RNDC setup: WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Nothing major, just a small annoyance for a future bug-fix:

On a fresh Ubuntu 12.04 LTS (running inside a Xen virtual server) with latest Virtualmin PRO or GPL, when re-enabling (by mistake, too quickly reading, as it already was installed and enabled!) RNDC there is a warning on restart of bind:

# service bind9 restart
* Stopping domain name service... bind9
WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
waiting for pid 11749 to die
   ...done.
* Starting domain name service... bind9
   ...done.
#

Removing file /etc/bind/rndc.conf is enough to fix that issue, but it looks like Virtualmin latest does keep that leftover after configuration.

Saw the infos here: http://www.rainingpackets.com/bind-rndc-error-debian-ubuntu/ http://ubuntuforums.org/showthread.php?t=1543750 http://comments.gmane.org/gmane.network.dns.bind.user/40049

I then had:

# rm /etc/bind/rndc.conf
# service bind9 restart
* Stopping domain name service... bind9
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
waiting for pid 23919 to die
   ...done.
* Starting domain name service... bind9
   ...done.
#

I then checked if the keys in /etc/bind/rndc.key and in /etc/bind/named.conf matched, and sure they didn't match, so I stopped bind9, checked that rndc was not running, copied the rndc.key into the named.conf key, and could start and restart named without errors:

# service bind9 start
* Starting domain name service... bind9
   ...done.
# service bind9 restart
* Stopping domain name service... bind9
waiting for pid 27236 to die
   ...done.
* Starting domain name service... bind9
   ...done.
#

All ok with bind on that new server now!

Reference for the solution: http://antono.info/eng/2009/05/15/rndc-connection-issue-resolved http://serverfault.com/questions/141039/bind9-zone-files

(still have an issue on another secondary name server that I need to troubleshoot (where I restored a saved config from a Webmin running on Ubuntu 8.04LTS, now I know that it doesn't save a lot of things and that I have to copy over configs one by one over the web-interface).

Will add to here once i have troubleshooted.

Status: 
Active

Comments

That's odd, as the Virtualmin install doesn't setup RNDC by default.

DId you ever setup RNDC at Webmin -> Servers -> BIND DNS Server -> Setup RNDC ?

That's what happens when I go set it up (thinking that it wasn't setup, and not reading well enough the message saying that it seems already installed just fine).

Looks like Ubuntu 12.04 LTS sets it up (? will check again at next virtual server i'm installing tonight).

But then when Webmin re-sets-it-up, it doesn't take in account the existing rndc.key, and doesn't put the info into rndc.key, and delete the new rndc.conf.

Nothing important imho. The only one i didn't find a workaround for is the fact that i can't set webmin to start automatically at boot.

Side question:

Also what is your recommended way of migrating a secondary DNS server from an old host Ubuntu 8.04LTS to a new host Ubuntu 12.04LTS, while keeping the IP address of the DNS ?

I'm looking at 2 variants:

---> Variant A (i tried it on a secondary DNS already, and ended up with Virtualmin thinking that the bind server is not running, while it's running just fine):

  • Backup in Webmin on old server the BIND DNS server in webmin backup-restore

  • shut server down

  • assign old ip to new server and restart it

  • restore bind settings in webmin backup-restore

---> Variant B:

  • setup the new server as secondary DNS

  • shut down old, reassign old ip to new server

  • remove the server from secondary DNS role on all primaries, and re-add it, to re-sync all domains

After the issues with Variant A, i'm tending to Variant B, but is it enough ?

And is same method B also fine for secondary mail servers ?

Also looking for one server to have the primary DNS server and the mail server separate from the Webserver, still looking where to find the how to. Thought i saw it somewhere but don't find it again.

Many thanks for your help :-)

Would it be possible to get copies of the named.conf , rndc.conf and rncd.key files from a newly installed Ubuntu 12.04 system? Clearly webmin is making some incorrect assumptions about their locations and/or formats ..

As for your secondary DNS question, option B looks best to me. Although you may want to do the removal before shutting down the old server.

Newly installed Ubuntu 12.04LTS server doesn't have bind installed by default. It's Virtualmin which installs that (we let Virtualmin install all the packages it needs directly on a blank new server, then later add missing packages.

Which installs these:

INFO - Installing dependencies using command: /usr/bin/apt-get --config-file apt.conf.noninteractive -y --force-yes install postfix postfix-pcre webmin usermin ruby libapache2-mod-ruby libxml-simple-perl libcrypt-ssleay-perl unzip zip libfcgi-dev bind9 spamassassin spamc procmail libnet-ssleay-perl libpg-perl libdbd-pg-perl libdbd-mysql-perl quota iptables openssl python mailman subversion ruby irb rdoc ri mysql-server mysql-client mysql-common postgresql postgresql-client awstats webalizer dovecot-common dovecot-imapd dovecot-pop3d proftpd libcrypt-ssleay-perl awstats clamav-base clamav-daemon clamav clamav-freshclam clamav-docs clamav-testfiles libapache2-mod-fcgid apache2-suexec-custom scponly apache2 apache2-doc libapache2-svn libsasl2-2 libsasl2-modules sasl2-bin php-pear php5 php5-cgi libgd2-xpm libapache2-mod-php5 php5-mysql

installing just bind9 with:

apt-get install bind9

on a fresh Ubuntu 12.04 LTS server, gives following files:

/etc/bind# ls
bind.keys  db.empty    named.conf.default-zones  zones.rfc1918
db.0       db.local    named.conf.local
db.127     db.root     named.conf.options
db.255     named.conf  rndc.key

There is NO rndc.conf

I'm attaching the requested files of just apt-get install bind9.

