2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many newcomers are not clear about the DNS password (rndc key) problem analysed below. To help, the editor explains it in detail; anyone who needs it can follow along, and I hope you gain something from it.
I have been looking into DNS configuration, but a lot of the information is out of date, especially about KEY and RNDC. The document used this time is an article on this site, "The configuration of BIND9". Doing only that part would be a mistake:
The main problem encountered with bind 9.1.1 is that ndc cannot be used. ndc controls the stop, start and reload of bind locally.
In 9.1.0 and above, ndc was dropped and replaced by rndc. As the name implies, rndc is an ndc that supports remote control, and it must use a password to communicate with bind.
rndc had not been working at all; it took more than a day before it was finally settled, and poor English nearly killed me. Let's take Red Hat 7.0 as an example to introduce the process.
The specific compilation and installation process will not be written up here; please refer to the bind8 documentation.
The password is put in /etc/rndc.conf. The method is as follows:
Use dnssec-keygen to generate a password, with the following command:
dnssec-keygen -a HMAC-MD5 -b 192 -n HOST rndc
This generates 2 files, Krndc.xxxx.key and Krndc.xxxx.private.
Copy the key string from Kmykey.xxxx.private and make the following section:
key "mykey" {
    algorithm "hmac-md5";
    secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY";
};
Put it at the end of /etc/rndc.conf and /etc/named.conf respectively.
Call it in rndc.conf as follows:
server localhost {
    key "mykey";
};
Call it in named.conf as follows:
controls {
    inet 127.0.0.1 allow { localhost; } keys { "mykey"; };
};
Then restart the named process and run rndc reload as a test:
rndc: reload command successful
named.conf and rndc.conf are posted below!
The rndc.conf is as follows:
/*
 * Copyright (C) 2000, 2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: rndc.conf,v 1.6.4.1 2001/01/09 22:32:57 bwelling Exp $ */

/*
 * Sample rndc configuration file.
 */

options {
    default-server localhost;
    default-key "key";
};

server localhost {
    key "mykey";
};

key "mykey" {
    algorithm "hmac-md5";
    secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY";
};
The named.conf is as follows:
// generated by named-bootconf.pl

options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { "mykey"; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

include "/etc/rndc.key";

key "mykey" {
    algorithm "hmac-md5";
    secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY";
};
Problem!
In the process of generating the KEY, I found that the KEY generated on this machine is different from the one in the text (as seen when running the command), but I cannot find the two generated files, and searching crashed too. Please tell me: should it be generated by this machine, or can I just use the text as it is? If it is generated locally, where should I look for it?
My goal is only to be able to use rndc properly!
As in the title.
Re: are there no experts who will talk about this? (empty)
Re: asking about DNS! There is a question about the password!
The method used in the BIND 9 configuration article should be correct, and the problem may lie in an inconsistency between your environment and the environment in the article, so I suggest you describe the specific environment in which you are configuring it.
Hello, brother riser!
Hello, brother riser! I am doing DNS on RH7.2, and the rest is no different. If there is anything else to say, I really cannot say it, but this is the question:
In the process of generating the KEY, I found that the KEY generated on this machine is different from the one in the text (as seen when running the command), but I cannot find the two generated files, and searching crashed too. Please tell me: should it be generated by this machine, or can I just use the text as it is? If it is generated locally, where should I look for it?
Would you please answer it while you are at it? Thank you!
Brother riser, please look!
It should be in the current directory, for example /root.
Although I found this file, I experimented with Ninten10 following the method on the forum and the doc method from Red Hat, without success. Some time ago there was an authentication error, but now I am using RH7.3 and it is "connection refused". So I downloaded BIND 9.2.1, compiled and installed it myself, and tried again, but it still did not work. Why?
But I found a strange phenomenon: when I use
# named -u named
to start named, the domain name service starts, and then rndc reload goes by without any message. When I kill named and then use rndc reload, "connection refused" appears again.
Now that I can start the domain name service with named -u named, what is the use of rndc and how is its security ensured? I feel as if I do not have permission to use the configuration file with rndc reload, but I am root.
Why? I ask brother riser and the other experts for advice.
Re: brother riser, please look!
Response:
But I found a strange phenomenon: when I use
# named -u named
to start named, the domain name service starts, and then rndc reload goes by without any message. When I kill named and then use rndc reload, "connection refused" appears again.
Now that I can start the domain name service with named -u named, what is the use of rndc and how is its security ensured? I feel as if I do not have permission to use the configuration file with rndc reload, but I am root.
1. rndc can only implement functions such as reload, stop, dumpdb and status. You will be shown these simply by typing the rndc command.
2. Since you have already killed named, why talk about rndc reload? Connection refused, of course. rndc is just a convenient tool for manipulating named, just like ndc, except with security authentication and the ability to operate remotely.
I succeeded once with the method in the previous post. I advise you to check it carefully again.
Replying to brother Yan Shisheng by the way; pay attention to the part in red:
options {
    default-server localhost;
    default-key "key";
};
server localhost {
    key "mykey";
};
key "mykey" {
    algorithm "hmac-md5";
    secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY";
};
Since mykey is defined below, why is it still "key" above?
Re: Hello, brother riser!
If you are using RH 7.2, there is something wrong with its default configuration, mainly an inconsistent definition of the key in the configuration files it installs by default, which you can see by examining the configuration files carefully. Therefore rndc can be used normally as long as they are modified to be consistent.
But I have modified it to be consistent. I just seem to see an rndc.key file, and there are some things in it. Should I use it?
I really admire my brother's carefulness, but this point is not mentioned in the article, so...
Little brother is really impressive; because I am under Windows, I will go offline immediately to try it, thank you!
The problem has been solved, but I was not careful; please excuse me, everyone!
But, but!
But you have absolutely no idea: it could already be used, but after turning it off and then on again the connection is refused again, just like last time. I did not do anything, I just restarted the machine. What should I do?
Re: but, but!
ps -A | grep named
Check whether named is up. If not, use
/etc/rc.d/init.d/named start
to start it and try again.
If that is still the case after it is up, carefully examine the configuration files, including /etc/named.conf and /etc/rndc.conf.
In addition, if all you want is for rndc to work, you just need to change the key name used in your original default /etc/named.conf and /etc/rndc.conf to rndckey everywhere, and then check the /etc directory to see whether there is an /etc/rndckey file; that will work and is very simple, and security does not require you to generate your own key.
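The failure the thread circles around is a name mismatch: rndc.conf says default-key "key" while the only key statement defines "mykey", and the closing advice (rename everything to rndckey, then look for the key file in /etc) is the same check done by hand. The following Python script is an added example, not code from the forum posters or from ISC BIND. It parses rndc.conf and named.conf the way the thread reads them, reports references to keys that are never defined, secrets that differ between the two files, control channels that do not admit the key rndc will present, and include statements it cannot see into, and it renders a consistent pair from a fresh secret. Assumptions: BIND's named.conf syntax for key, server, controls and include statements; the sample configs are constructed here from the postings above; include files are reported rather than read; and render() defaults to hmac-sha256 rather than the hmac-md5 the postings use, since hmac-md5 is what dnssec-keygen produced in 2001 and newer rndc-confgen versions default to SHA-256.

```python
"""Cross-check and generate a BIND rndc key configuration.
Added example for this page, not the forum posters' or ISC's code.  It pulls
every key statement and every key reference (default-key, server { key },
controls { keys { } }) out of rndc.conf and named.conf and reports the
mismatches that make rndc fail as the thread describes.  Assumption: include
statements are reported, not followed (so a key living only in /etc/rndc.key
appears as a notice), and the sample configs below are constructed here."""
import base64
import binascii
import os
import re

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S | re.I)  # definition
ALG_RE = re.compile(r'\balgorithm\s+"?([\w-]+)"?\s*;', re.I)
SECRET_RE = re.compile(r'\bsecret\s+"([^"]+)"\s*;', re.I)
REF_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;', re.I)  # default-key / server { key }
KEYS_RE = re.compile(r'\bkeys\s*\{([^}]*)\}', re.I)  # controls { ... keys { } }
NAME_RE = re.compile(r'"?([\w.-]+)"?\s*;')
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;', re.I)
COMMENT_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings are matched first and
    kept verbatim, because a base64 secret may legitimately contain '//'."""
    return COMMENT_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def defined_keys(conf):
    """key name -> (algorithm, secret) for every key statement."""
    keys = {}
    for name, body in KEY_RE.findall(strip_comments(conf)):
        alg, sec = ALG_RE.search(body), SECRET_RE.search(body)
        keys[name] = (alg.group(1).lower() if alg else None, sec.group(1) if sec else None)
    return keys

def referenced_keys(conf):
    """Key names rndc.conf will present (default-key and server { key })."""
    return set(REF_RE.findall(strip_comments(conf)))

def control_keys(conf):
    """Key names named.conf accepts on its control channel."""
    names = set()
    for inner in KEYS_RE.findall(strip_comments(conf)):
        names.update(NAME_RE.findall(inner))
    return names

def secret_bits(secret):
    """Decoded secret length in bits; ValueError if it is not base64."""
    try:
        return 8 * len(base64.b64decode(secret, validate=True))
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64 ({exc})") from exc

def check_pair(rndc_conf, named_conf):
    """Problems that would make 'rndc reload' fail against this named.conf."""
    problems = []
    r_def, n_def = defined_keys(rndc_conf), defined_keys(named_conf)
    r_ref, ctrl = referenced_keys(rndc_conf), control_keys(named_conf)
    for path in INCLUDE_RE.findall(strip_comments(rndc_conf + named_conf)):
        problems.append(f'include "{path}" not followed; keys inside it are unchecked')
    for name in sorted(r_ref - set(r_def)):
        problems.append(f'rndc.conf refers to key "{name}" but never defines it')
    for name in sorted(ctrl - set(n_def)):
        problems.append(f'named.conf controls list key "{name}" but never define it')
    if not ctrl:
        problems.append("named.conf has no controls { keys { } } statement")
    for name in sorted(set(r_def) & set(n_def)):
        if r_def[name] != n_def[name]:
            problems.append(f'key "{name}" differs between rndc.conf and named.conf')
    for name in sorted((r_ref & set(r_def)) - ctrl):
        problems.append(f'rndc.conf uses key "{name}" but named.conf controls do not allow it')
    for name, (_, secret) in sorted({**n_def, **r_def}.items()):
        try:
            if secret_bits(secret or "") == 0:
                raise ValueError("secret is missing or empty")
        except ValueError as exc:
            problems.append(f'key "{name}": {exc}')
    return problems

def new_secret(bits=256):
    """Fresh random shared secret, base64-encoded as named.conf expects."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")

def render(name, secret, algorithm="hmac-sha256", addr="127.0.0.1"):
    """One consistent pair: (rndc.conf text, named.conf key + controls snippet)."""
    key_stmt = f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'
    rndc_conf = f'options {{\n\tdefault-server {addr};\n\tdefault-key "{name}";\n}};\n' + key_stmt
    controls = f'controls {{\n\tinet {addr} port 953 allow {{ {addr}; }} keys {{ "{name}"; }};\n}};\n'
    return rndc_conf, key_stmt + controls

# Constructed from the thread's postings: default-key names "key", only
# "mykey" is defined, and named.conf pulls in an /etc/rndc.key we cannot see.
POSTED_RNDC_CONF = '''options { default-server localhost; default-key "key"; };
server localhost { key "mykey"; };
key "mykey" { algorithm "hmac-md5"; secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY"; };
'''
POSTED_NAMED_CONF = '''options { directory "/var/named"; // query-source address * port 53
};
controls { inet 127.0.0.1 allow { localhost; } keys { "mykey"; }; };
include "/etc/rndc.key";
key "mykey" { algorithm "hmac-md5"; secret "I+JTxIv4gmczZmTIrQCjOAqkIK1SeWHY"; };
'''
```

To use it on a real host, pass open("/etc/rndc.conf").read() and open("/etc/named.conf").read() to check_pair() and print whatever it returns; on the thread's configuration it reports the undefined "key" reference and the unread /etc/rndc.key include, and on the output of render() it reports nothing. Whichever name the key ends up with, the secret authenticates anyone who can reach the control port, so keep /etc/rndc.conf and /etc/rndc.key readable only by root and the named user, leave the inet statement on 127.0.0.1 unless remote control is really needed, and, as the last reply notes, a ready-made key file in /etc only works if the name it defines is the one both files use.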