Bind9 Not Resolving to Root Hints

jmashburn-lct
Posts: 1
Joined: 2022/10/04 19:08:55

Bind9 Not Resolving to Root Hints

Post by jmashburn-lct » 2022/10/04 20:07:33

Good day CentOS community! I'm in a pickle and would like some assistance with a bind9 server that I manage. When I first set it up years ago, everything was fine, and it worked perfectly: one authoritative server that has one slave that gets the zone replicated to it. I updated it from CentOS 7 to CentOS Stream 8 a month ago, and now the only way I can get "recursion" to work is by setting up forwarders. It's almost like the server will not forward local zone requests to the root hints.

Here is some of the pertinent information:

OS Version: CentOS Stream release 8
Kernel: 4.18.0-408.el8.x86_64

named.conf of master:

Code:

acl "networks" {
	a bunch of subnets;
};

options {
	listen-on port 53 { 127.0.0.1; <ipv4 of server>; };
	listen-on-v6 port 53 { ::1; <ipv6 of server>; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };
	allow-transfer	{ localhost; <slave ip>; };
	allow-recursion	{ localhost; networks; };
	allow-recursion-on	{ localhost; networks; };
	notify          yes;
	recursion yes;

	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	forwarders { 8.8.8.8; 8.8.4.4; 208.67.221.76; 208.67.223.76; };

};

logging {
        channel default_debug {
                file "data/named.run";
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "1ofmany.com" IN {
	type master;
	file "1ofmany.com";
	allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

named.conf of slave:

Code:

acl "networks" {
	a bunch of subnets;
};

options {
	listen-on port 53 { 127.0.0.1; <ipv4 of server>; };
	listen-on-v6 port 53 { ::1; <ipv6 of server>; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };
	allow-recursion	{ localhost; networks; };
	allow-recursion-on	{ localhost; networks; };
	notify          yes;
	recursion yes;

	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	forwarders { 8.8.8.8; 8.8.4.4; 208.67.221.76; 208.67.223.76; };

};

logging {
        channel default_debug {
                file "data/named.run";
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "1ofmany.com" IN {
	type slave;
	file "slaves/1ofmany.com";
	masters { <ips of master>; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Supporting logs:

Code:

general: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
lame-servers: info: connection refused resolving './NS/IN': 199.7.91.13#53
lame-servers: info: connection refused resolving 'pool.ntp.org/A/IN': 199.7.91.13#53
managed-keys-zone: journal file is out of date: removing journal file

Any assistance would be greatly appreciated.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind9 Not Resolving to Root Hints

Post by TrevorH » 2022/10/04 21:41:17

By "updated it from CentOS 7 to CentOS Stream 8" I hope you mean "I reinstalled from scratch and set everything back up again". There is no supported upgrade process and the resulting attempt is likely to lead to either an unbootable system or one in a state that is unpredictable.

I'd also ask "why Stream?" since it is effectively a beta version of the next version of RHEL and breaks approximately once a week on average. Some breakages are more severe than others but still broken. There is only one CentOS release now and that is 7; both Streams are beta and are no longer what CentOS once was.

I do run a pair of DNS servers at home and one is slaved to the other. That's not on CentOS Stream but on Debian and the versions of bind there are 9.18.7 and 9.16.27 and transfers work fine with exactly the same config that I used when they were on CentOS 7. My /var/named/chroot/etc/named.conf.local looks like this:

Code:

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        managed-keys-directory "/var/named/dynamic";
        masterfile-format text;

        allow-query { internal-net; };
        allow-query-cache { internal-net; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on { any; };
        listen-on-v6 { any; };
        allow-notify { ip.of.slave; };
        };

And the same file on the slave but with the master ip in allow-notify.

Also check your firewalls to make sure that TCP port 53 is allowed on both.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
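The two symptoms quoted in the first post (a "connection refused" from a root server address on the './NS/IN' priming query, and a timed-out DNSKEY fetch for '.') are what TrevorH's firewall suggestion is aimed at. The following script is an added example, not from either poster or from the BIND project: it parses named resolver log lines of that shape, groups failures by upstream address, and reports whether root priming and the root trust-anchor fetch failed. The sample log is constructed to mirror the quoted lines plus one extra line; the regexes assume the `<reason> resolving '<name>/<type>/<class>': <ip>#<port>` format seen in the post, and the wire-level interpretations are general networking knowledge rather than facts from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
general: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
lame-servers: info: connection refused resolving './NS/IN': 199.7.91.13#53
lame-servers: info: connection refused resolving 'pool.ntp.org/A/IN': 199.7.91.13#53
managed-keys-zone: journal file is out of date: removing journal file
lame-servers: info: timed out resolving 'example.net/A/IN': 198.41.0.4#53
"""

# "<reason> resolving '<qname>/<qtype>/<qclass>': <ip>#<port>" as in the quoted lame-servers lines.
RESOLVE_RE = re.compile(
    r"(?P<reason>connection refused|timed out|network unreachable|host unreachable)"
    r" resolving '(?P<qname>[^/']+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': "
    r"(?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+)"
)
# Trust-anchor maintenance failure, as in the quoted managed-keys-zone warning.
DNSKEY_RE = re.compile(r"Unable to fetch DNSKEY set '(?P<zone>[^']+)': (?P<reason>.+)$")

# General meaning of each failure reason on the wire (interpretation, not taken from the thread).
HINTS = {
    "connection refused": "an ICMP port-unreachable or TCP RST came back: a firewall, NAT "
                          "or the host itself is actively rejecting port 53 to this upstream "
                          "(a root server does not refuse queries)",
    "timed out": "no reply at all: packets are being dropped silently (stateful firewall, "
                 "missing route or egress filtering)",
    "network unreachable": "the kernel has no route to the upstream (often a missing IPv6 default route)",
    "host unreachable": "no ARP/neighbour entry or a gateway rejected the packet",
}


def parse_line(line):
    """Return a dict describing a resolver failure, or None for unrelated lines."""
    m = RESOLVE_RE.search(line)
    if m:
        return {"kind": "resolve", **m.groupdict()}
    m = DNSKEY_RE.search(line)
    if m:
        return {"kind": "dnskey", **m.groupdict()}
    return None


def summarize(log_text):
    """Group failures per upstream and flag root priming / trust-anchor problems."""
    by_upstream = defaultdict(Counter)
    root_priming_failed = False
    trust_anchor_failed = False
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "resolve":
            by_upstream[ev["ip"]][ev["reason"]] += 1
            # The './NS/IN' query is named's priming query against the root hints.
            if ev["qname"] == "." and ev["qtype"] == "NS":
                root_priming_failed = True
        elif ev["zone"] == ".":
            trust_anchor_failed = True
    return {
        "by_upstream": {ip: dict(c) for ip, c in by_upstream.items()},
        "root_priming_failed": root_priming_failed,
        "trust_anchor_failed": trust_anchor_failed,
    }


def diagnose(summary):
    """Turn the summary into plain-language findings for the operator."""
    findings = []
    if summary["root_priming_failed"] and summary["trust_anchor_failed"]:
        findings.append("Root priming and the root DNSKEY fetch both failed: named cannot reach the "
                        "root servers, so only queries that go through forwarders can succeed. "
                        "Check that UDP and TCP 53 egress is allowed to arbitrary Internet hosts, "
                        "not just to the forwarder addresses.")
    for ip, reasons in sorted(summary["by_upstream"].items()):
        for reason, n in sorted(reasons.items()):
            findings.append(f"{ip}: {n}x '{reason}' -> {HINTS.get(reason, 'unknown reason')}")
    return findings


def main():
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)


if __name__ == "__main__":
    main()
```

Run against a real `named.run` with `summarize(open("/var/named/data/named.run").read())`; a single upstream answering "connection refused" while forwarders work is the pattern that points at the local egress filter rather than at BIND or the root hints file.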