RNDC key question

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 22 01:02:58 UTC 2005


Vigilance Monitoring wrote:

>bind-9.2.4-2 on RHEL4
>
>I recently built a slave DNS server and everything seems to be
>working fine.  However, /etc/init.d/named stop|restart does not work
>(doesn't stop named).  I think the problem may be with the rndc key.
>
>
>[root at plain named]# rndc -V status
>rndc: connection to remote host closed
>This may indicate that the remote server is using an older version of
>the command protocol, this host is not authorized to connect,
>or the key is invalid.
>
>/var/log/messages:
>
>Nov 20 22:22:33 plain named[13030]: invalid command from
>127.0.0.1#34229: bad auth
>Nov 20 22:25:38 plain named[13609]: /etc/named.conf:63: couldn't find
>key 'rndc-key' for use with command channel 127.0.0.1#953
>Nov 20 22:25:43 plain named[13609]: invalid command from
>127.0.0.1#34274: bad auth
>Nov 20 22:25:43 plain named[13609]: invalid command from
>127.0.0.1#34275: bad auth
>Nov 20 22:25:50 plain named[13609]: invalid command from
>127.0.0.1#34276: bad auth
>Nov 20 22:26:54 plain named[13609]: invalid command from
>127.0.0.1#34291: bad auth
>
>/etc/named.conf:
>
>include "/etc/rndc.key";
>
>controls {
>        inet 127.0.0.1 port 953
>        allow { 127.0.0.1; } keys { "rndc-key"; };
>};
>
>What do I need to do to fix this please?  TIA!!!
>
The error messages imply that there is no definition of a key named 
"rndc-key" in the file /etc/rndc.key. Check the contents of the file. 
Feel free to post it here with the "secret" part anonymized and nothing 
else (otherwise you may obscure the real source of the problem). Or, 
just generate and install a new key after you've posted the old one 
publicly.

Another possibility is that you haven't restarted named since you added 
the key definition, so named doesn't "see" it yet. Understand that you 
can't use "rndc stop" until you've gotten rndc working -- you'll have to 
"bootstrap" things with manual stops and starts until rndc is working.

                                                            - Kevin
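As an added diagnostic that is not part of this thread, the following Python script checks whether every key name referenced in the controls block of named.conf is actually defined by a key statement in named.conf or its included key file, and pulls the missing key name out of named's syslog message. The sample named.conf and rndc.key are constructed; the key file deliberately defines a differently named key to reproduce the "couldn't find key" condition, and the secret is a placeholder.

```python
import re
# Constructed sample input (not from the original post): controls references
# "rndc-key" but the key file defines "rndckey", which yields "couldn't find key".
NAMED_CONF = '''
include "/etc/rndc.key";
controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
'''
RNDC_KEY = '''
key "rndckey" {
        algorithm hmac-md5;
        secret "REDACTED-SECRET-PLACEHOLDER==";
};
'''
KEY_DEF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{')
KEYS_REF_RE = re.compile(r'\bkeys\s*\{([^}]*)\}')
NAME_RE = re.compile(r'"?([\w.-]+)"?\s*;')
LOG_RE = re.compile(r"couldn't find key '([^']+)' for use with command channel")

def statement_body(text, name):
    """Body of the first `name { ... }` statement in text, brace-matched."""
    m = re.search(r'\b%s\s*\{' % name, text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ''

def defined_keys(*texts):
    """Names from every `key "name" { ... };` statement in the given files."""
    return {m.group(1) for t in texts for m in KEY_DEF_RE.finditer(t)}

def referenced_control_keys(named_conf):
    """Key names listed under keys { ... } inside the controls statement."""
    body = statement_body(named_conf, 'controls')
    return {n for blk in KEYS_REF_RE.findall(body) for n in NAME_RE.findall(blk)}

def missing_control_keys(named_conf, *included):
    """Control-channel keys with no matching key statement: named logs these at
    startup and rndc gets 'bad auth' until the names agree and named restarts."""
    return referenced_control_keys(named_conf) - defined_keys(named_conf, *included)

def keys_from_log(log_text):
    """Key names that named's syslog lines report it couldn't find."""
    return set(LOG_RE.findall(log_text))
```

Once the names agree, named still has to be restarted by hand, since rndc stop cannot authenticate until the new key is loaded.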