Bind9 rndc-key issue

Hello,
I am currently working through the opensuse reference manual, and am attempting to run a BIND DNS.
Attempting to use both YaST and the CL leads me to the same issue:

named-checkconf /etc/named.conf


/etc/rndc.key:1: key 'rndc-key': already exists previous definition: /etc/rndc.key:1
/etc/rndc.key:1: key 'rndc-key': already exists previous definition: /etc/rndc.key:1

systemctl status named.service


● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2020-06-16 16:44:03 EDT; 42min ago
    Process: 21145 ExecStart=/usr/sbin/named.init start (code=exited, status=6)

Jun 16 16:44:03 linux-7paf systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Jun 16 16:44:03 linux-7paf named.init[21145]: Starting name server BIND
Jun 16 16:44:03 linux-7paf named.init[21208]: Starting name server BIND
Jun 16 16:44:03 linux-7paf named.init[21208]: etc/named.conf:17
Jun 16 16:44:03 linux-7paf systemd[1]: named.service: Control process exited, code=exited, status=6/NOTCONFIGURED
Jun 16 16:44:03 linux-7paf systemd[1]: named.service: Failed with result 'exit-code'.
Jun 16 16:44:03 linux-7paf systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

If I delete /etc/rndc.key:


● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2020-06-16 17:42:35 EDT; 7s ago
    Process: 28201 ExecStart=/usr/sbin/named.init start (code=exited, status=6)

Jun 16 17:42:35 linux-7paf named.init[28201]: Warning: File /etc/rndc.key not found. Creating it.
Jun 16 17:42:35 linux-7paf named.init[28242]: rndc-confgen: The -r option has been deprecated.
Jun 16 17:42:35 linux-7paf named.init[28243]: chmod: cannot access '/etc/rndc.key': No such file or directory
Jun 16 17:42:35 linux-7paf named.init[28244]: chown: cannot access '/etc/rndc.key': No such file or directory
Jun 16 17:42:35 linux-7paf named.init[28201]: Warning: File /etc/rndc.key not found. Skipping.
Jun 16 17:42:35 linux-7paf named.init[28201]: Warning: File /etc/rndc.key not found. Skipping.
Jun 16 17:42:35 linux-7paf named.init[28266]: /etc/rndc.key:1: key 'rndc-key': already exists previous definition: /etc/rndc.key:1
Jun 16 17:42:35 linux-7paf systemd[1]: named.service: Control process exited, code=exited, status=6/NOTCONFIGURED
Jun 16 17:42:35 linux-7paf systemd[1]: named.service: Failed with result 'exit-code'.
Jun 16 17:42:35 linux-7paf systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

named.conf file (I have left out the comments; line 17 is “options {”):



options {

        # The directory statement defines the name server's working directory
        directory "/var/lib/named";

        dnssec-validation auto;
        managed-keys-directory "/var/lib/named/dyn/";

        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 { any; };

        allow-query { 127.0.0.1; };

        notify no;

        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        include "/etc/named.d/forwarders.conf";
};

zone "." in {
        type hint;
        file "root.hint";
};

zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
        type master;
        file "127.0.0.zone";
};

include "/etc/named.conf.include";
zone "dnsmz.com" in {
        file "master/dnsmz.com";
        type master;
        allow-transfer { any; };
};
logging {
        category xfer-in { log_syslog; };
        category xfer-out { log_syslog; };
        category default { log_syslog; };
        channel log_syslog { syslog; };
};

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.

include "/etc/rndc.key";
controls { inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };};

zone "1.0.168.192.in-addr.arpa" in {
        allow-transfer { any; };
        file "master/1.0.168.192.in-addr.arpa";
        type master;
};

cat /etc/os-release


NAME="openSUSE Tumbleweed"
# VERSION="20200614"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20200614"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20200614"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
LOGO="distributor-logo"

If any more information is need please let me know, any help is appreciated.

As you seem to have determined, something has changed in how the BIND server configuration is generated and read, so you should file a bug report on your findings at https://bugzilla.opensuse.org.

But before you do so,
there is one more thing you can do to possibly fix your immediate situation and add to your report…
You can try to find where the duplicate key may exist.

I recommend using the “locate” utility, which works faster and a bit differently than the “find” utility, and can be installed as part of the mlocate package.
To install,

zypper in mlocate

Once installed, the database of your entire system will be updated automatically every 24 hrs, but you won’t want to wait that long for first use or after any changes to your system.
Updating the database is simple: just run the following and wait a few seconds

updatedb

Once your database is as up to date as you need, you can run “locate text_string”, where the text string can be as short as a file name fragment or as long as part of the path.
Some examples:

locate rndc.key
locate rndc.key:1
locate bin/ssh

A while back, I observed that some files like kernel objects (.ko) were not found by locate, but that may have been a bug. Shortly after I posted that, those files were part of locate results.

Of course, the above can identify all instances of rndc.key on your system, which can go a long way towards identifying possible conflicting duplicates.
Whatever your findings, be sure to report to bugzilla so the problem can be fixed.

TSU
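locate answers "where are files called rndc.key", but the error named prints is about the same key block being parsed twice. The posted named.conf includes /etc/rndc.key directly (the line before the controls statement), and the later log lines show /etc/named.d/rndc-access.conf:2 including /etc/rndc.key as well, so named defines rndc-key once through each path and rejects the second definition. The script below is an added example for this thread (not openSUSE or ISC code): it follows include directives the way named does, records every key definition together with the chain of includes that reached it, and flags names defined more than once. It assumes absolute include paths, strips only # and // comments, maps "/" onto a temp directory so the constructed sample runs offline, and guesses that rndc-access.conf is reached through /etc/named.conf.include (the thread does not show which file pulls it in). The secret in the sample is a placeholder.

```python
"""Trace BIND `include` directives and report where every `key` block is defined.

Added example for this thread; it is not openSUSE or ISC code. named parses each
included file in place, so a key file pulled in through two different include
chains is parsed twice and the second parse fails with
"key 'rndc-key': already exists previous definition: /etc/rndc.key:1".

Assumptions (not from the thread): include paths are absolute, as in the posted
named.conf; `root` maps "/" onto a directory so the constructed sample can run
from a temp dir; "#" and "//" comments are stripped, "/* */" comments are not
handled; the chain through /etc/named.conf.include is a guess at how
rndc-access.conf is reached.
"""
import os
import re
import tempfile
from collections import defaultdict

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;')
KEY_RE = re.compile(r'^\s*key\s+"?([A-Za-z0-9_.:-]+)"?\s*\{')
COMMENT_RE = re.compile(r'(#|//).*$')


def collect_key_defs(root, top="/etc/named.conf"):
    """Return ({key_name: [(file, line, include_chain), ...]}, {file: times_included})."""
    defs = defaultdict(list)
    include_count = defaultdict(int)

    def walk(conf_path, chain):
        if conf_path in chain:  # a file that includes itself would never finish parsing
            raise RuntimeError("include loop: " + " -> ".join(chain + (conf_path,)))
        chain = chain + (conf_path,)
        include_count[conf_path] += 1
        with open(os.path.join(root, conf_path.lstrip("/"))) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = COMMENT_RE.sub("", raw)
                m = KEY_RE.match(line)
                if m:
                    defs[m.group(1)].append((conf_path, lineno, chain))
                m = INCLUDE_RE.match(line)
                if m:
                    walk(m.group(1), chain)

    walk(top, ())
    return dict(defs), dict(include_count)


def duplicate_keys(defs):
    """Key names defined more than once, i.e. the ones named rejects."""
    return {name: locs for name, locs in defs.items() if len(locs) > 1}


# Constructed config tree modelled on the thread (trimmed; not copied from any system).
SAMPLE_TREE = {
    "etc/named.conf": (
        'options {\n'
        '        directory "/var/lib/named";\n'
        '};\n'
        'include "/etc/named.conf.include";\n'
        'include "/etc/rndc.key";\n'
        'controls { inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; }; };\n'
    ),
    "etc/named.conf.include": 'include "/etc/named.d/rndc-access.conf";\n',
    "etc/named.d/rndc-access.conf": (
        '# rndc access control shipped by the distribution\n'
        'include "/etc/rndc.key";\n'
    ),
    "etc/rndc.key": (
        'key "rndc-key" {\n'
        '        algorithm hmac-sha256;\n'
        '        secret "cGxhY2Vob2xkZXI=";\n'  # placeholder, not a real key
        '};\n'
    ),
}


def write_tree(root, tree=SAMPLE_TREE):
    for rel, body in tree.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and return (duplicates, include counts)."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root)
        defs, counts = collect_key_defs(root)
        return duplicate_keys(defs), counts


if __name__ == "__main__":
    dups, counts = demo()
    for name, locs in dups.items():
        print("key '%s' defined %d times:" % (name, len(locs)))
        for path, line, chain in locs:
            print("  %s:%d via %s" % (path, line, " -> ".join(chain)))
    for path, n in counts.items():
        if n > 1:
            print("%s is included %d times" % (path, n))
```

Run against a real system with `collect_key_defs("/")`; the report names the include chain that reaches the key file a second time, which is the include to drop (on this thread's layout, the direct `include "/etc/rndc.key";` in named.conf, since the distribution's rndc-access.conf already pulls it in). Both copies that locate found are expected, not the cause: openSUSE runs named chrooted under /var/lib/named and the init script copies /etc/rndc.key into /var/lib/named/etc.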

Hello Tsu,

As you advised, I installed mlocate, running the updatedb command afterwards.

locate rndc.key:


/etc/rndc.key
/var/lib/named/etc/rndc.key

This method has found the duplicate key. After using rm to remove both files (ls in the directories to check, as well as updatedb again and another locate rndc.key command, showed no results),
running systemctl start named.service yields:


● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2020-06-16 19:50:14 EDT; 5s ago
    Process: 3967 ExecStart=/usr/sbin/named.init start (code=exited, status=6)

Jun 16 19:50:14 linux-7paf named.init[3967]: Warning: File /etc/rndc.key not found. Creating it.
Jun 16 19:50:14 linux-7paf named.init[4007]: rndc-confgen: The -r option has been deprecated.
Jun 16 19:50:14 linux-7paf named.init[4008]: chmod: cannot access '/etc/rndc.key': No such file or directory
Jun 16 19:50:14 linux-7paf named.init[4009]: chown: cannot access '/etc/rndc.key': No such file or directory
Jun 16 19:50:14 linux-7paf named.init[3967]: Warning: File /etc/rndc.key not found. Skipping.
Jun 16 19:50:14 linux-7paf named.init[3967]: Warning: File /etc/rndc.key not found. Skipping.
Jun 16 19:50:14 linux-7paf named.init[4030]: /etc/named.d/rndc-access.conf:2: open: /etc/rndc.key: file not found
Jun 16 19:50:14 linux-7paf systemd[1]: named.service: Control process exited, code=exited, status=6/NOTCONFIGURED
Jun 16 19:50:14 linux-7paf systemd[1]: named.service: Failed with result 'exit-code'.
Jun 16 19:50:14 linux-7paf systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

Removing just /etc/rndc.key, and not the one in /var/lib/named/etc/rndc.key, then running
systemctl start named.service:


● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2020-06-16 20:04:07 EDT; 2s ago
    Process: 5027 ExecStart=/usr/sbin/named.init start (code=exited, status=1/FAILURE)

Jun 16 20:04:06 linux-7paf named[5093]: found 12 CPUs, using 12 worker threads
Jun 16 20:04:06 linux-7paf named[5093]: using 12 UDP listeners per interface
Jun 16 20:04:07 linux-7paf named[5093]: using up to 21000 sockets
Jun 16 20:04:07 linux-7paf named[5093]: loading configuration from '/etc/named.conf'
Jun 16 20:04:07 linux-7paf named[5093]: /etc/named.d/rndc-access.conf:2: open: /etc/rndc.key: permission denied
Jun 16 20:04:07 linux-7paf named[5093]: loading configuration: permission denied
Jun 16 20:04:07 linux-7paf named[5093]: exiting (due to fatal error)
Jun 16 20:04:07 linux-7paf systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Jun 16 20:04:07 linux-7paf systemd[1]: named.service: Failed with result 'exit-code'.
Jun 16 20:04:07 linux-7paf systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

So now I get a different error, but a much more common issue, which I resolved by running:

chown named:named /var/lib/named/etc/rndc.key
chmod 644 /var/lib/named/etc/rndc.key

After this, systemctl start named.service executes silently, and named is running.

Thank you for the quick, and very useful help Tsu.
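One caveat on the fix above, as an added note rather than part of the thread: rndc.key holds the HMAC secret that authenticates rndc to the control channel on 127.0.0.1:953, so any local account that can read it can stop, reload or reconfigure named. named only needs to read the file, so named:named 0600 or root:named 0640 is enough; 0644 starts named but hands the secret to every user on the box. The "permission denied" in the log is named (running as the named user, inside the chroot) failing to open its copy of the key, and the chroot copy must also match /etc/rndc.key or the rndc client and the server will disagree on the secret. The script below is an added example (not openSUSE or ISC code) that audits both copies; it takes paths and the named uid/gid as parameters and, in its demo, uses a temp directory and the current uid in place of the real named account. The secret it writes is a placeholder.

```python
"""Audit rndc.key copies: readable by named, not readable by everyone, chroot copy in sync.

Added example for this thread; not openSUSE or ISC code. Assumptions (not from
the thread): the caller supplies the paths and the uid/gid named runs as; the
demo uses a temp dir and the current uid as a stand-in for the named user.
"""
import os
import stat
import tempfile


def audit_key_file(path, named_uid, named_gid):
    """Return a list of findings for one rndc.key file; an empty list means it is fine."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o004:
        findings.append("world-readable (mode %04o): the rndc secret is exposed to every local user" % mode)
    if mode & 0o022:
        findings.append("group- or world-writable (mode %04o)" % mode)
    # named can read the file as owner, via its group, or if it is world-readable
    can_read = ((st.st_uid == named_uid and mode & 0o400)
                or (st.st_gid == named_gid and mode & 0o040)
                or (mode & 0o004))
    if not can_read:
        findings.append("not readable by named (uid %d gid %d mode %04o): startup fails with 'open: ... permission denied'"
                        % (st.st_uid, st.st_gid, mode))
    return findings


def copies_match(host_path, chroot_path):
    """The chroot copy must be byte-identical to /etc/rndc.key, or rndc and named use different secrets."""
    with open(host_path, "rb") as a, open(chroot_path, "rb") as b:
        return a.read() == b.read()


KEY_TEXT = 'key "rndc-key" {\n  algorithm hmac-sha256;\n  secret "cGxhY2Vob2xkZXI=";\n};\n'  # placeholder secret


def demo():
    """Constructed layout mirroring the thread: host copy 0644, chroot copy 0640."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "etc", "rndc.key")
        chroot = os.path.join(root, "var", "lib", "named", "etc", "rndc.key")
        for p in (host, chroot):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as fh:
                fh.write(KEY_TEXT)
        os.chmod(host, 0o644)
        os.chmod(chroot, 0o640)
        my_group = os.stat(chroot).st_gid
        return {
            # the thread's final state: works, but the secret is world-readable
            "host": audit_key_file(host, me, my_group),
            # tightened copy owned by the named stand-in: no findings
            "chroot": audit_key_file(chroot, me, my_group),
            # the thread's failing state: file owned by someone other than named
            # (uid me+1 / gid my_group+1 stand in for a root-owned file)
            "chroot_wrong_owner": audit_key_file(chroot, me + 1, my_group + 1),
            "copies_match": copies_match(host, chroot),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a live host, call `audit_key_file("/var/lib/named/etc/rndc.key", pwd.getpwnam("named").pw_uid, grp.getgrnam("named").gr_gid)` and the same for /etc/rndc.key; an empty list for both plus `copies_match(...)` returning True is the state to aim for.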