Board index ‹ Linux ‹ DNS

[chandranjoy]

Why do I see the error 'rndc: connection to remote host closed' when I try to start named?

One possible cause for this error is an incorrectly referenced rndc key. The rndc symmetric encryption key is contained in the /etc/rndc.key. This file is included into the /etc/named.conf bind nameserver and /etc/rndc.conf rndc utility configuration files. Bind and rndc use the rndc key to encrypt their communications.

By default, named.conf references the rndckey within the rndc.key file, as can be seen in this named.conf statement:

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
}

If named cannot find the rndckey in /etc/rndc.key, it will report the error 'rndc: connection to remote host closed'.

When using rndc-confgen -a to create a new rndc key, the new key will be called rndc-key by default. Therefore, the /etc/rndc.key file will need to be edited and the key name changed to rndckey for the sake of named. Likewise the command:

rndc-confgen -a -k rndckey

will give the key the correct name as referenced in named.conf.

Here are some points to keep in mind when setting up named and rndc:

* Ensure that the name of the rndc key referenced in named.conf is the same as the name of the key in /etc/rndc.key. This should berndckey.
* If using a chroot environment, make sure /etc/rndc.key is a soft link to /var/named/chroot/etc/rndc.key.
* Check the permissions and ownership of the rndc.key file. Permissions should be 640 with owner:group of root:named.

[chandranjoy]

Issue 1:
Too many open files on OS
Error:
creating IPv4 interface eth0:cp762 failed; interface ignored
Jul 16 15:08:47 EU1 named[14399]: additionally listening on IPv4 interface eth0:cp763, 94.63.40.184#53
Jul 16 15:08:47 EU1 named[14399]: isc_socket_create: fcntl/reserved: Too many open files
Jul 16 15:08:47 EU1 named[14399]: could not listen on UDP socket: not enough free resources

root@SER[~]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 106496
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 106496
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Fix:
Increase the no. of open files from 1024 to 8132

root@SER[~]# ulimit -n 8192

Now ulimit -a output looks as follows.

root@SER [~]# ulimit -a

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 106496
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 8192
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 106496
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited


Issue 2:
named.ca file not found
Jul 16 13:35:29 EU1 named[32684]: creating IPv4 interface eth0:cp975 failed; interface ignored
Jul 16 13:35:29 EU1 named[32684]: could not configure root hints from '/var/named/named.ca': file not found
Jul 16 13:35:29 EU1 named[32684]: additionally listening on IPv4 interface eth0:cp462, 94.63.2.139#53

Fix:
Manually created /var/named/named.ca with root servers info.

#vi /var/named/named.ca
; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:dc3::35

;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE rcvd: 615

#chown root.named /var/named/named.ca

Then,

#chmod 640 /var/named/named.ca

Now start the named(bind) service,

root@SER [~]# /etc/init.d/named start
Starting named: [ OK ]