Bind.log ERRORs
#1
Bind.log ERRORs
I've been getting this in bind.log.
What does this mean pls?

Quote:
11-Feb-2018 10:45:37.243 general: error: managed-keys.bind.jnl: create: permission denied
11-Feb-2018 10:45:37.283 general: error: managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
11-Feb-2018 10:45:37.283 general: error: managed-keys-zone: unable to synchronize managed keys: unexpected error
11-Feb-2018 10:45:37.285 general: notice: all zones loaded
11-Feb-2018 10:45:37.287 general: notice: running
#2
RE: Bind.log ERRORs
Are you using the standard configuration?

Any modification? Package upgrade or such first? What OS are you using here exactly?

M B
#3
RE: Bind.log ERRORs
I have seen this before, or similar, it was the file and folder permissions. They were changed somehow from the default.
-TGates - Project Council

#4
RE: Bind.log ERRORs
Not to hijack an old post but it seems I'm having the same issue.

Here are my details.
CentOS 7 minimal install
Sentora 1.0.3 no custom modifications.
Installed as root using the easy installer.

Modules installed
Sentastico
Auto IP Updater
View Site Logs
zGodx
Deleted Record Manager

When running the following line in /etc/sentora/configs,
Code:
$ ls -l

I get the following.

Code:
drwxr-xr-x 2 root root 4096 Sep  6 21:16 apache
drwxr-xr-x 2 root root 4096 Sep  6 21:16 bin
drwxr-xr-x 4 root root 4096 Sep  6 21:17 bind
drwxr-xr-x 2 root root 4096 Sep  6 21:17 cron
drwxr-xr-x 2 root root 4096 Sep  6 21:16 dovecot2
drwxr-xr-x 2 root root 4096 Sep  6 21:17 phpmyadmin
drwxr-xr-x 2 root root 4096 Sep  6 21:16 postfix
drwxr-xr-x 2 root root 4096 Sep  6 21:17 proftpd
drwxr-xr-x 2 root root 4096 Sep  6 21:17 roundcube
drwxr-xr-x 3 root root 4096 Sep  6 21:16 sentora-install
drwxr-xr-x 4 root root 4096 Sep  6 21:16 sentora-update

Looks like all the files in that directory are owned by root. Should I change the bind folder to "named:named" then restart bind?
#5
RE: Bind.log ERRORs
(10-20-2018, 06:36 AM)james30263 Wrote: Not to hijack an old post but it seems I'm having the same issue.

Looks like all the files in that directory are owned by root. Should I change the bind folder to "named:named" then restart bind?

I think this is simpler than first thought.

First, I am on CentOS 7 so cannot say how these commands would differ for another OS, so keep that in mind - I'm not even sure if it's a problem for any other OS, but if it is, perhaps someone wants to check if the procedure is the same or different.

So, on CentOS 7:

When the Sentora installation script installs BIND, it deletes the named.conf that comes with BIND and replaces it with a Sentora version. This is missing an important line that defines a path for "managed keys", but this may be because it is a new config setting that wasn't around when the released Sentora package was last released, back in 2015?

Simply edit the named.conf file (NOT the one in the Sentora directory - that one isn't used by BIND - it's the one that was copied to the etc directory during Sentora's installation that we need to edit):


Code:
vi /etc/named.conf


find this section:


Code:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;


and just below, press "i" to insert and add:


Code:
managed-keys-directory "/var/named/dynamic";


press ESC, type "wq" and hit ENTER to save and exit the file.

This directory we have just specified should already exist and be owned by named as it was created by the BIND installation. There may be a file in it that we need to delete so that it gets created again from new, so run:


Code:
rm -rf /var/named/dynamic/managed-keys.bind.jnl


just to clean it up.

Now restart BIND:


Code:
service named restart


and check your log to see if the error has gone (scroll to the bottom of the log to check the most recent restart):


Code:
vi /var/sentora/logs/bind/bind.log


I believe these settings are related to DNSSEC, and the preconf version of named.conf should probably be updated in the Sentora Installers GitHub repository (and maybe also the rm -rf /var/named/dynamic/managed-keys.bind.jnl command added to the Sentora installation script - I'm not sure if this file exists on a brand new install or not) but I reckon that should fix it.

Remember - you should be editing /etc/named.conf in the commands above, NOT /etc/sentora/configs/bind/named.conf, as the latter is only used on installation for reference for creating the former.

There is probably an alternative solution, which is to turn the DNSSEC options in the named.conf file to "off" and restart the service, but I haven't tested this. In theory, it would stop BIND from needing that directory, so if anyone wants to test this and report back that would be useful :)

AFAIK the above is all correct information, but if you feel I have made an error please let me know and I'll happily change this post!

Note: I got some of my info from this post, which pointed me in the right direction: https://networking.ringofsaturn.com/Unix/dnssec.php
#6
RE: Bind.log ERRORs
Worked perfect! Thanks, I was editing the wrong bind config file. Now all errors are gone.

Now I only have warnings. I will google this when I have time to see what I can figure out. I would bet it has something to do with me changing IPs on the server.

Code:
21-Oct-2018 03:27:01.992 security: warning: using built-in DLV key for view _default
21-Oct-2018 04:03:19.561 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
21-Oct-2018 05:03:21.977 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
21-Oct-2018 11:03:29.614 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
21-Oct-2018 17:03:42.632 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
23-Oct-2018 03:04:10.389 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
23-Oct-2018 05:04:15.579 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
24-Oct-2018 22:05:02.886 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
25-Oct-2018 05:05:08.553 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
25-Oct-2018 06:05:11.034 general: warning: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
#7
RE: Bind.log ERRORs
(10-26-2018, 05:34 AM)james30263 Wrote: Worked perfect! Thanks, I was editing the wrong bind config file. Now all errors are gone.

Now I only have warnings. I will google this when I have time to see what I can figure out. I would bet it has something to do with me changing IPs on the server.


I am only guessing here but you may have a domain set up with DNSSEC that doesn't have the required keys registered at the registry, or you may need to update another of the config settings in your config file to update an outdated URL? Like I said, I am only guessing and I do not currently implement DNSSEC but if you find out any more about this can you post an update here for future reference?

Thanks, Keith.

EDIT: There's a reference in the named.conf file to this file:


Code:
/etc/named.iscdlv.key


If you look in there, that URL (dlv.isc.org) is referenced along with this warning:


Code:
NOTE: The ISC DLV zone is being phased out as of February 2017


so I guess it's something that needs updating or disabling.

I'll let you investigate this one and report back!

Keith
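The two checks this thread arrives at, as a shell audit: a `managed-keys-directory` that is set, exists and is owned by the BIND user (post #5), and a leftover `dnssec-lookaside` setting pointing at the phased-out ISC DLV zone (post #7). This is an added example, not part of any forum post or of Sentora; the function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a named.conf for the two problems seen in this thread.
# Function names are hypothetical; option names are those quoted in the posts.

# Print the value of a single-line option, ignoring # and // comments
# (/* ... */ comments are not handled in this sketch).
conf_value() {  # usage: conf_value <conf-file> <option>
    sed -E 's,(^|[[:space:]])(#|//).*$,,' "$1" |
        awk -v opt="$2" '$1 == opt { v = $2; gsub(/[";]/, "", v); print v; exit }'
}

# One finding per line; returns 1 if anything needs attention.
audit_named_conf() {  # usage: audit_named_conf <conf-file> [expected-owner]
    local conf=$1 owner=${2:-named} rc=0 dir dlv
    dir=$(conf_value "$conf" managed-keys-directory)
    if [ -z "$dir" ]; then
        echo "MISSING managed-keys-directory"; rc=1
    elif [ ! -d "$dir" ]; then
        echo "NODIR $dir"; rc=1
    elif [ "$(stat -c %U "$dir")" != "$owner" ]; then
        echo "OWNER $dir not owned by $owner"; rc=1
    else
        echo "OK $dir"
    fi
    dlv=$(conf_value "$conf" dnssec-lookaside)
    if [ -n "$dlv" ] && [ "$dlv" != "no" ]; then
        echo "DLV dnssec-lookaside $dlv"; rc=1
    fi
    return $rc
}

# Constructed sample: the three DNSSEC lines from the post, optionally followed
# by a managed-keys-directory line pointing at <dir>/dynamic.
make_sample_conf() {  # usage: make_sample_conf <dir> [with-keys-dir]
    mkdir -p "$1/dynamic"
    {
        echo 'options {'
        echo '    dnssec-enable yes;'
        echo '    dnssec-validation yes;'
        echo '    dnssec-lookaside auto;'
        [ -n "${2:-}" ] && echo "    managed-keys-directory \"$1/dynamic\";"
        echo '};'
    } > "$1/named.conf"
}

tmp=$(mktemp -d)
make_sample_conf "$tmp"
audit_named_conf "$tmp/named.conf" || true   # prints the MISSING and DLV findings
rm -rf "$tmp"
```

On a real host the call would be `audit_named_conf /etc/named.conf`, run as a user that can read the file; `stat -c` is the GNU coreutils form found on CentOS.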

