rubysecurity.org

Anecdotes from a Linux Systems Administrator. /root

Home About Books Blog Portfolio Archive
    2 January 2012

    BIND 9.7.3 Gotchas

    by Alpha01

    On my new CentOS 6 powered BIND DNS server, it took a while to figure out why my custom jailed BIND configuration was not able to load any zone data files, even though the zone data files did not had any sort of syntax errors. Of which I verified using the named-checkzone utility.

    Errors

    Dec 29 21:29:04 centos6 named[17311]: etc/db.rubysecurity.org:2: ignoring out-of-zone data (rubysecurity.org)
Dec 29 21:29:04 centos6 named[17311]: etc/db.rubysecurity.org:9: ignoring out-of-zone data (rubysecurity.org)
Dec 29 21:29:04 centos6 named[17311]: etc/db.rubysecurity.org:10: ignoring out-of-zone data (rubysecurity.org)
Dec 29 21:29:04 centos6 named[17311]: etc/db.rubysecurity.org:11: ignoring out-of-zone data (rubysecurity.org)
Dec 29 21:29:04 centos6 named[17311]: etc/db.rubysecurity.org:12: ignoring out-of-zone data (www.rubysecurity.org)
Dec 29 21:29:04 centos6 named[17311]: zone db.rubysecurity.org/IN: has 0 SOA records
Dec 29 21:29:04 centos6 named[17311]: zone db.rubysecurity.org/IN: has no NS records
Dec 29 21:29:04 centos6 named[17311]: zone db.rubysecurity.org/IN: not loaded due to errors.
Dec 29 21:29:04 centos6 named[17311]: etc/db.ubuntu:2: ignoring out-of-zone data (ubuntu)
Dec 29 21:29:04 centos6 named[17311]: zone db.ubuntu/IN: has 0 SOA records
Dec 29 21:29:04 centos6 named[17311]: zone db.ubuntu/IN: not loaded due to errors.

    I came to realize the issue was within my named.conf master config file. Since I’m using BIND 9.7.3 (and newer versions), it turns out that the zone name needs to have a dot (.) at the end of the domain name. This was really annoying since it appears that earlier versions didn’t tagged this an error and were able to load up zone files perfectly fine without the addition of the dot character at the end of the zone file name. Luckily, I was able to fix the issue, which by the way, the named-checkconf utility was not able to detect this problem.

    Broken:

    zone "rubysecurity.org" IN {
        type master;
        file "etc/db.rubysecurity.org";
        allow-update { key rndc-key; };
        allow-query { any; };

};

    Fix

    zone "rubysecurity.org." IN {
        type master;
        file "etc/db.rubysecurity.org";
        allow-update { key rndc-key; };
        allow-query { any; };

};
    Tags: [ bind ]