[Samba] Switching from Internal DNS to Bind9_DLZ

lingpanda101 lingpanda101 at gmail.com
Wed Jan 3 18:39:53 UTC 2018


On 1/2/2018 7:41 PM, lingpanda101 wrote:
> On 1/2/2018 4:05 PM, Rowland Penny wrote:
>> On Tue, 2 Jan 2018 15:52:57 -0500
>> lingpanda101 <lingpanda101 at gmail.com> wrote:
>>
>>> On 1/2/2018 3:37 PM, Rowland Penny wrote:
>>>> On Tue, 2 Jan 2018 15:23:18 -0500
>>>> lingpanda101 <lingpanda101 at gmail.com> wrote:
>>>>
>>>>
>>>>> Actually it looks as if Bind isn't running. Though I could've sworn
>>>>> it did at one point.
>>>>>
>>>>> service bind9 restart
>>>>>     * Stopping domain name service... bind9
>>>>>       rndc: connect failed: 127.0.0.1#953: connection refused
>>>>>       [ OK ]
>>>>>     * Starting domain name service... bind9 [fail]
>>>>>
>>>>> Log shows;
>>>>>
>>>>> Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>>>>> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet Systems Consortium,
>>>>> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>>>>> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training for BIND 9 are
>>>>> Jan  2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
>>>>> Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>>>>> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096 to 1048576
>>>>> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
>>>>> Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
>>>>> Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
>>>>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration from '/etc/bind/named.conf'
>>>>> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options' redefined near 'options'
>>>>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already exists
>>>>> Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>>>>>
>>>>> It seems to stem from the issue I had before
>>>>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>>>>
>>>> I reread your earlier post and noticed something I missed earlier,
>>>> do you normally use red-hat ?
>>>> I ask this because you have this line in /etc/bind/named.conf:
>>>>
>>>> include "/etc/bind/named.conf.options";
>>>>
>>>> Followed by:
>>>> # Global Configuration Options
>>>> options {
>>>> .........
>>>> ......
>>>>
>>>>
>>>>
>>>> If this is all in the one file (ala red-hat), then this is your
>>>> problem, debian splits up Bind9 into separate conf files and you
>>>> will have two 'options'
>>>>
>>>> Rowland
>>> I do not. Ubuntu but I do have two CentOS systems.
>>>
>>> The config file was auto-generated when I installed via. apt-get.
>>> This is what it originally contained before I made any modifications.
>>>
>>> // This is the primary configuration file for the BIND DNS server named.
>>> //
>>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>>> // this configuration file.
>>> //
>>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>>
>>> include "/etc/bind/named.conf.options";
>>> include "/etc/bind/named.conf.local";
>>> include "/etc/bind/named.conf.default-zones";
>>>
>>> If I comment out these include files, Bind9 starts. However I do
>>> still get
>>>
>>> rndc: connect failed: 127.0.0.1#953: connection refused
>>>
>>> However I'm still getting the TSIG errors.
>>>
>> These are my named.conf files (with any comments stripped out), they
>> have worked for me for the last 5 years ;-)
>>
>> /etc/bind/named.conf
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> /etc/bind/named.conf.options
>>
>> options {
>>          directory "/var/cache/bind";
>>          version "0.0.7";
>>          notify no;
>>          empty-zones-enable no;
>>          allow-query { 127.0.0.1; 192.168.0.0/24; };
>>          allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>>          forwarders { 8.8.8.8; 8.8.4.4; };
>>          allow-transfer { none; };
>>          dnssec-validation no;
>>          dnssec-enable no;
>>          listen-on-v6 { none; };
>>          listen-on port 53 { 192.168.0.7; 127.0.0.1; };
>>
>>          tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> };
>>
>> /etc/bind/named.conf.local
>>
>> include "/usr/local/samba/private/named.conf";
>>
>>
>> /etc/bind/named.conf.default-zones
>>
>> zone "." {
>>          type hint;
>>          file "/etc/bind/db.root";
>> };
>>
>> zone "localhost" {
>>          type master;
>>          file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.255";
>> };
>>
>> Rowland
>
> Splitting up the config files per your template works for me. Bind 
> starts without any errors. Now it's just the TSIG issue now as far as 
> I can tell. Thank you.
>
For completeness sake of this thread, the issue with TSIG disappeared 
after I moved from the internal DNS to bind on the 2nd DC within the site.

-- 
James
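The failure in this thread (Debian's stock named.conf pulling in named.conf.options through an include while a second `options { ... }` block sits in named.conf itself) is exactly the class of mistake a small include-aware checker can catch before named ever starts. The script below is an added example, not part of the mailing-list discussion or of Samba or BIND: it follows `include` statements, tracks brace depth so that only top-level `options` blocks count, and reports a redefinition in the same shape as the named log line above. The file contents are constructed in memory (the samba-generated named.conf and the module path in it are placeholders), so it runs offline; on a live system the authoritative check is `named-checkconf /etc/bind/named.conf`.

```python
"""Detect a redefined top-level 'options' block across a BIND named.conf and its includes.

Added example for the Samba list thread; not BIND, Samba or Debian code.
"""
import re

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;')
OPTIONS_RE = re.compile(r'^\s*options\s*\{')


def strip_comments(text):
    """Return the config as a list of lines with //, # and /* */ comments removed.

    Block comments are replaced by the same number of newlines so that the
    reported line numbers stay aligned with the original file.
    """
    text = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'), text, flags=re.S)
    return [re.split(r'//|#', line, maxsplit=1)[0] for line in text.splitlines()]


def find_top_level_options(path, files, seen=None):
    """Return [(path, lineno), ...] for every top-level 'options {' reachable from path.

    `files` maps an absolute path to the file's text (a stand-in for the filesystem).
    Includes are followed in order, as named does; include loops are cut short.
    """
    if seen is None:
        seen = set()
    if path in seen:
        return []
    seen.add(path)
    if path not in files:
        raise FileNotFoundError(f"{path}: included file is missing")
    found = []
    depth = 0
    for lineno, line in enumerate(strip_comments(files[path]), start=1):
        if depth == 0:
            inc = INCLUDE_RE.match(line)
            if inc:
                found.extend(find_top_level_options(inc.group(1), files, seen))
                continue
            if OPTIONS_RE.match(line):
                found.append((path, lineno))
        # Nested blocks (zone {...}, dlz {...}) must not hide or fake an options statement.
        depth += line.count('{') - line.count('}')
    return found


def check_options(path, files):
    """Return a list of problems; an empty list means this check passes."""
    hits = find_top_level_options(path, files)
    if not hits:
        return ["no 'options' block found"]
    first_path, first_line = hits[0]
    return [f"{p}:{n}: 'options' redefined (first defined at {first_path}:{first_line})"
            for p, n in hits[1:]]


# Constructed sample: the Debian split layout plus the Samba DLZ include.
SPLIT_LAYOUT = {
    "/etc/bind/named.conf": (
        '// Debian stock named.conf: only includes live here\n'
        'include "/etc/bind/named.conf.options";\n'
        'include "/etc/bind/named.conf.local";\n'
        'include "/etc/bind/named.conf.default-zones";\n'
    ),
    "/etc/bind/named.conf.options": (
        'options {\n'
        '    directory "/var/cache/bind";\n'
        '    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n'
        '};\n'
    ),
    "/etc/bind/named.conf.local": 'include "/usr/local/samba/private/named.conf";\n',
    # Placeholder for the samba-generated file; the module path is not a real value.
    "/usr/local/samba/private/named.conf": (
        '/* generated by samba (placeholder contents) */\n'
        'dlz "AD DNS Zone" {\n'
        '    database "dlopen /PLACEHOLDER/dlz_bind9.so";\n'
        '};\n'
    ),
    "/etc/bind/named.conf.default-zones": (
        'zone "." {\n'
        '    type hint;\n'
        '    file "/etc/bind/db.root";\n'
        '};\n'
    ),
}

# Constructed sample: the same includes, but with a second options block pasted
# into named.conf itself, which is what the thread's 'options' redefined error is about.
BROKEN_LAYOUT = dict(SPLIT_LAYOUT)
BROKEN_LAYOUT["/etc/bind/named.conf"] = SPLIT_LAYOUT["/etc/bind/named.conf"] + (
    '\n'
    '# Global Configuration Options\n'
    'options {\n'
    '    directory "/var/cache/bind";\n'
    '    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n'
    '};\n'
)

if __name__ == "__main__":
    for name, layout in (("split", SPLIT_LAYOUT), ("broken", BROKEN_LAYOUT)):
        problems = check_options("/etc/bind/named.conf", layout)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

The checker reports the broken layout as `/etc/bind/named.conf:7: 'options' redefined (first defined at /etc/bind/named.conf.options:1)`, which is the same diagnosis named gave in the log, while the split layout passes. It deliberately ignores `options` tokens inside `zone` or `dlz` blocks, so the Samba DLZ include does not trigger a false positive.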