndc' it said key size 0 out of
range.

Jim asked if your control channel was up.  Is it?  Check syslog for lines
like this:
Mar  1 07:08:09 sparta named[701]: command channel listening on 192.168.1.8#953

I've lost the thread, so I may be (I am) missing some of the context.  If
I have it right, you want to use rndc on one machine to control named on
another.  It works; I've done it here between two Linux boxes after lots of
mucking with the conf files and "TFM".

This may be a dumb question on my part, but are you at this stage in
your testing using rndc on the same machine the named is running on?
The use of localhost in the conf files suggests that this is true, but I've
been burned by some assumptions that I made working with another guy on
a related problem.

Regards,
Jim

Timothy.Moseley at hurlburt.af.mil wrote:
> 
> Added the appropriate lines, still get connection refused.
> 
> Jim Reid sent this--This key is not a valid base-64 encoded string. So until
> you fix that, you'll get another error once you get the name server listening
> on a control socket.
> 
> Question--how do you create a base-64 encoded string that is a null value?
> 
> > >-----Original Message-----
> > >From: James A Griffin [mailto:agriffin at cpcug.org]
> > >Sent: Thursday, March 01, 2001 10:35 AM
> > >To: Timothy.Moseley at hurlburt.af.mil
> > >Cc: jim at rfc1035.com; bind-users at isc.org
> > >Subject: Re: FW: bind9 questions
> > >
> > >
> > >There are missing clause/phrases.
> > >See below.
> > >
> > >Regards,
> > >Jim
> > >
> > >
> > >Timothy.Moseley at hurlburt.af.mil wrote:
> > >>
> > >> Okay, now we are getting somewhere, if all I need to do is add a key
> > >> statement to my named.conf file that is empty then I will give that a try,
> > >> the manuals do not state that you can use a null value in the key statement.
> > >> I do not have to worry about anybody on my network running rndc, that is
> > >> what the OSI and FBI are for. I will try the null thing and let you know if
> > >> it works.
> > >>
> > >> NOPE.
> > >> So I guess w/out the key bind9 does not work.
> > >>
> > >> Then again this is the response I get now when I do the rndc reload command
> > >>
> > >>  rndc reload
> > >> rndc: connect: connection refused
> > >>
> > >> Here is my rndc.conf file as it appears now:
> > >>
> > >> key rndc_key {
> > >>         algorithm "hmac-md5";
> > >>         secret " ";
> > >>  };
> > >
> > >I'm not sure it will make any difference, but you need the following in
> > >rndc.conf.
> > >
> > >server localhost {
> > >        key     rndc_key;
> > >};
> > >>
> > >> options {
> > >>         default-server localhost;
> > >>         default-key rndc_key;
> > >> };
> > >>
> > >> Here is my named.conf as it appears now:
> > >>
> > >> // generated by named-bootconf.pl
> > >>
> > >> acl localhost {
> > >>                 primary_internal_dns;
> > >> };
> > >> controls {
> > >>         inet localhost allow { 127.0.0.1; } keys { rndc_key; };
> > >
> > >And I think you should include the 'algorithm "hmac-md5"' and 'secret " "'
> > >phrases as well.
> > >
> > >> key rndc_key { };
> > >>
> > >> options {
> > >>         directory "/var/named";
> > >>         pid-file "/usr/local/etc/named.pid";
> > >>         auth-nxdomain yes;
> > >>         statistics-file "/var/named/stats";
> > >>         transfer-format many-answers;
> > >>         transfer-source  primary_internal_dns;
> > >>         forward only;
> > >>         forwarders {
> > >>           internal firewall IP's;
> > >>         };
> > >>         allow-transfer { none; };
> > >> };
> > >>
> > >> Anybody have a guess?
> > >
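Worked example, added here and not part of the thread or of ISC's BIND sources: the three things this thread keeps circling are (1) a shared secret that is real base64 and non-empty, since `secret " "` is not base64 and dnssec-keygen will not make a zero-length key, (2) the same key statement in named.conf and rndc.conf, with a controls block that actually closes, and (3) the "command channel listening on" syslog line that proves named opened port 953. The script below generates such a key, renders both config fragments, checks that two config texts carry the same usable secret, and scans syslog lines for the control-channel message. Key name, 127.0.0.1 and port 953 are assumptions; the log samples are constructed from the lines quoted in the thread.

```python
"""Added example (not from the thread or from ISC BIND): make an HMAC-MD5
rndc key, render matching named.conf/rndc.conf stanzas, verify the two
files agree, and look for the control-channel line in syslog.
Assumed: key name rndc_key, rndc and named on the same host, port 953."""
import base64
import binascii
import re
import secrets
from typing import Iterable, Optional

KEY_NAME = "rndc_key"   # name used in the thread's fragments (assumption)
LISTEN = "127.0.0.1"    # assumed: rndc runs on the same machine as named
PORT = 953              # BIND's default control-channel port


def validate_secret(secret: str) -> Optional[str]:
    """None if `secret` is usable TSIG key material, else the reason.
    Catches both dead ends from the thread: `secret " "` is not base64,
    and a zero-length key ("base-64 encoded null") does not exist."""
    s = secret.strip()
    if not s:
        return "empty or whitespace-only secret is not a base64 string"
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return "secret is not a valid base64 string"
    if not raw:
        return "secret decodes to zero key bytes"
    return None


def new_hmac_md5_secret(bits: int = 128) -> str:
    """Random key, base64-encoded, as `dnssec-keygen -a hmac-md5 -b 128
    -n HOST rndc` would emit. hmac-md5 accepts 1..512 bits; this helper
    only does whole bytes, so 0 is rejected like dnssec-keygen did."""
    if bits % 8 or not 1 <= bits <= 512:
        raise ValueError("hmac-md5 key size must be 1..512 bits (whole bytes)")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def key_stanza(name: str, secret: str) -> str:
    """The key statement both files must contain, byte for byte."""
    return (f'key "{name}" {{\n        algorithm hmac-md5;\n'
            f'        secret "{secret}";\n}};\n')


def named_conf_controls(name: str, secret: str) -> str:
    """key + controls for named.conf. Note the closing `};` on controls,
    which the fragment quoted in the thread lacks."""
    return key_stanza(name, secret) + (
        f'controls {{\n        inet {LISTEN} port {PORT} '
        f'allow {{ 127.0.0.1; }} keys {{ "{name}"; }};\n}};\n')


def rndc_conf(name: str, secret: str) -> str:
    """Matching rndc.conf: same key, a server clause binding it, defaults."""
    return key_stanza(name, secret) + (
        f'server {LISTEN} {{\n        key "{name}";\n}};\n'
        f'options {{\n        default-server {LISTEN};\n'
        f'        default-key "{name}";\n}};\n')


_SECRET_RE = r'key\s+"?{name}"?\s*\{{[^}}]*?secret\s+"([^"]*)"'


def extract_secret(conf: str, name: str) -> Optional[str]:
    """Secret for key `name` in a config text; None when the key statement
    has no secret, as with the thread's `key rndc_key { };`."""
    m = re.search(_SECRET_RE.format(name=re.escape(name)), conf, re.S)
    return m.group(1) if m else None


def keys_match(named_text: str, rndc_text: str, name: str) -> bool:
    """True only if both files carry the same, valid secret for `name`."""
    a, b = extract_secret(named_text, name), extract_secret(rndc_text, name)
    return a is not None and a == b and validate_secret(a) is None


_CHANNEL_RE = re.compile(r"command channel listening on (\S+)")


def control_channel_listening(syslog_lines: Iterable[str]) -> Optional[str]:
    """addr#port the control channel bound to, or None if named never
    logged it (the check Jim asked for)."""
    for line in syslog_lines:
        m = _CHANNEL_RE.search(line)
        if m:
            return m.group(1)
    return None


# Constructed samples: the first mirrors the thread's named[409] start-up,
# which has no control-channel line; the second adds the line to look for.
LOG_NO_CHANNEL = [
    "Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: starting BIND 9.1.1rc3",
    "Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: option 'check-names' is not implemented",
]
LOG_WITH_CHANNEL = LOG_NO_CHANNEL + [
    "Mar  1 17:05:45 pinnacle4 /usr/local/sbin/named[409]: command channel listening on 127.0.0.1#953",
]

if __name__ == "__main__":
    secret = new_hmac_md5_secret()
    nc, rc = named_conf_controls(KEY_NAME, secret), rndc_conf(KEY_NAME, secret)
    print(nc + rc)
    print("files agree:", keys_match(nc, rc, KEY_NAME))
    print("thread's secret ' ':", validate_secret(" "))
    print("control channel:", control_channel_listening(LOG_WITH_CHANNEL))
```

Paste the two rendered fragments into named.conf and rndc.conf respectively, restart named, and only then expect `rndc reload` to get past "connection refused"; if syslog still has no "command channel listening" line, the controls block is still wrong or unparsed, and no key will help.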