RNDC key question

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 22 20:38:52 UTC 2005


Vigilance Monitoring wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
>news:dltr7i$9ja$1 at sf1.isc.org...
>  
>
>>Vigilance Monitoring wrote:
>>
>>    
>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>bind-9.2.4-2 on RHEL4
>>>
>>>I recently built a slave DNS server and everything seems to be
>>>working fine.  However, /etc/init.d/named stop|restart does not
>>>work (doesn't stop named).  I think the problem may be with the
>>>rndc key.
>>>
>>>
>>>[root at plain named]# rndc -V status
>>>rndc: connection to remote host closed
>>>This may indicate that the remote server is using an older version
>>>of the command protocol, this host is not authorized to connect,
>>>or the key is invalid.
>>>
>>>/var/log/messages:
>>>
>>>Nov 20 22:22:33 plain named[13030]: invalid command from
>>>127.0.0.1#34229: bad auth
>>>Nov 20 22:25:38 plain named[13609]: /etc/named.conf:63: couldn't
>>>find key 'rndc-key' for use with command channel 127.0.0.1#953
>>>Nov 20 22:25:43 plain named[13609]: invalid command from
>>>127.0.0.1#34274: bad auth
>>>Nov 20 22:25:43 plain named[13609]: invalid command from
>>>127.0.0.1#34275: bad auth
>>>Nov 20 22:25:50 plain named[13609]: invalid command from
>>>127.0.0.1#34276: bad auth
>>>Nov 20 22:26:54 plain named[13609]: invalid command from
>>>127.0.0.1#34291: bad auth
>>>
>>>/etc/named.conf:
>>>
>>>include "/etc/rndc.key";
>>>
>>>controls {
>>>       inet 127.0.0.1 port 953
>>>       allow { 127.0.0.1; } keys { "rndc-key"; };
>>>};
>>>
>>>What do I need to do to fix this please?  TIA!!!
>>>
>>>      
>>>
>>The error messages imply that there is no definition of a key named
>> "rndc-key" in the file /etc/rndc.key. Check the contents of the
>>file.  Feel free to post it here with the "secret" part anonymized
>>and nothing  else (otherwise you may obscure the real source of the
>>problem). Or,  just generate and install a new key after you've
>>posted the old one  publically.
>>
>>Another possibility is that you haven't restarted named since you
>>added  the key definition, so named doesn't "see" it yet.
>>Understand that you  can't use "rndc stop" until you've gotten rndc
>>working -- you'll have to  "bootstrap" things with manual stops and
>>starts until rndc is working.
>>
>>
>>
>>                                                            - Kevin
>>
>>    
>>
>Thanks Kevin.  Yep, there is no key definition in /etc/rndc.conf.  So
>how do I create a key and get everything established properly (this
>has always happened pretty much automatically/magically for me in the
>past).
>
>/etc/rndc.conf:
>
>options {
>        default-server  localhost;
>        default-key     "rndckey";
>};
>
>server localhost {
>        key     "rndckey";
>};
>
>include "/etc/rndc.key";
>
Your /etc/rndc.conf uses "rndckey" by default, but named.conf uses 
"rndc-key". The hyphen makes all the difference. Which key(s) is/are 
defined in /etc/rndc.key? Note that you can override the default rndc 
key on the command line, but there needs to be a definition for it.

You might also want to check out rndc-confgen. I suspect that things 
worked "automatically/magically" for you in the past because whatever 
tool you used ran rndc-confgen behind the scenes.

                                                                         
                                                   - Kevin
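The mismatch Kevin points out (rndc.conf asking for "rndckey" while named.conf's controls statement only accepts "rndc-key") is easy to catch before restarting named. The script below is an added example, not code from the thread or from BIND: it writes two constructed sets of named.conf / rndc.conf / rndc.key under a temporary directory (one mirroring the post, one with a single key name everywhere) and cross-checks the key name in all three files. The function and file names are the example's own, and the secret in the sample key file is a placeholder.

```shell
#!/bin/sh
# Added example: cross-check the rndc key name between named.conf's
# controls statement, rndc.conf's default-key, and the key definition.
# Not part of BIND; helper names below are this example's own.

# Print the key names listed in named.conf's  controls { ... keys { ... }; }
controls_keys() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*controls.*keys[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr -d '";'
}

# Print the default-key name from rndc.conf.
rndc_default_key() {
    sed -n 's/^[[:space:]]*default-key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# key_defined KEY_FILE NAME: succeed if the file contains  key "NAME" {
key_defined() {
    grep -q "^[[:space:]]*key[[:space:]]*\"$2\"[[:space:]]*{" "$1"
}

# check_rndc_setup NAMED_CONF RNDC_CONF KEY_FILE
# Returns 0 when the key rndc will present is accepted by named's control
# channel and actually defined; otherwise prints why and returns 1.
check_rndc_setup() {
    named_conf=$1 rndc_conf=$2 key_file=$3
    want=$(rndc_default_key "$rndc_conf")
    [ -n "$want" ] || { echo "$rndc_conf: no default-key"; return 1; }
    found=no
    for k in $(controls_keys "$named_conf"); do
        [ "$k" = "$want" ] && found=yes
    done
    if [ "$found" = no ]; then
        echo "$named_conf: controls does not list rndc's key \"$want\""
        return 1
    fi
    if ! key_defined "$key_file" "$want"; then
        echo "$key_file: no definition of key \"$want\""
        return 1
    fi
    echo "ok: rndc and named agree on key \"$want\""
}

# write_sample DIR RNDC_NAME CONTROLS_NAME DEFINED_NAME
# Constructed sample configs; the secret is a placeholder, not a real key.
write_sample() {
    mkdir -p "$1"
    cat > "$1/named.conf" <<EOF
include "$1/rndc.key";
controls {
       inet 127.0.0.1 port 953
       allow { 127.0.0.1; } keys { "$3"; };
};
EOF
    cat > "$1/rndc.conf" <<EOF
options {
        default-server  localhost;
        default-key     "$2";
};
server localhost {
        key     "$2";
};
include "$1/rndc.key";
EOF
    cat > "$1/rndc.key" <<EOF
key "$4" {
        algorithm hmac-md5;
        secret "PLACEHOLDERxxxxxxxxxxxxxxxxxxxx==";
};
EOF
}

WORK=$(mktemp -d)   # sample files are left in place for inspection
write_sample "$WORK/broken" rndckey  rndc-key rndc-key   # as in the post
write_sample "$WORK/fixed"  rndc-key rndc-key rndc-key   # one name everywhere

check_rndc_setup "$WORK/broken/named.conf" "$WORK/broken/rndc.conf" \
    "$WORK/broken/rndc.key" || echo "broken sample rejected, as expected"
check_rndc_setup "$WORK/fixed/named.conf" "$WORK/fixed/rndc.conf" \
    "$WORK/fixed/rndc.key"
```

Against the post's configuration the check stops at the first test: rndc would send "rndckey", which named's controls statement never lists, so named logs "bad auth" regardless of what /etc/rndc.key contains. Either rename the key consistently (and define it once, in the file both configs include), or, as Kevin notes, pass the right key explicitly with rndc's -y option until the files agree. Remember that named has to be restarted by hand once before the fixed control channel is usable.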



