DNS and file system messed up...
Gary Kline
kline at thought.org
Sat Jul 9 20:05:52 UTC 2011
On Sat, Jul 09, 2011 at 09:14:21AM +0100, Matthew Seaman wrote:
> Date: Sat, 09 Jul 2011 09:14:21 +0100
> From: Matthew Seaman <m.seaman at infracaninophile.co.uk>
> Subject: Re: DNS and file system messed up...
> To: Gary Kline <kline at thought.org>
> CC: freebsd-questions at freebsd.org
>
> On 08/07/2011 23:04, Gary Kline wrote:
> > On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote:
> >> Date: Fri, 08 Jul 2011 10:01:45 +0100
> >> From: Matthew Seaman <m.seaman at infracaninophile.co.uk>
> >> Subject: Re: DNS and file system messed up...
> >> To: freebsd-questions at freebsd.org
> >>
> >> On 08/07/2011 08:25, Doug Hardie wrote:
> >>> On 7 July 2011, at 22:58, Gary Kline wrote:
> >>>
> >>>>>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
> >>>>>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
> >>
> >>> The first one that fails is looking for /etc/named.conf. The second
> >>> one shows it's in /var/named/etc/named/named.conf
> >>
> >>> Those are different locations. I suspect you have named_flags set up
> >>> in rc.conf pointing to /etc/namedb/named.conf rather than the right
> >>> location. It's also possible that it's not set in rc.conf but defaults
> >>> in either the rc script or /etc/rc.d/named. On my system it appears
> >>> to default in /etc/rc.d/named.
> >>
> >> FreeBSD defaults to running named chrooted. /etc/namedb is actually a
> >> symbolic link:
> >
> >
> > hi matthew,
> >
> > i found an in-depth post you wrote re mtree yesterday ( 07july ),
> > but i figured it was over my head in resetting anything i might need
> > to reset. i was going to write you offlist. decided to ask the
> > entire list.
> >
> >
> >>
> >> % ls -la /etc/namedb
> >> lrwxr-xr-x 1 root wheel 21 Jul 6 06:24 /etc/namedb@ -> /var/named/etc/namedb
> >>
> >> so the files referenced are in fact exactly the same file. However, the
> >> flags from the log extract don't look like the defaults to me. (I'm
> >> running the dns/bind98 port, and the equivalent info from the log line
> >> is '-t /var/named -u bind')
> >
> >
> > i was using bind98 rather than the earlier bind9 which is out of
> > date. but bind98 gave me troubles with the rndc.key and other, so i
> > chose to go back with what worked. --first thing is to get this
> > working with the older bind9. FWIW, both bind9's have given me the same
> > error and failure. i have walked thru the named script to the point
> > where it creates the symlink. regardless, i cannot understand the
> > error and failure messages. i only know that my kill -9 and my
> > initialization "by hand" work.
> >>
> >> Gary, what named related settings do you have in /etc/rc.conf? You
> >> almost certainly don't need anything more than:
> >>
> >> named_enable="YES"
> >>
> >> and perhaps
> >>
> >> syslogd_flags="-ss -l /var/named/var/run/log"
> >>
> >> so named can log to the system syslog.
> >
> >
> > Hmmm [&c]. as you may have seen in my post to Doug H. i only have
> >
> >
> > --
> >
> > named_enable="YES"
> > named_program="/usr/local/sbin/named"
> > named_pidfile="/var/run/named/pid"
>
> OK. The good news is that the configuration that works for the system
> built-in version of named will work for the dns/bind98 port with very
> minor changes, if any.
>
> First: where everything should live
>
> /etc/namedb/named.conf --- named's config file
> /etc/namedb/master --- zone files this server is master for
> /etc/namedb/slave --- zone files this server slaves from
> another master (rw by named)
> /etc/named/working --- named's working directory (rw by named)
> /etc/rndc.conf --- config file for rndc
>
> There are various other files and directories under /etc/namedb which
> you may or may not need depending on how you configure named; in any
> case, just leave them in their default locations and with the
> permissions the system gives them. (You can use mtree(8) to fix them up
> if necessary -- but that's a whole other posting)
>
> Now, although named defaults to running chrooted into /var/namedb, you
> don't need to mention that path explicitly anywhere in the config. In
> fact, you should think about the configuration as if there was no
> chrooting happening at all.
>
> Second: rc.conf settings
>
> named_enable="YES"
> syslogd_flags="-ss -l /var/named/var/run/log"
>
> should be all you need to use the built-in version of named.
>
> Third: rndc configuration
>
> Generate a new rndc key and a config file by:
>
> # rndc-confgen > /etc/named/rndc.conf
>
> This should create a new file /etc/namedb/rndc.conf preconfigured to
> work with the named instance on the localhost. Look at the text of
> the file -- commented out there's a chunk of stuff to copy into
> named.conf. So let's do that.
>
> If the file contains:
>
> # key "rndc-key" {
> # algorithm hmac-md5;
> # secret "0ABCDE123+45+67890==";
> # };
> #
> # controls {
> # inet 127.0.0.1 port 953
> # allow { 127.0.0.1; } keys { "rndc-key"; };
> # };
>
> Then copy that without the '#' quotes into named.conf. In fact, I find
> it helps to add a control for access to ::1 as well. So add this text
> to /etc/namedb/named.conf:
>
> key "rndc-key" {
> algorithm hmac-md5;
> secret "0ABCDE123+45+67890==";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> inet ::1 port 953
> allow { ::1; } keys { "rndc-key"; };
> };
>
> Fourth: set up named.conf
>
> As I don't know much about the config you want, I'm going to have to keep
> this to generalities.
>
> In the options section you should have some standard boiler-plate:
>
> options {
> directory "/etc/namedb/working";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> memstatistics-file "/var/stats/named.memstats";
>
> For security purposes you can turn off named's built-in version display etc.
>
> version none;
> hostname none;
> server-id none;
>
> Also for security purposes, configure named to use as many UDP ports as
> possible:
>
> use-v4-udp-ports { range 1024 65535; };
> use-v6-udp-ports { range 1024 65535; };
>
> There's a bunch of other stuff I could talk about to go into options,
> but that's a matter of individual choice and this message is long enough
> already. One of the more important things I'm glossing over is the
> 'recursion' setting -- this needs to be carefully restricted to only
> being available to your own network, as there are plenty of nasty
> attacks that are enabled by opening recursion to the world.
>
> When it comes to zone file statements, one slight gotcha is that you
> should give /absolute/ filenames -- that's a consequence of the
> 'directory' setting above. Remember the bit about pretending that
> chrooting isn't happening? It applies here. So, for instance,
> you'd want something like this for localhost:
>
> zone "localhost"
> {
> type master;
> file "/etc/namedb/master/localhost-forward";
> };
> zone "127.in-addr.arpa"
> {
> type master;
> file "/etc/namedb/master/localhost-reverse";
> };
>
> // RFC 1912-style zone for IPv6 localhost address
> zone "0.ip6.arpa"
> {
> type master;
> file "/etc/namedb/master/localhost-reverse";
> };
>
> Those zone files should be present as part of the standard system.
> Note: you can use ACLs and/or views to control access to these localhost
> zones. It's only your local trusted clients that need any access.
>
> For zones that you are serving to the general public -- i.e., the zones
> you are authoritative for, you'd have something like this:
>
> zone "infracaninophile.co.uk" {
> type master;
> file "/etc/namedb/master/infracaninophile.co.uk";
> allow-query {
> any;
> };
> allow-transfer {
> secondaries;
> };
> };
>
> Fifth: testing
>
> Use named-checkconf to test that your config is going to work:
>
> # named-checkconf /etc/namedb/named.conf && echo "Everything is OK"
>
> If named-checkconf prints anything out, that's a problem which needs to
> be fixed. named-checkconf remaining silent is a good sign.
>
> Sixth: start named up
>
> # /etc/rc.d/named start
>
> Look at the logging output in /var/log/messages to check everything is
> running OK, and test that rndc works by 'rndc status'
>
> Seventh: there is no seventh.
>
> Well, actually, changes you would need to make to use the dns/bind98
> port. Very few.
>
> Check that /usr/local/etc/rndc.conf is a symlink to /etc/named/rndc.conf
> -- this should be created automatically when you install the port.
>
> Use /usr/local/sbin/named-checkconf to verify that your named.conf is OK
> with the newer named version. Unless you're using DNSSEC it almost
> certainly will be.
>
> Stop named running and add
>
> named_program="/usr/local/sbin/named"
>
> to /etc/rc.conf. Restart named. Done.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
> JID: matthew at infracaninophile.co.uk
> 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
>
Matthew,
Adding the new rndc.conf (and adjusting for the two "options { }")
seems to have fixed things. From the messages file, where
before, an individual shell script got things going, looks
like so:
Jul 9 12:32:44 ethic named[14181]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind
Jul 9 12:32:44 ethic named[14181]: /etc/namedb/named.conf:107: 'options' redefined near 'options'
Jul 9 12:32:44 ethic named[14181]: loading configuration: already exists
Jul 9 12:32:44 ethic named[14181]: exiting (due to fatal error)
Jul 9 12:34:32 ethic named[14264]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind
Jul 9 12:34:33 ethic named[14264]: command channel listening on 127.0.0.1#953
Jul 9 12:34:33 ethic named[14264]: the working directory is not writable
Jul 9 12:34:33 ethic named[14264]: running
The pid 14181 was with the options{} that rndc.conf had.
There was an earlier bracketed list with the same name.
Once I yanked that and fired off /etc/rc.d/named restart,
the pid == 14264 actually worked.
Bear in mind that I'm using FBSD as my server and Ubuntu as
my desktop. ...I'll attach/append my named.conf and if you
have time I would be very grateful for any feedback you care
to offer, time permitting. --For my next trick, I'll build
bind98 and see what breaks. There were a boatload of
errors having to do with some type of key information. bind98
listed the key number in /var/log/messages. That was why I went
back to my elderly [and outdated] bind 9.3.6.
DO I=1, ZILLION
write "thanks much!
END
gary
Attached: ./named.conf
// $FreeBSD: src/etc/namedb/named.conf,v 1.26 2007/08/17 04:37:02 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

acl "thoughts" {
    10.47.0.0/24;       # network addresses of thought.org
    10.47.47.0/24;      # inbound remote vpn network
    127.0.0.1;          # allow loop back
};

//
// Access Control Lists
//
acl "dfwlp" {
    192.168.125.0/24;   # Jonathan Horne's Network (DFW)
};
acl "daniel bye" {
    69.55.236.116/24;   # Daniel Bye's Network (N. England)
};
acl "puck.nether.net" {
    204.42.254.5;       # Chicago Secondary IP;
};
//acl "twisted4life.com" {
////202.157.182.142;    # Net Secondary IP;
//};
acl "ns2.afraid.org" {
    174.37.196.55;      # FreeDNS Site.
};

options {
    directory "/etc/namedb";    # try again; this must be this, obviously
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on { 10.47.0.230; 127.0.0.1; };
    allow-transfer { any; };
};

view "internal" {
    match-clients { thoughts; dfwlp; };
    recursion yes;
    allow-transfer { any; };
    #also-notify { 192.168.125.61; 192.168.125.52; };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
    };
    zone "thought.org" {
        type master;
        file "master/thought.org.i.hosts";
        notify yes;
    };
    zone "0.47.10.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/10.47.0.i.rev";
        notify yes;
    };
    zone "anacondabuilders.us" {
        type master;
        file "/etc/namedb/master/anacondabuilders.us.i.hosts";
        notify yes;
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "thought.org" {
        type master;
        file "/etc/namedb/master/thought.org.e.hosts";
        allow-transfer { any; };
        notify yes;
    };
    zone "213.180.209.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/213.180.209.e.rev";
        allow-transfer { any; };
        notify yes;
    };
    zone "anacondabuilders.us" {
        type master;
        file "/etc/namedb/master/anacondabuilders.us.e.hosts";
        allow-transfer { any; };
        notify yes;
    };
};

# Start of rndc.conf {09 july 11}
key "rndc-key" {
    algorithm hmac-md5;
    secret "oQlBFUkww47vpieGZ68DcA==";
};
###options {
###    default-key "rndc-key";
###    default-server 127.0.0.1;
###    default-port 953;
###};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
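The thread turns on two things a quick pre-flight check would have caught before `named` was restarted: the second `options { }` block that came along when rndc.conf was pasted into named.conf (the "'options' redefined" fatal error in the log above), and the settings Matthew singles out as security-relevant (`recursion` must not be open to the world, zone `file` paths should be absolute because of the `directory` setting). The following is an added example, not code from the thread, from FreeBSD or from BIND: a small stand-alone Python linter that strips named.conf comments in all three styles, walks the brace structure, and reports duplicate top-level `options` blocks, `allow-transfer { any; }` at any level, a view that matches `any` while recursing, and relative `file` paths. The sample config it runs on is constructed for the example (the key secret is a placeholder), and the checker complements, never replaces, `named-checkconf`.

```python
import re

# Tokens: a quoted string, one of { } ;, or a bare word. COMMENT matches strings first
# so that '#' or '//' inside a quoted value is never mistaken for a comment.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop named.conf comments (/* */, //, #) but keep quoted strings as they are."""
    return COMMENT.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def parse(tokens, pos=0):
    """Walk the brace structure; a statement is (words, children), children being the
    list inside '{ ... }' or None for a plain 'word word;' statement."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '{':
            children, pos = parse(tokens, pos + 1)
            stmts.append((words, children))
            words = []
        elif tok == '}':
            return stmts, pos + 1
        elif tok == ';':
            if words:
                stmts.append((words, None))
            words = []
            pos += 1
        else:
            words.append(tok)
            pos += 1
    return stmts, pos

def _block_words(children):
    """Flatten a block of bare entries: { a; b; } -> ['a', 'b']."""
    return [w[0] for w, c in children if w and c is None]

def lint(text):
    """Return human-readable findings for a named.conf text (empty list = nothing found)."""
    top, _ = parse(TOKEN.findall(strip_comments(text)))
    findings = []
    # 1. Two top-level 'options' blocks: named exits with "'options' redefined".
    options = [c for w, c in top if w and w[0] == 'options' and c is not None]
    if len(options) > 1:
        findings.append("'options' defined %d times: named exits with 'options redefined'" % len(options))
    directory = None
    for w, _ in (options[0] if options else []):
        if len(w) > 1 and w[0] == 'directory':
            directory = w[1].strip('"')

    def walk(stmts, where):
        for w, c in stmts:
            if not w:
                continue
            label = ' '.join(w[:2])
            # 2. Zone transfers open to everyone, globally or per zone.
            if w[0] == 'allow-transfer' and c is not None and 'any' in _block_words(c):
                findings.append('allow-transfer { any; } in %s: transfers open to everyone' % where)
            # 3. A view that matches anyone and recurses for them is an open resolver.
            if w[0] == 'view' and c is not None:
                clients, recursion = [], None
                for w2, c2 in c:
                    if w2 and w2[0] == 'match-clients' and c2 is not None:
                        clients += _block_words(c2)
                    if len(w2) > 1 and w2[0] == 'recursion':
                        recursion = w2[1]
                if 'any' in clients and recursion == 'yes':
                    findings.append('%s: recursion yes for match-clients any (open resolver)' % label)
            # 4. Relative 'file' paths resolve against 'directory'; absolute paths avoid surprises.
            if w[0] == 'file' and len(w) > 1 and directory and not w[1].strip('"').startswith('/'):
                findings.append('%s: relative file %s resolves against directory %s' % (where, w[1], directory))
            if c is not None:
                walk(c, label)

    walk(top, 'top level')
    return findings

# Constructed sample modelled on the thread (not the poster's real file): a pasted rndc.conf
# adds a second 'options' block, transfers are open, the external view recurses for anyone.
SAMPLE = '''
acl "thoughts" { 10.47.0.0/24; 127.0.0.1; };
options { directory "/etc/namedb"; allow-transfer { any; }; };
view "internal" { match-clients { thoughts; }; recursion yes;
                  zone "." { type hint; file "named.root"; }; };
view "external" { match-clients { any; }; recursion yes;  /* should be no */
                  zone "example.org" { type master; allow-transfer { any; };
                                       file "/etc/namedb/master/example.org"; }; };
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER-NOT-A-REAL-KEY=="; };
options { default-key "rndc-key"; default-server 127.0.0.1; };  # pasted rndc.conf
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
'''

if __name__ == '__main__':
    for finding in lint(SAMPLE):
        print('-', finding)
```

Run it against a real file with `lint(open('/etc/namedb/named.conf').read())`; on the constructed sample it reports five findings, the duplicate `options` block first. The parser deliberately splits compound statements such as `inet ... allow { } keys { };` at each brace group, which is harmless for these four checks but means it is a lint, not a full named.conf grammar.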