
I set up bind9 perfectly a year ago but neglected to document exactly what I did, and now something has changed and I am struggling to fix it. The problem first manifested itself on the DHCP clients, which are now unable to resolve the DHCP/NS host on the LAN.

Checking my bind config with named-checkzone gives an error:

```
adam@gondolin:~$ sudo named-checkzone 192.168.0 /var/cache/bind/db.192.168.0
/var/cache/bind/db.192.168.0:2: SOA record not at top of zone (0.168.192.in-addr.arpa.192.168.0)
zone 192.168.0/IN: loading from master file /var/cache/bind/db.192.168.0 failed: not at top of zone
zone 192.168.0/IN: not loaded due to errors.
```

Of course named doesn't load the zones either.

This is the zone file:

```
adam@gondolin:~$ sudo cat /var/cache/bind/db.192.168.0
$TTL 86400
0.168.192.in-addr.arpa  IN SOA  localdomain. root.localdomain. (
                                1123       ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      gondolin.localdomain.
$ORIGIN 0.168.192.in-addr.arpa.
adam@gondolin:~$
```

and my only other zone file gives the same result:

```
adam@gondolin:~$ sudo cat /var/cache/bind/db.localdomain
$TTL 86400
localdomain             IN SOA  localdomain. root.localdomain. (
                                1650       ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      gondolin.localdomain.
$ORIGIN localdomain.
adam@gondolin:~$
```

This is the bind config:

```
adam@gondolin:~$ cat /etc/bind/named.conf.options
acl goodclients {
        localhost;
        localnets;
};

options {
        listen-on { 192.168.0.3; 127.0.0.1; };
        listen-on-v6 {
                fe80::2a37:37ff:fe03:4225/64;
                ::1;
                #any;
        };
        directory "/var/cache/bind";

        forwarders {
                208.67.220.220;
                208.67.222.222;
        };

        allow-query { goodclients; };
        allow-recursion { goodclients; };
        allow-transfer { goodclients; };

        dnssec-enable no;
        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
};
adam@gondolin:~$
```

and the zones:

```
adam@gondolin:~$ cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/etc/bind/rndc.key";

zone "localdomain" {
        type master;
        notify no;
        file "/var/cache/bind/db.localdomain";
        allow-update { key "rndc-key"; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/db.192.168.0";
        allow-update { key "rndc-key"; };
};
adam@gondolin:~$
```

I'm not quite sure what other config is relevant here so I'm going to show everything I can think of.

```
adam@gondolin:~$ cat /etc/hostname
gondolin
adam@gondolin:~$ cat /etc/hosts
127.0.0.1       localhost localhost.localdomain gondolin
127.0.1.1       gondolin
192.168.0.3     gondolin.localdomain gondolin

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

resolv.conf could be a worry:

```
adam@gondolin:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 192.168.0.3
domain localdomain
search localdomain
adam@gondolin:~$
```

The systemd-resolve msg is irrelevant I assume, but doing a status shows this:

```
adam@gondolin:~$ sudo systemd-resolve --status
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.
```

Running a simple look-up on the host:

```
adam@gondolin:~$ dig gondolin

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> gondolin
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 083d35c6e1daa489584481225d74b44000978776cbc340e9 (good)
;; QUESTION SECTION:
;gondolin.                      IN      A

;; AUTHORITY SECTION:
.                       3600    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019090800 1800 900 604800 86400

;; Query time: 7 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Sep 08 08:56:48 BST 2019
;; MSG SIZE  rcvd: 140
adam@gondolin:~$
```

2 Answers


With this zone configuration:

```
zone "0.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/var/cache/bind/db.192.168.0";
```

and the beginning of the zone file like this:

```
$TTL 86400
0.168.192.in-addr.arpa  IN SOA  localdomain. root.localdomain. (
```

the SOA record is actually referring to a zone named 0.168.192.in-addr.arpa.0.168.192.in-addr.arpa. which is obviously not right.

Why is that, you might ask?

Because you are missing a single full stop.

In the zone file, any domain name that does not end with a full stop (.) will get the zone's $ORIGIN appended to it automatically. If you haven't explicitly specified the $ORIGIN, it's the name of the zone from the zone configuration statement... but in the configuration statement, the full stop at the end is assumed. In the zone file, it must be explicitly specified when needed.

Once you realize this, the error message should make sense: BIND expects to see a SOA record that points to the same domain name as the zone configuration line.

The first line of the SOA record should be like this (if you don't use the @):

```
0.168.192.in-addr.arpa. IN SOA  localdomain. root.localdomain. (
```

The full stop at the end of 0.168.192.in-addr.arpa. is very important here.

Your localdomain zone has the same problem. It should be:

```
localdomain.            IN SOA  localdomain. root.localdomain. (
```
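The origin rule in the answer above is easy to state and easy to get wrong, so here is an added example (not code from the question or either answer) that applies it mechanically: a small Python checker that qualifies the first SOA owner the way BIND does and reports the same "not at top of zone" condition that `named-checkzone` reports. It handles only the subset of the master-file syntax needed for that check. Fed the question's zone file with the zone name `192.168.0` (the name actually passed to `named-checkzone` in the question) it reproduces the `.192.168.0` suffix from the error message; fed the zone name from `named.conf` it produces the doubled `0.168.192.in-addr.arpa.0.168.192.in-addr.arpa.` the answer describes. The corrected reverse and forward zone files, including the PTR record and the serial `1124`, are constructed for this example and are not from the page.

```python
"""Added example: how BIND qualifies owner names against $ORIGIN.

Rule: an owner without a trailing dot gets the current origin appended;
'@' means the origin itself; the initial origin is the zone name from
named.conf (or the named-checkzone command line) with an implied trailing
dot.  This is an illustrative subset of the master-file format, not BIND.
"""


def absolute(name, origin):
    """Fully qualify `name` relative to `origin` (origin must end with '.')."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name                     # already absolute: origin is NOT appended
    return name + "." + origin          # relative: origin is appended


def zone_apex(zone_name):
    """The zone name as BIND sees it: lowercase, trailing dot implied."""
    z = zone_name.lower()
    return z if z.endswith(".") else z + "."


def soa_owner(zone_text, zone_name):
    """Return (owner_fqdn, line_no) of the first SOA record, or (None, None)."""
    origin = zone_apex(zone_name)
    owner = None                        # last explicit owner; indented records inherit it
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)    # $ORIGIN is itself relative to the old origin
            continue
        if tokens[0].startswith("$"):               # $TTL, $INCLUDE, ...: no owner here
            continue
        if not raw[0].isspace():                    # owner field only on unindented lines
            owner = absolute(tokens[0], origin)
            tokens = tokens[1:]
        if "soa" in (t.lower() for t in tokens):
            return owner, lineno
    return None, None


def check_soa_at_top(zone_text, zone_name):
    """(ok, message): does the first SOA's owner equal the zone apex?"""
    apex = zone_apex(zone_name)
    owner, lineno = soa_owner(zone_text, zone_name)
    if owner is None:
        return False, "no SOA record found"
    if owner != apex:
        return False, f"{lineno}: SOA record not at top of zone ({owner.rstrip('.')})"
    return True, f"SOA owner {owner} matches zone apex"


# Constructed samples.  BROKEN_REVERSE is the reverse zone from the question;
# the FIXED_* files are corrected versions written for this example (the PTR
# record and serial 1124 are assumptions, not taken from the page).
BROKEN_REVERSE = """\
$TTL 86400
0.168.192.in-addr.arpa IN SOA localdomain. root.localdomain. (
        1123 ; serial
        604800 ; refresh (1 week)
        86400 ; retry (1 day)
        2419200 ; expire (4 weeks)
        86400 ; minimum (1 day)
        )
        NS gondolin.localdomain.
$ORIGIN 0.168.192.in-addr.arpa.
"""

FIXED_REVERSE = """\
$TTL 86400
@       IN SOA  gondolin.localdomain. root.gondolin.localdomain. (
        1124 604800 86400 2419200 86400 )
        NS      gondolin.localdomain.   ; absolute: origin not appended
3       PTR     gondolin.localdomain.   ; owner -> 3.0.168.192.in-addr.arpa.
"""

FIXED_FORWARD = """\
$TTL 3D
@       IN SOA  gondolin.localdomain. root.gondolin.localdomain. (
        201909091 8H 2H 4W 1D )
        NS      gondolin                ; relative -> gondolin.localdomain.
gondolin A      192.168.0.3
"""

if __name__ == "__main__":
    for label, text, zone in [
        ("question's zone name", BROKEN_REVERSE, "192.168.0"),
        ("named.conf zone name", BROKEN_REVERSE, "0.168.192.in-addr.arpa"),
        ("fixed reverse", FIXED_REVERSE, "0.168.192.in-addr.arpa"),
        ("fixed forward", FIXED_FORWARD, "localdomain"),
    ]:
        ok, msg = check_soa_at_top(text, zone)
        print(f"{label:22} {'OK ' if ok else 'ERR'} {msg}")
```

The same rule explains why a forward-zone file cannot simply be reused for the reverse zone: a relative `NS gondolin` qualifies to `gondolin.localdomain.` under the `localdomain` origin but to `gondolin.0.168.192.in-addr.arpa.` under the reverse origin, so the reverse zone needs the absolute `gondolin.localdomain.` with its trailing dot.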

Among loads of different webpages up there on this subject, I finally found this one which explained what and why as well as just giving a solution:

ftp://ftp.iitb.ac.in/LDP/en/DNS-HOWTO/DNS-HOWTO-5.html

My error in the config above was in the zone files, where I needed to declare the nameserver properly - the config above has too much unnecessary stuff. This one worked, or at least it satisfies named-checkzone:

```
$TTL 3D
@       IN SOA  gondolin.localdomain. root.gondolin.localdomain. (
                201909091  ; serial
                8H         ; refresh (8 hours)
                2H         ; retry (2 hours)
                4W         ; expire (4 weeks)
                1D         ; minimum (1 day)
                )
        NS      gondolin
gondolin A      192.168.0.3
```
