Question Slave DNS Manager not syncing (rndc.key location?)

[Herman Ronk]

I'm trying to set up a slave DNS erver but I keep getting errors when trying to sync to the slave server and the zones are not transfered.

The error on the slave:

21-Oct-2017 14:41:08.329 general: debug 1: zone ***/IN: no database exists yet, requesting AXFR of initial version from ***#53
21-Oct-2017 14:41:08.418 xfer-in: info: transfer of '***/IN' from ***#53: connected using ***#34432
21-Oct-2017 14:41:08.509 xfer-in: error: transfer of '***/IN' from ***#53: failed while receiving responses: SERVFAIL
21-Oct-2017 14:41:08.509 general: debug 1: zone ***/IN: zone transfer finished: SERVFAIL
21-Oct-2017 14:41:08.509 general: debug 1: zone_settimer: zone ***/IN: enter
21-Oct-2017 14:41:08.509 general: debug 1: queue_soa_query: zone ***/IN: enter
21-Oct-2017 14:41:08.509 xfer-in: info: transfer of '***/IN' from ***#53: Transfer status: SERVFAIL
21-Oct-2017 14:41:08.509 xfer-in: info: transfer of '***/IN' from ***#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.090 secs (0 bytes/sec)
21-Oct-2017 14:41:08.737 general: debug 1: soa_query: zone ***/IN: enter
21-Oct-2017 14:41:08.738 general: debug 1: cancel_refresh: zone ***/IN: enter
21-Oct-2017 14:41:08.738 general: debug 1: zone_settimer: zone ***/IN: enter

The incoming and outgoing ip adresses are correct.

The configuration on the slave (named.conf)

options {
        directory "/var/cache/bind";

        auth-nxdomain no;    # conform to RFC1035
        listen-on { any; };
        listen-on-v6 { any; };
        allow-new-zones yes;
    };

key "rndc-key-***" {
  algorithm hmac-md5;
  secret "**";
};

controls {
    inet * port 953 allow { ***; ***; 127.0.0.1; } keys { "rndc-key-***"; };
};

logging{
  channel simple_log {
    file "/var/log/named/bind.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default{
    simple_log;
  };
};

The secret is the same as specified in the slave-dns-manager config example:

/*
    Add to named.conf on the remote server (config location depends on the OS of the slave server):
   
    options {
        ...
        allow-new-zones yes;
    };
   
    key "rndc-key-***" {
      algorithm hmac-md5;
      secret "***";
    };
   
    controls {
        inet * port 953 allow { ***; 127.0.0.1; } keys { "rndc-key-***"; };
    };
*/

/*
 SYNOPSIS
   rndc [-b source-address] [-s server] [-p port] [-y key_id] {command} zone [class [view]]
 For example:
   rndc -b *** -s *** -p 953 -y rndc-key refresh example.com IN 
*/

key "rndc-key" {
    algorithm hmac-md5;
    secret "***";
};

And the server is connected correcty according to the webinterface (some logging over there would be nice):



When I check the named.conf file on the Plesk (master) server I see the IP address of the slave in the allowed transfers.

When forcing a resync I see the following in the "/var/log/messages" log:

Oct 21 16:55:36 man named[17744]: reloading configuration succeeded
Oct 21 16:55:36 man named[17744]: reloading zones succeeded
Oct 21 16:55:36 man named[17744]: zone ***/IN: zone serial (1508489703) unchanged. zone may fail to transfer to slaves.
Oct 21 16:55:36 man named[17744]: zone ***/IN: loaded serial 1508489703
Oct 21 16:55:36 man named[17744]: zone ***/IN: sending notifies (serial 1508489703)
Oct 21 16:55:36 man named[17744]: all zones loaded
Oct 21 16:55:36 man named[17744]: running

What could be the problem? The only thing I can think of is the fact that I can't find a rndc.key file on te Plesk (master) server?

The slave is a clean Ubuntu 16.04 LTS server with only Bind running.

