From the ARM, when "rndc-confgen -a" is run:

> This option sets automatic rndc configuration, which creates a file rndc.key in /etc (or a different sysconfdir specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.

Use of the "rndc" command itself on a given server is secured by using a key. rndc itself gets that key from the file "rndc.key". named gets the matching key usually from its own configuration, in named.conf. Or, since this is Ubuntu, from one of the files included by named.conf. That configuration is part of the "controls" block. Check the contents of the file and check the "controls" section in your config, which should match.

However, since "rndc status" is still working, it would appear you did no harm. Or the new key file was created somewhere else and it hasn't touched the old key file anyway.

I have a few other comments about what you sent.

- There is no need to run rndc as sudo.
- Your status shows that you have querylog enabled. Is that intentional? On a personal/lab server it's not a concern. But on a busy production server it will kill performance.
- You have zero automatic empty zones, suggesting that you disabled them. Again, is that intentional?

Cheers,
Greg

On Mon, 25 Nov 2024 at 02:07, Luis Navarro <l...@lunadesign.net> wrote:
> Thanks for the quick response!
>
> I ran “sudo rndc status” on the box in question and on a test VM that’s configured almost identically to the box in question.
>
> Both had very similar output. Here’s the output from the box in question:
>
> version: BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
> running on localhost: Linux x86_64 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024
> boot time: Mon, 25 Nov 2024 01:16:08 GMT
> last configured: Mon, 25 Nov 2024 01:16:08 GMT
> configuration file: /etc/bind/named.conf
> CPUs found: 4
> worker threads: 4
> UDP listeners per interface: 4
> number of zones: 7 (0 automatic)
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is ON
> recursive clients: 0/900/1000
> tcp clients: 0/150
> TCP high-water: 0
> server is up and running
>
> Does this mean the box is ok as is?
>
> From: Eric <e...@digitalert.net>
>
> Try using rndc to see if it's broken.
>
> rndc status
>
> You may need to add a path to the rndc binary if it's not in your $PATH env vars. Or maybe -c to the location of your rndc config.
>
> In your named.conf you should have a rndc statement with the key name and value.
>
> You can recreate your rndc config / key with that if needed.
>
> Nov 24, 2024 6:36:57 PM Luis Navarro <l...@lunadesign.net>:
>
> I've been running BIND on Ubuntu 22.04 for over a year and it has been running perfectly as my primary DNS server. I’m currently using BIND 9.18.28.
>
> I'm currently setting up BIND on another box (as a secondary DNS server) and accidentally just ran "sudo rndc-confgen -a" on the first box. From what I can tell, running this command overwrote the previously installed "/etc/bind/rndc.key" file with a new one.
>
> I'm vaguely familiar with rndc but don't think I've ever used it directly. It is possible the BIND tools I typically use call it. Anyway, the first box **seems** to still be working normally.
>
> Questions: Did I break anything by running "rndc-confgen"? Is there anything else I need to do on the first box to move forward with the new key file? Or should I restore the key file from a backup?
>
> Thanks in advance!
>
> Luis
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
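A script for the check Greg describes above: compare the key statement rndc reads from rndc.key with the key that the controls block in named.conf lists, and confirm the secrets agree. This is an added example, not code from the thread or from ISC; it assumes a single named.conf (include files are not followed), parses the key and controls statements in a simplified way, and runs against constructed sample files in a temp dir rather than /etc/bind.

```shell
# Added example, not the thread's code: verify that the key rndc reads from rndc.key
# is one named's controls block accepts, with the same secret. Sample files below are
# constructed; parsing of key/controls statements is simplified (no include handling).
key_statements() {            # every key statement in a file as "name algorithm secret"
    awk '
        /^[[:space:]]*key[[:space:]]/ { inkey = 1 }
        inkey { buf = buf " " $0 }
        inkey && /};/ {
            gsub(/["{};]/, " ", buf); n = split(buf, t, /[[:space:]]+/)
            for (i = 1; i < n; i++) if (t[i] ~ /^(key|algorithm|secret)$/) v[t[i]] = t[i + 1]
            print v["key"], v["algorithm"], v["secret"]; inkey = 0; buf = ""; split("", v)
        }' "$1"
}
controls_keys() {             # key names in the keys { ... } clause of the controls block
    awk '
        /^[[:space:]]*controls[[:space:]]*\{/ { inctl = 1 }
        inctl { buf = buf " " $0 }
        inctl && /^[[:space:]]*};/ { exit }
        END {
            if (!match(buf, /keys[[:space:]]*\{[^}]*\}/)) exit
            s = substr(buf, RSTART, RLENGTH); sub(/^keys/, "", s); gsub(/[{}";]/, " ", s)
            n = split(s, t, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") print t[i]
        }' "$1"
}
check_rndc_key() {            # $1 = rndc.key, $2 = named.conf; 0 match, 1 mismatch, 2 no key
    rndc_line=$(key_statements "$1" | head -n 1)
    [ -n "$rndc_line" ] || { echo "$1: no key statement found"; return 2; }
    name=${rndc_line%% *}; secret=${rndc_line##* }; ctl=$(controls_keys "$2")
    [ -n "$ctl" ] || { echo "no controls block: named defaults to rndc.key in its sysconfdir"; return 0; }
    echo "$ctl" | grep -qx -- "$name" || { echo "controls block does not list key $name"; return 1; }
    named_secret=$(key_statements "$2" | awk -v k="$name" '$1 == k { print $3; exit }')
    [ "$named_secret" = "$secret" ] || { echo "secret for $name in $1 differs from the one in $2"; return 1; }
    echo "$1 matches key $name in the controls block of $2"
}
make_samples() {              # constructed files: named.conf carries the original key inline
    d=$(mktemp -d)
    printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "c2FtcGxlLXNlY3JldC1vbmU=";\n};\n' > "$d/rndc.key"
    printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "c2FtcGxlLXNlY3JldC10d28=";\n};\n' > "$d/rndc.key.regenerated"
    { cat "$d/rndc.key"; printf 'controls {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };\n};\n'; } > "$d/named.conf"
    echo "$d"
}
d=$(make_samples)             # rndc.key.regenerated stands in for a fresh "rndc-confgen -a"
for k in rndc.key rndc.key.regenerated; do check_rndc_key "$d/$k" "$d/named.conf" || :; done
rm -rf "$d"
```

On a real host, point the function at /etc/bind/rndc.key and the file that actually holds the controls block (on Ubuntu that may be one of the files named.conf includes).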