I have upgraded a working LEAP 15.4 server to LEAP 15.5 via zypper (following usual procedure https://en.opensuse.org/SDB:System_upgrade). Server runs bind and dhcp for my network. I am now unable to start the named.service.
server:~ # systemctl restart named.service
Job for named.service failed because the control process exited with error code.
See “systemctl status named.service” and “journalctl -xeu named.service” for details.
Journal shows:
Apr 08 01:53:55 server systemd[1]: Starting Berkeley Internet Name Domain (DNS)…
Apr 08 01:53:55 server named.prep[31847]: unable to read keyfile for rndc-key in /etc/named.d/
Apr 08 01:53:55 server systemd[1]: named.service: Control process exited, code=exited, status=255/EXCEPTION
Apr 08 01:53:55 server systemd[1]: named.service: Failed with result ‘exit-code’.
Apr 08 01:53:55 server systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Permissions for file rndc.key look fine:
server:~ # ls -la /etc/rndc.key
lrwxrwxrwx 1 root root 23 Apr 8 00:41 /etc/rndc.key → /var/lib/named/rndc.key
server:~ # ls -la /var/lib/named/rndc.key
-rw-r----- 1 root named 100 Apr 8 01:12 /var/lib/named/rndc.key
File /etc/named.conf is based on new .rpmnew version:
server:~ # cat /etc/named.conf
Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
All rights reserved.
Author: Frank Bodammer, Lars Mueller lmuelle@suse.de
/etc/named.conf
This is a sample configuration file for the name server BIND 9. It works as
a caching only name server without modification.
A sample configuration for setting up your own domain can be found in
/usr/share/doc/packages/bind/sample-config.
A description of all available options can be found in
/usr/share/doc/packages/bind/misc/options.
options {
# For the time being, disable new BIND option “stale-answer-client-timeout”
# as it can result in unexpected server termination
stale-answer-enable no;# The directory statement defines the name server's working directory directory "/var/lib/named"; # enable DNSSEC validation # # If BIND logs error messages about the root key being expired, you # will need to update your keys. See https://www.isc.org/bind-keys # # The dnssec-enable option has been obsoleted and no longer has any effect. # DNSSEC responses are always enabled if signatures and other DNSSEC data are present. # dnssec-validation yes (default), indicates that a resolver # (a caching or caching-only name server) will attempt to validate # replies from DNSSEC enabled (signed) zones. To perform this task # the server also needs either a valid trusted-keys clause # (containing one or more trusted-anchors) or a managed-keys clause. # If you have problems with forwarders not returning signed responses, # set this to "no", but be aware that this may create security issues # so better switch to a forwarder which supports DNSSEC! #dnssec-validation auto; managed-keys-directory "/var/lib/named/dyn/"; # Write dump and statistics file to the log subdirectory. dump-file "/var/log/named/dump.db"; statistics-file "/var/log/named/stats"; # The forwarders record contains a list of servers to which queries # should be forwarded. Enable this line and modify the IP address to # your provider's name server. Up to three servers may be listed. #forwarders { 192.0.2.1; 192.0.2.2; }; # Enable the next entry to prefer usage of the name server declared in # the forwarders section. #forward first; # The listen-on record contains a list of local network interfaces to # listen on. Optionally the port can be specified. Default is to # listen on all interfaces found on your system. The default port is # 53. #listen-on port 53 { 127.0.0.1; }; # The listen-on-v6 record enables or disables listening on IPv6 # interfaces. Allowed values are 'any' and 'none' or a list of # addresses. listen-on-v6 { any; }; # The next three statements may be needed if a firewall stands between # the local server and the internet. #query-source address * port 53; #transfer-source * port 53; #notify-source * port 53; # The allow-query record contains a list of networks or IP addresses # to accept and deny queries from. The default is to allow queries # from all hosts. #allow-query { 127.0.0.1; }; # If notify is set to yes (default), notify messages are sent to other # name servers when the the zone data is changed. Instead of setting # a global 'notify' statement in the 'options' section, a separate # 'notify' can be added to each zone definition. notify no; disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; # When ``named`` is compiled using the MaxMind GeoIP2 geolocation API, this # specifies the directory containing GeoIP database files. By default, the # option is set based on the prefix used to build the ``libmaxminddb`` module; # for example, if the library is installed in ``/usr/local/lib``, then the # default ``geoip-directory`` is ``/usr/local/share/GeoIP``. # Use the following syntax if you want to specify a different location: # geoip-directory "/path/to/geoip/database"; geoip-directory none;};
To configure named’s logging remove the leading ‘#’ characters of the
following examples.
#logging {
# Log queries to a file limited to a size of 100 MB.
channel query_logging {
file “/var/log/named/querylog”
versions 3 size 100M;
print-time yes; // timestamp log entries
};
category queries {
query_logging;
};
# Or log this kind alternatively to syslog.
channel syslog_queries {
syslog user;
severity info;
};
category queries { syslog_queries; };
# Log general name server errors to syslog.
channel syslog_errors {
syslog user;
severity error;
};
category default { syslog_errors; };
# Don’t log lame server messages.
category lame-servers { null; };
#};
The following zone definitions don’t need any modification. The first one
is the definition of the root name servers. The second one defines
localhost while the third defines the reverse lookup for localhost.
zone “.” in {
type hint;
file “root.hint”;
};zone “localhost” in {
type master;
file “localhost.zone”;
};zone “0.0.127.in-addr.arpa” in {
type master;
file “127.0.0.zone”;
};zone “0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa” in {
type master;
file “127.0.0.zone”;
};Un-comment the following line if you want to limit rndc access to and from localhost only
include “/etc/named.d/rndc-access.conf”;
Un-comment the following if you still need “/etc/named.conf.include” included.
include “/etc/named.conf.include”;
You can insert further zone records for your own domains below
See /usr/share/doc/packages/bind/README.SUSE for more details.
[… ommitted… ]
File /etc/named.d/rndc-access.conf also looks fine:
server:~ # cat /etc/named.d/rndc-access.conf
ensure to find the key named ‘rndc-key’
include “/etc/rndc.key”;
controls {
# Bind BIND’s control channel to localhost and allow access from
# loopback addresses only.
# This control channel is used for the init script /etc/init.d/named,
# rcnamed while called with the option reload or status
inet 127.0.0.1 allow {
127.0.0.0/8;
} keys { rndc-key; };# In the following example BIND's control channel in addition is bound # to IP address 192.0.2.1 and access is granted to loopback addresses # and the 192.0.2.0/24 network. #inet 192.0.2.1 allow { # 127.0.0.0/8; # 192.0.2.0/24; #} keys { rndc-key; };};
I have googled, searched, debugged.
What am I missing? Please help.
Gato