Do you also need the files that are there after running the install.sh script of Virtualmin ? or even after the setup wizzard ?

Thanks for plan B hint to remove.

Does Virtualmin support primary DNS virtualmin/webmin which is "slave of main webserver which does not have local primary DNS server but still bind9 installed" ? any URL on howto configure this ? ;) and same questions for "slave virtualmin postfix server" ? ;)

That all looks OK to me.

So when you setup RNDC in Webmin, it should do two things :

  1. Generate the /etc/rndc/rndc.conf file containining something like :
key "rndckey" {
algorithm hmac-md5;
secret "9pFO5Ro5EoGs1QMoNQFpQA==";
};

options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
  1. Add a corresponding block to named.conf with the same key.

Is the real issue that on Ubuntu 12.04, the rndc command actually reads from /etc/bind/rndc.key instead of .conf ?

  1. Yes, virtualmin generates a file that looks like this:
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "qKK5RgG/OjLfKQnUX0jhgQ==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "qKK5RgG/OjLfKQnUX0jhgQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

So looks "half-unfinished".

  1. Yes, that's how I understand it. Ubuntu uses rndc.key. That's also what I understand from the threads I pasted above.

You can check on the test-system i set up for you when you install virtualmin. :-)

So I did some testing, and I think this warning is kind of harmless - Webmin sets up rndc.conf and the rndc command uses that file, but for some reason spits out a warning about rndc.key.

You can verify this by running "rndc reload" and then checking /var/log/syslog for messages from BIND.

Indeed, it seems to still work.

But i was under the impression that in some cases the warning would trigger Virtualmin to see BIND not working properly, as I have the case on another secondary DNS server that i migrated with method of variant A above (and waiting to re-migrate with method of variant B to clean up that bug, and a few others).

I usually like to not have warnings when starting/stopping/restarting services, as automated tools can pick them up, or myself can get worried if i forget about "normal warnings".... :-D

So the warning remains ? ;-)

And my "btw" side-question still remains: ;-) :

Does Virtualmin support a separate primary DNS virtualmin/webmin server from the web server ? one which is "slave of main webserver which does not have local primary DNS server but still bind9 installed" ? any URL on howto configure this ? ;) and same questions for "slave virtualmin primary postfix server" ? ;)

should i open a separate support ticket for that side-question ?

I can't really control the warning, as it is issued (for no good reason in my opinion) by the rndc command. However, deleting the /etc/bind/rndc.key file should fix it..

Regarding your other question, this is not really supported - the primary DNS has to be on the Virtualmin system. However, you don't necessarily have to use the primary in your DNS registration or NS records. This "hidden primary" setup would cause all queries to be served by the slaved.

I think i tried earlier deleting the rndc.key file but bind/rndc didn't like that...

Anyway, as said initially, not a big issue.

Regarding the side-question, first part for DNS: That's what we do now, but then the DNS-records still show as SOA and name-server the web-server. Which then makes check-tools, like the very nice http://www.intodns.com complain about mismatches. So the real question is: can the webserver NOT be listed as SOA and DNS in the DNS replies ?

Regarding the 2nd part of the side-question: is it possible to have for website-domain-related postfix/devcot mail servers installed/managed/clustered (like secondary mail servers already are) on a slave virtualmin/webmin instead of on the webserver ? I remember to have read a howto for that, but i might be confusing it with the setup for mysql on a separate server.

A note on nameserver terminology here, since I'm seeing "primary" and "slave" mixed up.

The term "primary" is usually used when telling the registrar what your nameservers are. There they're called "primary", "secondary" and so on.

"Slave" is used server-side in a master-slave relationship. The master holds the main copy of the zone and makes changes to it. Slaves download the zone from the master.

There is no strict coupling of "primary/secondary" and "master/slave". Any nameserver on your servers can be used in any registrar-side role. So when your master server is not used as an Internet-facing nameserver at the registrar, that's called a "hidden master".

You can configure what nameserver is stated in the SOA record in Virtualmin's Server Templates, section "BIND DNS Domain", entry "Master DNS Server Hostname".

You can completely control the SOA and NS records in Virtualmin, so as to exclude the system running Virtualmin. This can all be done on the server templates page..

Mail processing cannot be offloaded to another system though.

Thanks Jamie,

RNDC warning:

  • can probably be closed as "won't fix".

DNS question:

  • I understand that. :-) i was using the term slave in relation of virtualmin clusters, not for DNSes, sorry for the misunderstanding. For DNSes, it was really about SOA and not listing the web-server:

  • So Many Thanks for the hint to the server template DNS section, will look into that, seems to solve the issue of "stealth NS records" and "Missing nameservers reported by parent by RFC2181 5.4.1)". :-)

Offloaded mail server:

  • Ok, I guess I can then just do following when restoring the few domains which need the webserver+mailserver to split it in 2:

  • restore all web-server related items on new web server

  • restore just the mail-server related items on new mail server

  • fix the missing DNS "hidden master" entries on the server handling the dns (web server or mail server, need to see which is better suited, probably web-server is more flexible for that).

Thanks for the answers and other fixes :-)

Automatically closed -- issue fixed for 2 weeks with no activity.

Comment#5 working for me. thank you.