Any suggestions about what the problem might be?

 

[IgorG]

The problem may be related to incorrect permissions of zones directory. Unfortunately I can't check it on Ubuntu 16.04 LTS but on my Debain 8 Plesk server I see:

# stat /var/named/run-root/var/
File: ‘/var/named/run-root/var/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8ac0b631h/2327885361d Inode: 28162 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 103/ bind) Gid: ( 107/ bind)

 

[Herman Ronk]

The permissions on my (plesk) server:

# stat /var/named/chroot/var/
File: ‘/var/named/chroot/var/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd00h/64768d Inode: 10199666 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 25/ named) Gid: ( 25/ named)

So the permissions seem to be correct.

Should there be a rndc.key file on the Plesk server?

 

[Herman Ronk]

I've been looking further into the problem.

When I change the rndc key on the slave the error changes to:

3-Oct-2017 18:04:28.456 general: error: invalid command from 95.170.83.72#44285: bad auth
23-Oct-2017 18:04:30.191 general: error: invalid command from 95.170.83.72#51252: bad auth
23-Oct-2017 18:04:34.519 general: error: invalid command from 95.170.83.72#47275: bad auth

So I assume the key is correct, so I guess the problem will be on the Plesk server. But I trully have no idea of where to look for the source of the problem..

 

[UFHH01]

Hi Herman Ronk,

# stat /var/named/chroot/var/
File: ‘/var/named/chroot/var/’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd00h/64768d Inode: 10199666 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 25/ named) Gid: ( 25/ named)

On Ubuntu 16.04.3 LTS‬, I have:

stat /var/named/run-root/var/
  File: '/var/named/run-root/var/'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 902h/2306d      Inode: 22416010    Links: 3
Access: (0755/drwxr-xr-x)  Uid: (  113/    bind)   Gid: (  120/    bind)

How did you install "bind9" on your server?
Which version have you got installed? ( i.e.: apt-cache policy bind9 )


Did you see as well

=> Slave DNS Server​

... for example? It might help you to investigate possible issues.

 

[Herman Ronk]

The installed version:

bind9:
  Installed: 1:9.10.3.dfsg.P4-8ubuntu1.8
  Candidate: 1:9.10.3.dfsg.P4-8ubuntu1.8
  Version table:
 *** 1:9.10.3.dfsg.P4-8ubuntu1.8 500
        500 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.10.3.dfsg.P4-8 500
        500 http://mirrors.digitalocean.com/ubuntu xenial/main amd64 Packages

I followed the instructions as you mentioned (Slave DNS), and even did a complete reinstall of the slave DNS server yesterday evening to make sure no other factors on that server influence the working of the bind installation. I even left the firewall disabled for the moment to make sure connectivity on that end is not a problem.

The Slave DNS is a Ubuntu 16.04.3 LTS installation
The Plesk server is a CentOS Linux release 7.2.1511 (Core)

I suspect the problem to be with the Plesk server since there isn't all that much configured on the slave and I followed the provided instructions to the letter.

nmap master:

Host is up (0.0063s latency).
Other addresses for ***(not scanned): ***
rDNS record for ***
Not shown: 985 filtered ports
PORT     STATE  SERVICE
53/tcp   open   domain
***
***

Nmap done: 1 IP address (1 host up) scanned in 4.49 seconds

nmap slave:

Host is up (0.10s latency).
Other addresses for *** (not scanned): ***
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 15.36 seconds

I would expect the 953 port to be open on the slave, is that a correct assumption? (there is no firewall running, so that would be a problem with the rndc service)

 

[UFHH01]

Hi Herman Ronk,

pls. check, that the keys match at "/etc/bind/rndc.key AND "/etc/bind/named.conf.local".

More informations could be found here:

=> Unable to transfer zone to slave server: zone may fail to transfer to slaves​

 

[Herman Ronk]

The key is in both files the same, and also the same as the config example on the Plesk server (dns-slave-manager)