Date:      Sat, 9 Jul 2011 13:05:51 -0700
From:      Gary Kline <kline@thought.org>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: DNS and file system messed up...
Message-ID:  <20110709200551.GB3798@thought.org>
In-Reply-To: <4E180DDD.1020505@infracaninophile.co.uk>
References:  <20110707180041.GA90387@thought.org> <20110708055837.GA21564@thought.org> <CDA23F69-BA47-4D83-856E-1DE15F135243@lafn.org> <4E16C779.6000607@infracaninophile.co.uk> <20110708220452.GB26712@thought.org> <4E180DDD.1020505@infracaninophile.co.uk>

On Sat, Jul 09, 2011 at 09:14:21AM +0100, Matthew Seaman wrote:
> Date: Sat, 09 Jul 2011 09:14:21 +0100
> From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
> Subject: Re: DNS and file system messed up...
> To: Gary Kline <kline@thought.org>
> CC: freebsd-questions@freebsd.org
> 
> On 08/07/2011 23:04, Gary Kline wrote:
> > On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote:
> >> Date: Fri, 08 Jul 2011 10:01:45 +0100
> >> From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
> >> Subject: Re: DNS and file system messed up...
> >> To: freebsd-questions@freebsd.org
> >>
> >> On 08/07/2011 08:25, Doug Hardie wrote:
> >>> On 7 July 2011, at 22:58, Gary Kline wrote:
> >>>
> >>>>>>> Jul  7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
> >>>>>>> Jul  7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
> >>
> >>> The first one that fails is looking for /etc/named.conf.  The second
> >>> one shows it's in /var/named/etc/namedb/named.conf
> >>
> >>> Those are different locations.  I suspect you have named_flags setup
> >>> in rc.conf pointing to /etc/namedb/named.conf rather than the right
> >>> location.  It's also possible that it's not set in rc.conf but defaults
> >>> in either the rc script or /etc/rc.d/named.  On my system it appears
> >>> to default in /etc/rc.d/named.
> >>
> >> FreeBSD defaults to running named chrooted.  /etc/namedb is actually a
> >> symbolic link:
> > 
> > 
> > hi matthew,
> > 
> > i found an in-depth post you wrote re mtree yesterday ( 07july ),
> > but i figured it was over my head in resetting anything i might need
> > to reset.  i was going to write you offlist.  decided to ask the
> > entire list.
> > 
> > 
> >>
> >> % ls -la /etc/namedb
> >> lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ ->
> >> /var/named/etc/namedb
> >>
> >> so the files referenced are in fact exactly the same file.  However, the
> >> flags from the log extract don't look like the defaults to me.  (I'm
> >> running the dns/bind98 port, and the equivalent info from the log line
> >> is '-t /var/named -u bind')
> > 
> > 
> > i was using bind98 rather than the earlier bind9 which is out of
> > date.  but bind98 gave me troubles with the rndc.key and other, so i
> > chose to go back  with what worked.  --first thing is to get this
> > working with the older bind9.  FWIW, both bind9s have given me the same 
> > error and failure.  i have walked thru the named script to the point
> > where it creates the symlink.  regardless, i cannot understand the
> > error and failure messages.  i only know that my kill -9 and my 
> > initialization "by hand" work.  
> >>
> >> Gary, what named related settings do you have in /etc/rc.conf?  You
> >> almost certainly don't need anything more than:
> >>
> >> named_enable="YES"
> >>
> >> and perhaps
> >>
> >> syslogd_flags="-ss -l /var/named/var/run/log"
> >>
> >> so named can log to the system syslog.
> > 
> > 
> > Hmmm [&c].  as you may have seen in my post to Doug H. i only have 
> > 
> > 
> > --
> > 
> > named_enable="YES"
> > named_program="/usr/local/sbin/named"
> > named_pidfile="/var/run/named/pid"
> 
> OK.  The good news is that the configuration that works for the system
> built-in version of named will work for the dns/bind98 port with very
> minor changes, if any.
> 
> First:  where everything should live
> 
>    /etc/namedb/named.conf --- named's config file
>    /etc/namedb/master     --- zone files this server is master for
>    /etc/namedb/slave      --- zone files this server slaves from
>                               another master (rw by named)
>    /etc/namedb/working    --- named's working directory (rw by named)
>    /etc/rndc.conf         --- config file for rndc
> 
> There are various other files and directories under /etc/namedb which
> you may or may not need depending on how you configure named; in any
> case, just leave them in their default locations and with the
> permissions the system gives them.  (You can use mtree(8) to fix them up
> if necessary -- but that's a whole other posting)
> 
> Now, although named defaults to running chrooted into /var/named, you
> don't need to mention that path explicitly anywhere in the config.  In
> fact, you should think about the configuration as if there was no
> chrooting happening at all.
> 
> Second: rc.conf settings
> 
>   named_enable="YES"
>   syslogd_flags="-ss -l /var/named/var/run/log"
> 
> should be all you need to use the built-in version of named.
> 
> Third: rndc configuration
> 
>   Generate a new rndc key and a config file by:
> 
>    # rndc-confgen > /etc/namedb/rndc.conf
> 
> This should create a new file /etc/namedb/rndc.conf preconfigured to
> work with the named instance on the localhost.  Look at the text of
> the file -- commented out there's a chunk of stuff to copy into
> named.conf  So let's do that.
> 
> If the file contains:
> 
> # key "rndc-key" {
> # 	algorithm hmac-md5;
> # 	secret "0ABCDE123+45+67890==";
> # };
> #
> # controls {
> # 	inet 127.0.0.1 port 953
> # 		allow { 127.0.0.1; } keys { "rndc-key"; };
> # };
> 
> Then copy that without the '#' quotes into named.conf  In fact, I find
> it helps to add a control for access to ::1 as well.  So add this text
> to /etc/namedb/named.conf:
> 
> key "rndc-key" {
>     algorithm hmac-md5;
>     secret "0ABCDE123+45+67890==";
> };
> 
> controls {
>     inet 127.0.0.1 port 953
>         allow { 127.0.0.1; } keys { "rndc-key"; };
>     inet ::1 port 953
>         allow { ::1; } keys { "rndc-key"; };
> };
> 
> Fourth: set up named.conf
> 
> As I don't know much about the config you want, I'm going to have to keep
> this to generalities.
> 
> In the options section you should have some standard boiler-plate:
> 
> options {
>     directory           "/etc/namedb/working";
>     pid-file            "/var/run/named/pid";
>     dump-file           "/var/dump/named_dump.db";
>     statistics-file     "/var/stats/named.stats";
>     memstatistics-file  "/var/stats/named.memstats";
> 
> For security purposes you can turn off named's built-in version display etc.
> 
>     version             none;
>     hostname            none;
>     server-id           none;
> 
> Also for security purposes, configure named to use as many UDP ports as
> possible:
> 
>     use-v4-udp-ports   { range 1024 65535; };
>     use-v6-udp-ports   { range 1024 65535; };
> 
> There's a bunch of other stuff I could talk about to go into options,
> but that's a matter of individual choice and this message is long enough
> already.  One of the more important things I'm glossing over is the
> 'recursion' setting -- this needs to be carefully restricted to only
> being available to your own network, as there are plenty of nasty
> attacks that are enabled by opening recursion to the world.
> 
> When it comes to zone file statements, one slight gotcha is that you
> should give /absolute/ filenames -- that's a consequence of the
> 'directory' setting above.  Remember the bit about pretending that
> chrooting isn't happening? It applies here.  So, for instance,
> you'd want something like this for localhost:
> 
>     zone "localhost"
>     {
>         type master;
>         file "/etc/namedb/master/localhost-forward";
>     };
>     zone "127.in-addr.arpa"
>     {
>         type master;
>         file "/etc/namedb/master/localhost-reverse";
>     };
> 
>     // RFC 1912-style zone for IPv6 localhost address
>     zone "0.ip6.arpa"
>     {
>         type master;
>         file "/etc/namedb/master/localhost-reverse";
>     };
> 
> Those zone files should be present as part of the standard system.
> Note: you can use ACLs and/or views to control access to these localhost
> zones.  It's only your local trusted clients that need any access.
> 
> For zones that you are serving to the general public -- ie. the zones
> you are authoritative for, you'd have something like this:
> 
>     zone "infracaninophile.co.uk" {
>         type master;
>         file "/etc/namedb/master/infracaninophile.co.uk";
>         allow-query {
>             any;
>         };
>         allow-transfer {
>             secondaries;
>         };
>     };
> 
> Fifth: testing
> 
> Use named-checkconf to test that your config is going to work:
> 
>     # named-checkconf /etc/namedb/named.conf && echo "Everything is OK"
> 
> If named-checkconf prints anything out, that's a problem which needs to
> be fixed.  named-checkconf remaining silent is a good sign.
> 
> Sixth: start named up
> 
>     # /etc/rc.d/named start
> 
> Look at the logging output in /var/log/messages to check everything is
> running OK, and test that rndc works by 'rndc status'
> 
> Seventh: there is no seventh.
> 
> Well, actually, there are changes you would need to make to use the
> dns/bind98 port, but very few.
> 
> Check that /usr/local/etc/rndc.conf is a symlink to /etc/namedb/rndc.conf
> -- this should be created automatically when you install the port.
> 
> Use /usr/local/sbin/named-checkconf to verify that your named.conf is OK
> with the newer named version.  Unless you're using DNSSEC it almost
> certainly will be.
> 
> Stop named running and add
> 
>    named_program="/usr/local/sbin/named"
> 
> to /etc/rc.conf  Restart named.  Done.
> 
> 	Cheers,
> 
> 	Matthew
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
> 


	Matthew, 

	Adding the new rndc.conf (and adjusting for the two "options
	{ }") seems to have fixed things.  From the messages file,
	where before an individual shell script got things going,
	it looks like so:


Jul  9 12:32:44 ethic named[14181]: starting BIND 9.3.6-P1 -c
/etc/namedb/named.conf -t /var/named -u bind
Jul  9 12:32:44 ethic named[14181]: /etc/namedb/named.conf:107:
'options' redefined near 'options'
Jul  9 12:32:44 ethic named[14181]: loading configuration: already
exists
Jul  9 12:32:44 ethic named[14181]: exiting (due to fatal error)
Jul  9 12:34:32 ethic named[14264]: starting BIND 9.3.6-P1 -c
/etc/namedb/named.conf -t /var/named -u bind
Jul  9 12:34:33 ethic named[14264]: command channel listening on
127.0.0.1#953
Jul  9 12:34:33 ethic named[14264]: the working directory is not
writable
Jul  9 12:34:33 ethic named[14264]: running

	The pid 14181 was with the options{} that rndc.conf had.
	There was an earlier bracketed list with the same name.
	Once I yanked that and fired off /etc/rc.d/named restart,
	the pid == 14264 actually worked.  

	Bear in mind that I'm using FBSD as my server and Ubuntu as
	my desktop.  ...I'll attach/append my named.conf and if you
	have time I would be very grateful for any feedback you care
	to offer, time permitting.  --For my next trick, I'll build
	bind98 and see what breaks.  There were a boatload of
	errors having to do with some type of key information.  bind98
	listed the key number in /var/log/messages.   That was why I went
	back to my elderly [and outdated] bind9-3.6.

DO I=1, ZILLION
	write "thanks much!"
END

	gary

	Attached: ./named.conf




// $FreeBSD: src/etc/namedb/named.conf,v 1.26 2007/08/17 04:37:02 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

acl "thoughts" {
        10.47.0.0/24;		# network addresses of thought.org
        10.47.47.0/24;		# inbound remote vpn network
        127.0.0.1;		# allow loop back
};

//
// Access Control Lists
//
acl "dfwlp" {
        192.168.125.0/24;    # Jonathan Horne's Network  (DFW)
};
acl "daniel bye" {
        69.55.236.116/24;    # Daniel Bye's Network      (N. England)
};

acl "puck.nether.net" {
	204.42.254.5;       #  Chicago Secondary IP;
};
//acl "twisted4life.com" {
	////202.157.182.142;       # Net Secondary IP;
//};

acl "ns2.afraid.org" {
	174.37.196.55;       # FreeDNS Site.
};

options {
        directory       "/etc/namedb"; # try again; this must be this, obviously
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on       { 10.47.0.230; 127.0.0.1; };
        allow-transfer { any;}; 
};
view "internal" {
        match-clients { thoughts; dfwlp; };
        recursion yes;
        allow-transfer { any; };
        #also-notify { 192.168.125.61; 192.168.125.52; };
        zone "." {
                type hint;
                file "named.root";
        };
        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "master/localhost.rev";
        };
        zone "thought.org" {
                type master;
                file "master/thought.org.i.hosts";
                notify yes;
                };
        zone "0.47.10.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/10.47.0.i.rev";
                notify yes;
                };
        zone "anacondabuilders.us" {
                type master;
                file "/etc/namedb/master/anacondabuilders.us.i.hosts";
                notify yes;
                };
};
view "external" {
        match-clients { any; };
        recursion no;
        zone "thought.org" {
                type master;
                file "/etc/namedb/master/thought.org.e.hosts";
        	allow-transfer { any;}; 
                notify yes;
                };
        zone "213.180.209.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/213.180.209.e.rev";
                allow-transfer {any;};
                notify yes;
                };

	zone "anacondabuilders.us" {
                type master;
                file "/etc/namedb/master/anacondabuilders.us.e.hosts";
                allow-transfer { any;  };
                notify yes;
		};
};


# Start of rndc.conf  {09 july 11}
key "rndc-key" {
	algorithm hmac-md5;
	secret "oQlBFUkww47vpieGZ68DcA==";
};

###options {
	###default-key "rndc-key";
	###default-server 127.0.0.1;
	###default-port 953;
###};
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
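The fatal "'options' redefined" start-up seen in the log above, and the two cautions in Matthew's message (allow-transfer and recursion opened to the world), can be caught before named is restarted. The linter below is an added example, not code from this thread or from BIND: it carries its own small tokenizer and parser for named.conf syntax, and SAMPLE_CONF is a constructed config that mirrors the layout of the attached file with placeholder addresses, ACL names, zone names and key secret (none of them taken from the page). It flags a duplicated options{} block, an rndc key still on hmac-md5 (the hmac-sha256 suggestion assumes a BIND release new enough to support it), a missing 'version none', allow-transfer { any; } anywhere, and recursion yes in a scope reachable by clients matching 'any'. A view without match-clients is treated as matching every client, which is BIND's default.

```python
"""Lint a BIND named.conf for the problems raised in this thread (added example; SAMPLE_CONF is constructed)."""
import re

# Lexer: whitespace and the three named.conf comment styles (//, #, /* */) are
# dropped, quoted strings lose their quotes, and { } ; are structural tokens.
_TOKEN = re.compile(r'''\s+|//[^\n]*|\#[^\n]*|/\*.*?\*/
                        |"(?P<str>[^"]*)"|(?P<punct>[{};])|(?P<word>[^\s{};"]+)''',
                    re.VERBOSE | re.DOTALL)

def tokenize(text):
    out, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        if m.lastgroup:                      # None for whitespace and comments
            out.append(m.group(m.lastgroup))
    return out

def parse(tokens, i=0, nested=False):
    """Return (statements, next_index).  A statement is a list of words and nested
    blocks:  zone "x" { type master; };  ->  ['zone', 'x', [['type', 'master']]]"""
    stmts, stmt = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == ';':
            if stmt:
                stmts.append(stmt)
            stmt = []
        elif tok == '{':
            body, i = parse(tokens, i, nested=True)
            stmt.append(body)
        elif tok == '}':
            if not nested:
                raise ValueError("unbalanced '}'")
            return stmts + ([stmt] if stmt else []), i
        else:
            stmt.append(tok)
    if nested:
        raise ValueError("missing '}'")
    return stmts + ([stmt] if stmt else []), i

def _words(s): return [p for p in s if isinstance(p, str)]
def _block(s): return next((p for p in s if isinstance(p, list)), [])
def _named(stmts, name): return [s for s in stmts if s and s[0] == name]
def _value(stmts, name): return next((_words(s)[1:] for s in _named(stmts, name)), None)
def _has_any(block): return any(x[:1] == ['any'] for x in block)

def _walk(stmts, ctx, out, public):
    """Recurse through options/view/zone; 'public' means clients matching 'any' reach here."""
    for s in stmts:
        w, b = _words(s), _block(s)
        if not w:
            continue
        if w[0] == 'allow-transfer' and _has_any(b):
            out.append(f"WARN: {ctx}: allow-transfer {{ any; }} lets anyone AXFR the zone")
        elif w[0] == 'recursion' and w[1:] == ['yes'] and public:
            out.append(f"WARN: {ctx}: recursion offered to clients matching 'any'")
        elif w[0] == 'options':
            _walk(b, 'options', out, public and not _named(b, 'allow-recursion'))
        elif w[0] == 'view' and len(w) > 1:     # a view without match-clients matches any
            mc = _named(b, 'match-clients')
            _walk(b, f"view {w[1]}", out, _has_any(_block(mc[0])) if mc else True)
        elif w[0] == 'zone' and len(w) > 1:
            _walk(b, f"{ctx}/zone {w[1]}", out, public)

def lint(text):
    conf, _ = parse(tokenize(text))
    out = []
    # named exits with "'options' redefined" on a second options{} block; the
    # usual cause is pasting rndc.conf into named.conf with its options{} intact.
    if len(_named(conf, 'options')) > 1:
        out.append("FATAL: 'options' defined more than once")
    for k in _named(conf, 'key'):
        if _value(_block(k), 'algorithm') == ['hmac-md5']:
            out.append(f"WARN: key {' '.join(_words(k)[1:])} uses hmac-md5; newer BIND supports hmac-sha256")
    if not any(_value(_block(o), 'version') == ['none'] for o in _named(conf, 'options')):
        out.append("INFO: no 'version none' in options; named will reveal its version")
    _walk(conf, 'top', out, True)
    return out

SAMPLE_CONF = r'''
acl "lan" { 10.47.0.0/24; 127.0.0.1; };       // placeholder addresses
acl "secondaries" { 192.0.2.53; };
options {
    directory "/etc/namedb/working";
    allow-transfer { any; };                  # open AXFR for every zone
};
view "internal" {
    match-clients { lan; };
    recursion yes;                            # fine: only the LAN matches
    zone "example.org" { type master; file "/etc/namedb/master/example.org.i"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.org" { type master; file "/etc/namedb/master/example.org.e";
                         allow-transfer { any; }; };
};
# --- pasted from rndc.conf, including its own options{} block ---
key "rndc-key" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXI="; };
options { default-key "rndc-key"; default-server 127.0.0.1; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
'''
```

Run it on the real file with lint(open('/etc/namedb/named.conf').read()) and fix every FATAL before /etc/rc.d/named restart; the WARN lines are the policy points Matthew raises (restrict allow-transfer to your secondaries' ACL, keep recursion off any view that matches 'any'). named-checkconf remains the authoritative syntax check; this only looks for the handful of mistakes discussed here.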



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110709200551.GB3798>