RDNC key question
Kevin Darcy
kcd at daimlerchrysler.com
Tue Nov 22 20:38:52 UTC 2005
Vigilance Monitoring wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
>news:dltr7i$9ja$1 at sf1.isc.org...
>
>
>>Vigilance Monitoring wrote:
>>
>>
>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>bind-9.2.4-2 on RHEL4
>>>
>>>I recently built a slave DNS server and everything seems to be
>>>working fine. However, /etc/init.d/named stop|restart does not
>>>work (doesn't stop named). I think the problem may be with the
>>>rndc key.
>>>
>>>
>>>[root at plain named]# rndc -V status
>>>rndc: connection to remote host closed
>>>This may indicate that the remote server is using an older version
>>>of the command protocol, this host is not authorized to connect,
>>>or the key is invalid.
>>>
>>>/var/log/messages:
>>>
>>>Nov 20 22:22:33 plain named[13030]: invalid command from
>>>127.0.0.1#34229: bad auth
>>>Nov 20 22:25:38 plain named[13609]: /etc/named.conf:63: couldn't
>>>find key 'rndc-key' for use with command channel 127.0.0.1#953
>>>Nov 20 22:25:43 plain named[13609]: invalid command from
>>>127.0.0.1#34274: bad auth
>>>Nov 20 22:25:43 plain named[13609]: invalid command from
>>>127.0.0.1#34275: bad auth
>>>Nov 20 22:25:50 plain named[13609]: invalid command from
>>>127.0.0.1#34276: bad auth
>>>Nov 20 22:26:54 plain named[13609]: invalid command from
>>>127.0.0.1#34291: bad auth
>>>
>>>/etc/named.conf:
>>>
>>>include "/etc/rndc.key";
>>>
>>>controls {
>>> inet 127.0.0.1 port 953
>>> allow { 127.0.0.1; } keys { "rndc-key"; };
>>>};
>>>
>>>What do I need to do to fix this please? TIA!!!
>>>
>>>
>>>
>>The error messages imply that there is no definition of a key named
>> "rndc-key" in the file /etc/rndc.key. Check the contents of the
>>file. Feel free to post it here with the "secret" part anonymized
>>and nothing else (otherwise you may obscure the real source of the
>>problem). Or, just generate and install a new key after you've
>>posted the old one publicly.
>>
>>Another possibility is that you haven't restarted named since you
>>added the key definition, so named doesn't "see" it yet.
>>Understand that you can't use "rndc stop" until you've gotten rndc
>>working -- you'll have to "bootstrap" things with manual stops and
>>starts until rndc is working.
>>
>>
>>
>> - Kevin
>>
>>
>>
>Thanks Kevin. Yep, there is no key definition in /etc/rndc.conf. So
>how do I create a key and get everything established properly (this
>has always happened pretty much automatically/magically for me in the
>past).
>
>/etc/rndc.conf:
>
>options {
> default-server localhost;
> default-key "rndckey";
>};
>
>server localhost {
> key "rndckey";
>};
>
>include "/etc/rndc.key";
>
Your /etc/rndc.conf uses "rndckey" by default, but named.conf uses
"rndc-key". The hyphen makes all the difference. Which key(s) is/are
defined in /etc/rndc.key? Note that you can override the default rndc
key on the command line, but there needs to be a definition for it.
You might also want to check out rndc-confgen. I suspect that things
worked "automatically/magically" for you in the past because whatever
tool you used ran rndc-confgen behind the scenes.
- Kevin
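As an added example (not part of the thread, and not BIND's own tooling), the following POSIX shell check does the comparison Kevin describes by hand: it lists the key names that named.conf and rndc.conf reference and verifies that each one is actually defined in rndc.key, so a "rndckey" versus "rndc-key" mismatch is reported by name before it shows up as "bad auth" in the logs. It assumes the three files use the layout shown in the thread (one `key "name" {` definition per key, references via `default-key`, `key "name";` or `keys { "name"; }`), is run here against constructed copies of the poster's configuration, and never prints the secret, only the key names.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the key *names* that
# named.conf and rndc.conf reference against the key *definitions* in
# rndc.key. Only names are printed; the secret in rndc.key is never echoed.

# Key names DEFINED in a file: lines shaped like   key "name" {
defined_keys() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)"[[:space:]]*{.*/\1/p' "$1" | sort -u
}

# Key names REFERENCED in a file:
#   default-key "name";   key "name";   keys { "name"; };
referenced_keys() {
    {
        sed -n 's/.*default-key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
        sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
        sed -n 's/.*keys[[:space:]]*{[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
    } | sort -u
}

# check_rndc_keys NAMED_CONF RNDC_CONF RNDC_KEY
# Returns 0 if every referenced key name is defined in RNDC_KEY, 1 otherwise,
# printing one MISSING line per undefined reference.
check_rndc_keys() {
    key_file=$3
    status=0
    defined=$(defined_keys "$key_file")
    for f in "$1" "$2"; do
        for k in $(referenced_keys "$f"); do
            if ! printf '%s\n' "$defined" | grep -qx -- "$k"; then
                echo "MISSING: $f references key \"$k\", which $key_file does not define"
                status=1
            fi
        done
    done
    return $status
}

# --- Constructed sample files modelled on the configs quoted in the thread ---
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/named.conf" <<'EOF'
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

# The poster's rndc.conf: both references say "rndckey" (no hyphen)
cat > "$SAMPLE_DIR/rndc.conf" <<'EOF'
options {
    default-server localhost;
    default-key "rndckey";
};
server localhost {
    key "rndckey";
};
include "/etc/rndc.key";
EOF

# Corrected rndc.conf: both references use the name that rndc.key defines
sed 's/"rndckey"/"rndc-key"/g' "$SAMPLE_DIR/rndc.conf" > "$SAMPLE_DIR/rndc-fixed.conf"

# A constructed rndc.key defining "rndc-key"; the secret is a placeholder
cat > "$SAMPLE_DIR/rndc.key" <<'EOF'
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";
};
EOF

echo "== poster's configuration =="
if check_rndc_keys "$SAMPLE_DIR/named.conf" "$SAMPLE_DIR/rndc.conf" "$SAMPLE_DIR/rndc.key"; then
    echo "all referenced keys are defined"
fi
echo "== after renaming the key in rndc.conf =="
if check_rndc_keys "$SAMPLE_DIR/named.conf" "$SAMPLE_DIR/rndc-fixed.conf" "$SAMPLE_DIR/rndc.key"; then
    echo "all referenced keys are defined"
fi
```

On a real host the same functions can be pointed at `/etc/named.conf /etc/rndc.conf /etc/rndc.key`; each MISSING line names the key that rndc.conf (or named.conf) must be changed to, or that can be selected explicitly with `rndc -y <keyname>` as Kevin notes. If rndc.key defines no key at all, the fix is to generate one with `rndc-confgen -a` and then make both config files reference the name it writes, restarting named by hand once so it reads the new key.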