Hi Luis.

Running "named-checkconf -p" will print your entire named configuration, following any include files. There *must* be a "controls" section in there or rndc could not work, since, from the ARM:

> all communication with the server is authenticated with digital signatures...

I encourage you to read the sections on rndc, rndc.conf, rndc.key and controls for more details. It can take a few goes to get your head around it.

Regarding "sudo rndc", I don't think it should be necessary. I get your point about permissions, but try it without anyway?

Regarding empty zones: these are domains that should never be sent to the Internet because they cannot be resolved. They are roughly the DNS equivalent of RFC1918 (and other) addresses. They would normally be created automatically, unless, as you spotted:

> The server attempts to determine if a built-in zone already exists or is active (covered by a forward-only forwarding declaration) and does not create an empty zone if either is true.

If you are global forwarding, where are you forwarding to?

Regarding querylog: if you find it useful and it's not hurting, leave it on. If you don't use it, turn it off.

Cheers, Greg

On Tue, 26 Nov 2024 at 04:39, Luis Navarro <l...@lunadesign.net> wrote:

> Thanks Greg!
>
> I can confirm that running "rndc-confgen -a" replaced the previously created "/etc/bind/rndc.key" file with a new one. There are no other files named "rndc.key" on the box in question.
>
> None of my conf files have a "controls" block in them. Is this bad? FWIW, I don't think I've ever used rndc commands before.
>
> With regards to "sudo rndc status", as a normal user, the "sudo" command is necessary because /etc/bind/rndc.key is not readable by normal users.
>
> With regards to query logging, I intentionally enabled it to see what kind of DNS traffic is happening on my small office subnets. My traffic is low enough that the performance hit is negligible. But yeah, I definitely wouldn't enable that in a larger scenario.
>
> With regards to empty zones, I wasn't familiar with the concept until you mentioned it. I read the KB and found it a bit confusing. From what I understood, the empty zones should be enabled by default. However, it appears that my use of "forward only" disables this behavior. It's unclear to me if this is ok or bad given my situation.
>
> Just to be clear, I'm not a BIND expert. I'm a software engineer that went deep enough to set up a server a few years back and forgot all but the basics. This weekend I was just looking to make relatively minor tweaks when I copy-n-pasted a command in this server's window like an idiot. 😊
>
> Best regards,
> Luis
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
>
> From the ARM, when "rndc-confgen -a" is run:
>
> > This option sets automatic rndc configuration, which creates a file rndc.key in /etc (or a different sysconfdir specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.
>
> Use of the "rndc" command itself on a given server is secured by using a key. rndc itself gets that key from the file "rndc.key". named gets the matching key usually from its own configuration, in named.conf. Or, since this is Ubuntu, one of the files included by named.conf. That configuration is part of the "controls" block.
>
> Check the contents of the file and check the "controls" section in your config, which should match. However, since "rndc status" is still working, it would appear you did no harm. Or the new key file was created somewhere else and it hasn't touched the old key file anyway.
>
> I have a few other comments about what you sent.
>
> - There is no need to run rndc as sudo.
> - Your status shows that you have querylog enabled. Is that intentional? On a personal/lab server it's not a concern. But on a busy production server it will kill performance.
> - You have zero automatic empty zones, suggesting that you disabled them. Again, is that intentional?
>
> Cheers, Greg
>
> On Mon, 25 Nov 2024 at 02:07, Luis Navarro <l...@lunadesign.net> wrote:
>
> > Thanks for the quick response!
> >
> > I ran "sudo rndc status" on the box in question and on a test VM that's configured almost identically to the box in question.
> >
> > Both had very similar output. Here's the output from the box in question:
> >
> > version: BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
> > running on localhost: Linux x86_64 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024
> > boot time: Mon, 25 Nov 2024 01:16:08 GMT
> > last configured: Mon, 25 Nov 2024 01:16:08 GMT
> > configuration file: /etc/bind/named.conf
> > CPUs found: 4
> > worker threads: 4
> > UDP listeners per interface: 4
> > number of zones: 7 (0 automatic)
> > debug level: 0
> > xfers running: 0
> > xfers deferred: 0
> > soa queries in progress: 0
> > query logging is ON
> > recursive clients: 0/900/1000
> > tcp clients: 0/150
> > TCP high-water: 0
> > server is up and running
> >
> > Does this mean the box is ok as is?
> >
> > *From:* Eric <e...@digitalert.net>
> >
> > Try using rndc to see if it's broken.
> >
> > rndc status
> >
> > You may need to add a path to the rndc binary if it's not in your $PATH env vars. Or maybe -c to the location of your rndc config.
> >
> > In your named.conf you should have an rndc statement with the key name and value.
> >
> > You can recreate your rndc config / key with that if needed.
> >
> > Nov 24, 2024 6:36:57 PM Luis Navarro <l...@lunadesign.net>:
> >
> > I've been running BIND on Ubuntu 22.04 for over a year and it has been running perfectly as my primary DNS server. I'm currently using BIND 9.18.28.
> >
> > I'm currently setting up BIND on another box (as a secondary DNS server) and accidentally just ran "sudo rndc-confgen -a" on the first box. From what I can tell, running this command overwrote the previously installed "/etc/bind/rndc.key" file with a new one.
> >
> > I'm vaguely familiar with rndc but don't think I've ever used it directly. It is possible the BIND tools I typically use call it. Anyway, the first box **seems** to still be working normally.
> >
> > *Questions:* Did I break anything by running "rndc-confgen"? Is there anything else I need to do on the first box to move forward with the new key file? Or should I restore the key file from a backup?
> >
> > Thanks in advance!
> > Luis
> >
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
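Greg's check ("check the contents of the file and check the controls section in your config, which should match") and Luis's question about whether "rndc-confgen -a" broke anything both come down to comparing two secrets: the one rndc reads from rndc.key and the one named is given for the key its "controls" block names. The script below is an added example in POSIX shell, not code from the thread or from ISC. It expects the first argument to be the expanded configuration that "named-checkconf -p" prints (so included files are resolved), uses only tr and sed, and works on constructed config text with placeholder secrets. When the configuration has no controls/keys clause at all, as on Luis's box, the ARM says named loads rndc.key itself, so there is nothing to compare and the check says so instead of reporting a mismatch.

```shell
#!/bin/sh
# Added example (not from the thread or ISC): compare the secret in rndc.key with
# the key that named's "controls" block refers to. Pass "named-checkconf -p" output
# as the first file so that included key files are already expanded.
# Config contents below are constructed; the secrets are placeholders.

# key_secret FILE KEYNAME: print the secret of the key statement named KEYNAME in FILE.
# KEYNAME goes into a sed pattern, so it must not contain regex metacharacters.
key_secret() {
    tr '\n' ' ' < "$1" |
        sed -n "s/.*key[[:space:]]*\"\{0,1\}$2\"\{0,1\}[[:space:]]*{\([^}]*\)}.*/\1/p" |
        sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p'
}

# controls_keyname FILE: print the key name from the controls block's keys clause,
# or nothing when the configuration has no controls/keys clause.
controls_keyname() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*keys[[:space:]]*{[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*/\1/p'
}

# rndc_key_matches NAMED_CONF RNDC_KEY: 0 when both sides hold the same secret,
# 1 on a mismatch or a missing key, 2 when named has no controls/keys clause
# (per the ARM named then reads rndc.key itself, so there is nothing to compare).
rndc_key_matches() {
    name=$(controls_keyname "$1")
    if [ -z "$name" ]; then
        echo "no controls/keys clause in $1; named falls back to rndc.key" >&2
        return 2
    fi
    named_secret=$(key_secret "$1" "$name")
    rndc_secret=$(key_secret "$2" "$name")
    if [ -z "$rndc_secret" ]; then
        echo "$2 does not define key \"$name\"" >&2
        return 1
    fi
    [ "$named_secret" = "$rndc_secret" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed: "named-checkconf -p" output for a config carrying its own key and controls.
NAMED_CONF="$tmp/named.conf.expanded"
cat > "$NAMED_CONF" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "b2xkLXNlY3JldC1mb3ItdGhlLWV4YW1wbGU=";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

# Constructed: the rndc.key that matches the config above ...
RNDC_KEY_OLD="$tmp/rndc.key.old"
cat > "$RNDC_KEY_OLD" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "b2xkLXNlY3JldC1mb3ItdGhlLWV4YW1wbGU=";
};
EOF

# ... and one with a fresh secret under the same name, as a regenerated key file would have.
RNDC_KEY_NEW="$tmp/rndc.key.new"
cat > "$RNDC_KEY_NEW" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "bmV3LXNlY3JldC1hZnRlci1jb25mZ2Vu";
};
EOF

# Constructed: a configuration with no controls statement at all.
NAMED_CONF_NOCTL="$tmp/named.conf.noctl"
cat > "$NAMED_CONF_NOCTL" <<'EOF'
options {
    directory "/var/cache/bind";
};
EOF

for f in "$RNDC_KEY_OLD" "$RNDC_KEY_NEW"; do
    if rndc_key_matches "$NAMED_CONF" "$f"; then
        echo "OK: $f matches the key named in $NAMED_CONF"
    else
        echo "CHECK: $f and $NAMED_CONF disagree; rndc would be refused"
    fi
done
```

On a real host, run it as `rndc_key_matches <(named-checkconf -p) /etc/bind/rndc.key` in a shell with process substitution, or save the named-checkconf output to a file first; when the key block lives only in rndc.key and named.conf includes it, the expanded output still contains it, which is why the check reads the expanded form rather than named.conf itself.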