[stork-users] Stork agent cannot connect through rndc
Slawek Figiel
slawek at isc.org
Wed Aug 28 13:07:11 UTC 2024
Mik,
you can find the BIND 9 configuration used by the Stork project in the
docker/config/agent-bind9 (demo) and tests/system/config/bind (system
tests) directories.
If you use BIND 9 chroot, you need to use both flags:
`named-checkconf -t /var/named -p /etc/named.conf`.
Please check if you use the `-t` flag when you start the BIND 9 process
and use the same value.
Please call the above command as the Stork agent user. It would be best to
switch to it using the `sudo su stork-agent-user` command.
There may be more files referenced in the named.conf file. The Stork agent
user must have access to all of them. Please also check whether the Stork
agent user has permission to execute the `named-checkconf` binary.
Regards,
Slawek Figiel
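As an added example (not Stork's own code, and not part of the original message), the following POSIX shell script reproduces the checks described above so they can be run by hand as the agent's user: it builds the `named-checkconf` argument list the same way the agent does (`-t <chroot>` only when a chroot prefix is set, `-p <named.conf>` last), reads the RNDC address and port from the printed configuration, and then tests that every `file` or `include` path that configuration references is readable. The user name `stork-agent-user`, the chroot prefix `/var/named` and the path `/etc/named.conf` are assumptions taken from this thread; the sample configuration in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added troubleshooting helper; not part of Stork. The agent runs
#   named-checkconf [-t <chroot>] -p <named.conf>
# and reads the RNDC address/port from the printed configuration, so every
# file that configuration references must be readable by the agent's user.
# Assumptions (placeholders from the thread): user "stork-agent-user",
# chroot prefix /var/named, named.conf at /etc/named.conf inside the chroot.

# Argument list exactly as the agent builds it: "-t <prefix>" only when a
# chroot prefix is set, and "-p <conf>" always last. One argument per line
# so that paths containing spaces survive later word splitting.
checkconf_args() {
    if [ -n "$1" ]; then printf '%s\n' -t "$1"; fi
    printf '%s\n' -p "$2"
}

# Print "<address> <port>" of the first "inet" line in the controls block
# of a printed (-p) configuration read from stdin. The port defaults to
# 953, the rndc default, when the statement omits it.
rndc_endpoint() {
    awk '
        /^controls/ { inctl = 1 }
        inctl && $1 == "inet" {
            port = 953
            for (i = 3; i <= NF; i++) if ($i == "port") port = $(i + 1)
            print $2, port; exit
        }'
}

# List every path given in a "file" or "include" statement of a configuration
# read from stdin (quotes and trailing ";" stripped). Works on the raw
# named.conf as well as on the output of named-checkconf -p.
referenced_files() {
    awk '$1 == "file" || $1 == "include" { gsub(/["; ]/, "", $2); print $2 }'
}

# Return 0 when <prefix><path> is readable by the current user, 1 otherwise.
# Paths inside a chrooted named.conf are relative to the chroot, so the
# chroot prefix is prepended before testing.
file_readable() {
    [ -r "$1$2" ]
}

# Live run: sh this_script.sh <chroot-prefix-or-empty> <named.conf>, executed
# as the agent user (for example after "sudo su stork-agent-user"). Nothing
# runs when the script is invoked without arguments, so the functions above
# can be sourced and exercised on sample input offline.
if [ "$#" -ge 2 ]; then
    prefix=$1; conf=$2
    command -v named-checkconf >/dev/null ||
        { echo "named-checkconf is not executable by $(id -un)"; exit 1; }
    # Split the argument list on newlines only (paths may contain spaces).
    oldifs=$IFS; IFS='
'
    set -- $(checkconf_args "$prefix" "$conf")
    IFS=$oldifs
    printed=$(named-checkconf "$@") || { echo "named-checkconf failed"; exit 1; }
    echo "rndc endpoint: $(printf '%s\n' "$printed" | rndc_endpoint)"
    printf '%s\n' "$printed" | referenced_files | while read -r f; do
        if file_readable "$prefix" "$f"; then
            echo "readable   $prefix$f"
        else
            echo "UNREADABLE $prefix$f (fix ownership/mode for $(id -un))"
        fi
    done
fi
```

If `named-checkconf` prints nothing and exits 0, the configuration parsed fine and the problem is elsewhere (key file or permissions); a non-zero exit, or an `UNREADABLE` line, points at exactly the file the agent cannot open when it runs under its own user.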
On 28/08/2024 14:59, Mik J wrote:
> Hello Slawek,
>
> When I do
> # named-checkconf -t /var/named/
> I don't have any output
>
> But when I do
> # named-checkconf -p /var/named/etc/named.conf
> I have an output that corresponds more or less to named.conf
>
> Could you show me an example of your named.conf configuration (regarding rndc key) and /etc/rndc.key and/or /etc/rndc.conf
>
> Because both commands work
> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -k /etc/rndc.key status
> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -c /etc/rndc.conf status
>
> And the files are world readable (at the moment)
> # ls -l /etc/rndc.key
> -rw-r--r-- 1 root _bind 100 Aug 28 14:22 /etc/rndc.key
> # ls -l /etc/rndc.conf
> -rw-r--r-- 1 root wheel 411 Aug 28 14:23 /etc/rndc.conf
> # ls -l /var/named/etc/named.conf
> -rwxr--r-- 1 root _bind 13534 Aug 16 11:26 /var/named/etc/named.conf
>
> I really don't understand what could go wrong
>
> On Wednesday, 28 August 2024 at 13:42:48 UTC+2, Slawek Figiel <slawek at isc.org> wrote:
>
> Hello Mik!
>
> The "named-checkconf" call is constructed in
> backend/agent/bind9.go:569-577 :
>
> // Prepare named-checkconf arguments.
> args := []string{}
> if rootPrefix != "" {
>     args = append(args, "-t", rootPrefix)
> }
> // The config path must be last.
> args = append(args, "-p", bind9ConfPath)
>
> out, err := executor.Output(namedCheckconfPath, args...)
>
> So, we provide the BIND 9 configuration path via "-p" flag and path to
> the BIND 9 chroot via the "-t" flag (if applicable).
>
> Regards,
> Slawek Figiel
>
>
> On 28/08/2024 00:26, Mik J wrote:
>> Hello Slawek,
>>
>> I did
>> # named-checkconf
>> open: /etc/named.conf: file not found
>>
>> So I made a symbolic link
>> # ln -s /var/named/etc/named.conf /etc/named.conf
>> And ran again the command
>> # named-checkconf
>>
>> However no improvement.
>>
>> Which option is used along with named-checkconf? Because when I run it I don't see anything; it's silent.
>>
>>
>> At the moment I launch the stork agent as root so there shouldn't be file permission problems.
>>
>> # ls -l /etc/rndc.key
>> -rw-r--r-- 1 root _bind 100 May 11 00:29 /etc/rndc.key
>> The permissions are not so good but I'll change them
>>
>> I don't have any file specified in my named.conf except:
>> - Log files: for example
>> channel queries_errors_file {
>> file "/var/log/query-errors.log" versions 3 size 5m;
>>
>> - or zone files
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/master/reverse/loopback";
>> allow-transfer { localhost; };
>> };
>>
>> I'm not sure my configuration is involved in this issue; maybe that's because I'm using OpenBSD 7.5 and it has something specific.
>>
>> Regards
>>
>>
>>
>> On Monday, 26 August 2024 at 11:51:46 UTC+2, Slawek Figiel <slawek at isc.org> wrote:
>>
>> Hello Mik!
>>
>> Please check if your Stork agent user has rights to read the
>> "named.conf" and "rndc.key" files and any other files referenced in
>> "named.conf".
>>
>>> Also I see that the stork agent tries to connect to 127.0.0.1 using
>> rndc but I haven't specified the stork agent to use this address
>> (although that's the one I want)
>>> But, in general, how is the stork agent supposed to find the DNS
>> server address and port?
>>
>> Stork uses "named-checkconf" to read the BIND 9 configuration and
>> extracts the RNDC address and port from it.
>>
>> I'm waiting for your feedback.
>> Regards
>> Slawek
>>
>> On 16/08/2024 11:24, Mik J wrote:
>>> Stork: 1.18.0
>>> OS: OpenBSD 7.5
>>>
>>> Hello,
>>>
>>> I installed my stork agent on one of my DNS servers.
>>>
>>> However I get this message
>>> INFO[2024-08-16 11:00:46] bind9.go:560 Found BIND 9 config file in /var/named/etc/named.conf based on output of `named -V`.
>>> ERRO[2024-08-16 11:00:49] agent.go:311 Failed to forward commands to rndc Address="127.0.0.1" Port="953" error="exit status 1"
>>>
>>>
>>> If I run the command manually, it works
>>> # rndc -b 127.0.0.1 -s 127.0.0.1 -p 953 -k /etc/rndc.key status
>>> version: BIND 9.18.28 (Extended Support Version) <id:f77fadb> ()
>>> running on localhost: OpenBSD amd64 7.5 GENERIC.MP#82
>>> boot time: Fri, 16 Aug 2024 02:07:05 GMT
>>> last configured: Fri, 16 Aug 2024 02:07:05 GMT
>>> configuration file: /etc/named.conf (/var/named/etc/named.conf)
>>> ...
>>>
>>> How do I debug this problem?
>>>
>>> - How does Stork know what the rndc.key is? Does it read it in named.conf, or should it read /etc/rndc.key?
>>> - If it reads /etc/rndc.key, how does it know where to find this file?
>>>
>>>
>>> Also I see that the stork agent tries to connect to 127.0.0.1 using rndc but I haven't specified the stork agent to use this address (although that's the one I want)
>>> But, in general, how is the stork agent supposed to find the DNS server address and port?
>>>
>>> Regards
>>