Thanks Greg!

I can confirm that running “rndc-confgen -a” replaced the previously created "/etc/bind/rndc.key" file with a new one. There are no other files named “rndc.key” on the box in question. None of my conf files have a “controls” block in them. Is this bad? FWIW, I don’t think I’ve ever used rndc commands before.

With regards to “sudo rndc status”, as a normal user, the “sudo” command is necessary because /etc/bind/rndc.key is not readable by normal users.

With regards to query logging, I intentionally enabled it to see what kind of DNS traffic is happening on my small office subnets. My traffic is low enough that the performance hit is negligible. But yeah, I definitely wouldn’t enable that in a larger scenario.

With regards to empty zones, I wasn’t familiar with the concept until you mentioned it. I read the KB and found it a bit confusing. From what I understood, the empty zones should be enabled by default. However, it appears that my use of “forward only” disables this behavior. It’s unclear to me if this is ok or bad given my situation.

Just to be clear, I’m not a BIND expert. I’m a software engineer that went deep enough to set up a server a few years back and forgot all but the basics. This weekend I was just looking to make relatively minor tweaks when I copy-n-pasted a command in this server’s window like an idiot. 😊

Best regards,
Luis

From: Greg Choules <gregchoules+bindus...@googlemail.com>

From the ARM, when "rndc-confgen -a" is run:

> This option sets automatic rndc configuration, which creates a file rndc.key
> in /etc (or a different sysconfdir specified when BIND was built) that is read
> by both rndc and named on startup. The rndc.key file defines a default
> command channel and authentication key allowing rndc to communicate with
> named on the local host with no further configuration.

Use of the "rndc" command itself on a given server is secured by using a key. rndc itself gets that key from the file "rndc.key". named gets the matching key usually from its own configuration, in named.conf. Or, since this is Ubuntu, one of the files included by named.conf. That configuration is part of the "controls" block. Check the contents of the file and check the "controls" section in your config, which should match. However, since "rndc status" is still working, it would appear you did no harm. Or the new key file was created somewhere else and it hasn't touched the old key file anyway.

I have a few other comments about what you sent.
- There is no need to run rndc as sudo.
- Your status shows that you have querylog enabled. Is that intentional? On a personal/lab server it's not a concern. But on a busy production server it will kill performance.
- You have zero automatic empty zones, suggesting that you disabled them. Again, is that intentional?

Cheers,
Greg

On Mon, 25 Nov 2024 at 02:07, Luis Navarro <l...@lunadesign.net> wrote:

Thanks for the quick response!

I ran “sudo rndc status” on the box in question and on a test VM that’s configured almost identically to the box in question. Both had very similar output. Here’s the output from the box in question:

version: BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
running on localhost: Linux x86_64 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024
boot time: Mon, 25 Nov 2024 01:16:08 GMT
last configured: Mon, 25 Nov 2024 01:16:08 GMT
configuration file: /etc/bind/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 7 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/150
TCP high-water: 0
server is up and running

Does this mean the box is ok as is?

From: Eric <e...@digitalert.net>

Try using rndc to see if it's broken.

rndc status

You may need to add a path to the rndc binary if it's not in your $PATH env vars. Or maybe -c to the location of your rndc config. In your named.conf you should have a rndc statement with the key name and value. You can recreate your rndc config / key with that if needed.

Nov 24, 2024 6:36:57 PM Luis Navarro <l...@lunadesign.net>:

I've been running BIND on Ubuntu 22.04 for over a year and it has been running perfectly as my primary DNS server. I’m currently using BIND 9.18.28.

I'm currently setting up BIND on another box (as a secondary DNS server) and accidentally just ran "sudo rndc-confgen -a" on the first box. From what I can tell, running this command overwrote the previously installed "/etc/bind/rndc.key" file with a new one. I'm vaguely familiar with rndc but don't think I've ever used it directly. It is possible the BIND tools I typically use call it. Anyway, the first box *seems* to still be working normally.

Questions:
Did I break anything by running "rndc-confgen"?
Is there anything else I need to do on the first box to move forward with the new key file? Or should I restore the key file from a backup?

Thanks in advance!
Luis

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
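An added example, not written by anyone on this thread: a POSIX sh script that performs the comparison Greg suggests, reading the key name and secret out of an rndc.key file and checking whether the named configuration (following one level of include) has a controls block that trusts that key with the same secret. If there is no controls block at all, it reports that named falls back to reading rndc.key itself, as the ARM passage quoted above describes. File paths are arguments and the configs used to exercise it are constructed samples, not real ones.

```shell
#!/bin/sh
# Added example: does named's config trust the key that rndc will present?
# Verdicts: NO_CONTROLS (named reads rndc.key itself, per the ARM), OK,
# KEY_NOT_IN_CONTROLS, SECRET_MISMATCH, NO_KEY_IN_FILE.

# Print "name secret" for the first key statement in a file.
key_from_file() {
    awk '
        /^[ \t]*key[ \t]+"/ { match($0, /"[^"]*"/); n = substr($0, RSTART+1, RLENGTH-2) }
        /secret[ \t]+"/ && n != "" { match($0, /"[^"]*"/); print n, substr($0, RSTART+1, RLENGTH-2); exit }
    ' "$1"
}

# check_rndc_key <rndc.key path> <named.conf path>; prints one verdict.
check_rndc_key() {
    keyfile=$1 conf=$2
    set -- $(key_from_file "$keyfile")
    [ -n "$1" ] || { echo "NO_KEY_IN_FILE"; return 2; }
    # named.conf plus every file it includes directly (one level only).
    files="$conf $(sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")"
    awk -v NAME="$1" -v SECRET="$2" '
        # key statements anywhere in the config: remember name -> secret
        /^[ \t]*key[ \t]+"/ { match($0, /"[^"]*"/); cur = substr($0, RSTART+1, RLENGTH-2) }
        /secret[ \t]+"/ && cur != "" { match($0, /"[^"]*"/); sec[cur] = substr($0, RSTART+1, RLENGTH-2); cur = "" }
        # controls block: quoted strings inside it are the trusted key names;
        # brace counting finds the end of the block even if it spans lines
        /^[ \t]*controls[ \t]*\{/ { inctl = 1; hasctl = 1; depth = 0 }
        inctl {
            s = $0
            while (match(s, /"[^"]*"/)) { trusted[substr(s, RSTART+1, RLENGTH-2)] = 1; s = substr(s, RSTART+RLENGTH) }
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth <= 0) inctl = 0
        }
        END {
            if (!hasctl)             { print "NO_CONTROLS"; exit 0 }
            if (!(NAME in trusted))  { print "KEY_NOT_IN_CONTROLS"; exit 1 }
            if (sec[NAME] != SECRET) { print "SECRET_MISMATCH"; exit 1 }
            print "OK"
        }
    ' $files
}
```

On a Debian/Ubuntu box the real inputs would be /etc/bind/rndc.key and /etc/bind/named.conf; SECRET_MISMATCH is the case to look for after rndc-confgen -a has rewritten the key file while an older inline key statement remains in the config.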