<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Thanks Greg!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I can confirm that running “rndc-confgen -a” replaced the previously created "/etc/bind/rndc.key" file with a new one. There are no other files named “rndc.key” on the box in question.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>None of my conf files have a “controls” block in them. Is this bad? FWIW, I don’t think I’ve ever used rndc commands before.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With regards to “sudo rndc status”, as a normal user, the “sudo” command is necessary because /etc/bind/rndc.key is not readable by normal users.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With regards to query logging, I intentionally enabled it to see what kind of DNS traffic is happening on my small office subnets. My traffic is low enough that the performance hit is negligible. But yeah, I definitely wouldn’t enable that in a larger scenario.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With regards to empty zones, I wasn’t familiar with the concept until you mentioned it. I read the KB and found it a bit confusing. From what I understood, the empty zones should be enabled by default. However, it appears that my use of “forward only” disables this behavior. Its unclear to me if this is ok or bad given my situation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Just to be clear, I’m not a BIND expert. I’m software engineer that went deep enough to set up a server a few years back and forgot all but the basics. This weekend I was just looking to make relatively minor tweaks when I copy-n-pasted a command in this server’s window like an idiot. <span style='font-family:"Segoe UI Emoji",sans-serif'>😊</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best regards,<o:p></o:p></p><p class=MsoNormal>Luis<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif'>From:</span></b><span style='font-family:"Calibri",sans-serif'> Greg Choules <gregchoules+bindusers@googlemail.com> <br><br><o:p></o:p></span></p></div><div><p class=MsoNormal>From the ARM, when "rndc-confgen -a" is run::<o:p></o:p></p><div><p class=MsoNormal>> This option sets automatic rndc configuration, which creates a file rndc.key in /etc (or a di<span style='font-family:"Arial",sans-serif'>ff</span>erent sysconfdir specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Use of the "rndc" command itself on a given server is secured by using a key. rndc itself gets that key from the file "rndc.key". named gets the matching key usually from its own configuration, in named.conf. Or, since this is Ubuntu, one of the files included by named.conf. That configuration is part of the "controls" block.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Check the contents of the file and check the "controls" section in your config, which should match. However, since "rndc status" is still working, it would appear you did no harm. Or the new key file was created somewhere else and it hasn't touched the old key file anyway.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I have a few other comments about what you sent.<o:p></o:p></p></div><div><p class=MsoNormal>- There is no need to run rndc as sudo.<o:p></o:p></p></div><div><p class=MsoNormal>- Your status shows that you have querylog enabled. Is that intentional? On a personal/lab server it's not a concern. But on a busy production server it will kill performance.<o:p></o:p></p></div><div><p class=MsoNormal>- You have zero automatic empty zones, suggesting that you disabled them. Again, is that intentional?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers, Greg<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, 25 Nov 2024 at 02:07, Luis Navarro <<a href="mailto:ln@lunadesign.net">ln@lunadesign.net</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks for the quick response!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I ran “sudo rndc status” on the box in question and on a test VM that’s configured almost identically to the box in question.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Both had very similar output. Here’s the output from the box in question:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>version: BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>running on localhost: Linux x86_64 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>boot time: Mon, 25 Nov 2024 01:16:08 GMT<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>last configured: Mon, 25 Nov 2024 01:16:08 GMT<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>configuration file: /etc/bind/named.conf<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>CPUs found: 4<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>worker threads: 4<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>UDP listeners per interface: 4<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>number of zones: 7 (0 automatic)<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>debug level: 0<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>xfers running: 0<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>xfers deferred: 0<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>soa queries in progress: 0<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>query logging is ON<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>recursive clients: 0/900/1000<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>tcp clients: 0/150<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>TCP high-water: 0<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>server is up and running<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Does this mean the box is ok as is?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><b><span style='font-family:"Calibri",sans-serif'>From:</span></b><span style='font-family:"Calibri",sans-serif'> Eric <<a href="mailto:eric@digitalert.net" target="_blank">eric@digitalert.net</a>> </span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Trying using rndc to see if it's broke. <br><br>rndc status <br><br>You may need to add a path to the rndc binary if it's not in your $PATH env vars. Or maybe -c to the location of your rndc config. <br><br>In your named.conf you should have a rndc statement with the key name and value. <br><br>You can recreate your rndc config / key with that if needed. <br><br><o:p></o:p></p><div><div><p>Nov 24, 2024 6:36:57 PM Luis Navarro <<a href="mailto:ln@lunadesign.net" target="_blank">ln@lunadesign.net</a>>:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 2.25pt;padding:0in 0in 0in 8.0pt;margin-left:0in;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I've been running BIND on Ubuntu 22.04 for over a year and it has been running perfectly as my primary DNS server. I’m currently using BIND 9.18.28.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm currently setting up BIND on another box (as a secondary DNS server) and accidentally just ran "sudo rndc-confgen -a" on the first box. From what I can tell, running this command overwrote the previously installed "/etc/bind/rndc.key" file with a new one. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm vaguely familiar with rndc but don't think I've ever used it directly. It is possible the BIND tools I typically use call it. Anyway, the first box *<b>seems</b>* to still be working normally.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>Questions:</b> Did I break anything by running "rndc-confgen"? Is there anything else I need to do on the first box to move forward with the new key file? Or should I restore the key file from a backup?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks in advance!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Luis<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></blockquote></div></div></div><p class=MsoNormal>-- <br>Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br><br>ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.<br><br><br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><o:p></o:p></p></div></blockquote></div></div></body></html>