[SOLVED] Bind 9.11_1 in PfSense 2.3.3: problems generating the RNDC key



  • If I do not generate the RNDC key,
    I get the following result over SSH:

    
    [2.3.3-RELEASE][root@ns.vnet]/root: rndc status
    rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found
    [2.3.3-RELEASE][root@ns.vnet]/root: 
    
    

    I generated the key using the following command

    'rndc-confgen -a' to generate the proper conf file, with a new
    random key, and appropriate file permissions.
    

    As described here

    
    **********************************************************************
    *            _  _____ _____ _____ _   _ _____ ___ ___  _   _         *
    *           / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |        *
    *          / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |        *
    *         / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |        *
    *        /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|        *
    *                                                                    *
    *   BIND requires configuration of rndc, including a "secret" key.   *
    *    The easiest, and most secure way to configure rndc is to run    *
    *   'rndc-confgen -a' to generate the proper conf file, with a new   *
    *            random key, and appropriate file permissions.           *
    *                                                                    *
    *     The /usr/local/etc/rc.d/named script will do that for you.     *
    *                                                                    *
    **********************************************************************
    
    

    Here is the command output at the terminal:

    
    [2.3.3-RELEASE][root@ns.vnet]/root: rndc-confgen -a
    wrote key file "/usr/local/etc/namedb/rndc.key"
    [2.3.3-RELEASE][root@ns.vnet]/root: 
    
    

    I tested the connection with the rndc status command:

    
    [2.3.3-RELEASE][root@ns.vnet]/root: rndc status
    rndc: connection to remote host closed
    This may indicate that
    * the remote server is using an older version of the command protocol,
    * this host is not authorized to connect,
    * the clocks are not synchronized,
    * the key signing algorithm is incorrect, or
    * the key is invalid.
    [2.3.3-RELEASE][root@ns.vnet]/root: 
    
    

    At this point I know I just need to put the key generated by rndc-confgen -a in the named.conf file.
    And here is the big problem:
    I have two named.conf files.
    One is in the chroot and should not be edited, look:

    And another named.conf in /usr/local/etc/namedb/named.conf; look at this original file at http://txt.do/d138n

    I do not know where to enter the rndc-key.

    UPDATE*

    I was looking at the named file,
    which is in
    /usr/local/etc/rc.d/named
    I saw that there is a line talking about rndc:

    
    	# Create an rndc.key file for the user if none exists
    	#
    	confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \
    	    -c ${_named_confdir}/rndc.key"
    	if [ -s "${_named_confdir}/rndc.conf" ]; then
    		unset confgen_command
    	fi
    	if [ -s "${_named_confdir}/rndc.key" ]; then
    		case `stat -f%Su ${_named_confdir}/rndc.key` in
    		root|${named_uid}) ;;
    		*) ${confgen_command} ;;
    		esac
    	else
    		${confgen_command}
    	fi
    
    

    I also noticed that even after deleting the named.conf and rndc.conf files from the /cf/ directory, which is the bind chroot,
    they are recreated again, but the rndc key is not the same as the one generated with rndc-confgen -a,
    so rndc cannot connect, hence the errors above.
    In this script, would it be possible for me to tell it where it should get the rndc.conf file and the key?
    Sorry for my ignorance, but I really am not knowledgeable enough for this change.
    And I appreciate all the help.
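A check for the mismatch this post describes, added here as an example; it is not code from the original thread or from the pfSense BIND package. It pulls the `key "rndc-key" { ... };` stanza out of two files and compares algorithm and secret, which is exactly what differs when the package regenerates its own key in the chroot while the rndc client keeps using the key written by `rndc-confgen -a`. The temporary directory, the file names under it and all key material are constructed for the demo; on the real box the two inputs would be /usr/local/etc/namedb/rndc.key and the named.conf inside the /cf chroot.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense BIND package:
# compare the key the rndc client will present (rndc.key, as written by
# `rndc-confgen -a`) with the key stanza named actually loaded from its
# named.conf. Differing algorithm or secret is what yields
# "rndc: connection to remote host closed".
# All paths and key material below are constructed for this demo.

# Print "ALGORITHM SECRET" for the `key "NAME" { ... };` stanza in FILE
# (NAME defaults to rndc-key). rndc-confgen writes the stanza across several
# lines, so the file is flattened first. Prints nothing when the stanza or
# its secret is absent.
rndc_key_fields() {
    file=$1
    name=${2:-rndc-key}
    tr '\n' ' ' < "$file" | sed -n \
        "s/.*key[[:space:]]*\"$name\"[[:space:]]*{[^}]*algorithm[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;[^}]*secret[[:space:]]*\"\([^\"]*\)\".*/\1 \2/p"
}

# Return 0 when FILE1 and FILE2 carry the same algorithm and secret for NAME,
# 1 when they differ, 2 when either file has no usable stanza.
rndc_keys_match() {
    name=${3:-rndc-key}
    a=$(rndc_key_fields "$1" "$name")
    b=$(rndc_key_fields "$2" "$name")
    if [ -z "$a" ] || [ -z "$b" ]; then
        return 2
    fi
    [ "$a" = "$b" ]
}

# Print a human-readable verdict for the pair; always returns 0 so it can be
# run from a non-interactive shell with -e set. Use rndc_keys_match for status.
rndc_key_report() {
    rc=0
    rndc_keys_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 and $2 carry the same rndc key" ;;
        1) echo "MISMATCH: $1 and $2 carry different rndc keys;" \
                "rndc will be refused (connection closed)" ;;
        *) echo "MISSING: no rndc-key stanza with a secret in $1 or $2" ;;
    esac
    return 0
}

# Constructed stand-ins for the two copies the post is about: the rndc.key
# written by rndc-confgen, and a named.conf regenerated with a key of its own.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/rndc.key" <<'EOF'
key "rndc-key" {
    algorithm hmac-md5;
    secret "dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNlY3JldA==";
};
EOF

cat > "$demo_dir/named.conf" <<'EOF'
options {
    directory "/etc/namedb";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "YW5vdGhlci1jb25zdHJ1Y3RlZC1zZWNyZXQ=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

# A config that never loaded the key at all (constructed failure case).
cat > "$demo_dir/nokey.conf" <<'EOF'
options {
    directory "/etc/namedb";
};
EOF

rndc_key_report "$demo_dir/rndc.key" "$demo_dir/named.conf"
rndc_key_report "$demo_dir/rndc.key" "$demo_dir/rndc.key"
rndc_key_report "$demo_dir/rndc.key" "$demo_dir/nokey.conf"
```

If named.conf pulls the key in with an `include` line rather than an inline stanza, point the check at the included file instead. Once the two copies agree, `rndc status` authenticates; `rndc -k FILE status` lets you try a specific key file without touching the default one.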



  • This script that starts bind: http://pasted.co/3bc490e3
        I would like it not to replace the rndc.conf and rndc.key files,
        but I do not know how to do it. Would it be possible to help with this matter?
        I just need that.


  • Banned

    There is a GUI for BIND. Using BIND in a way you are attempting to do is completely unsupported.



  • Thanks for the feedback,
    but it is already solved.

    Next step:
    Do an nsupdate to update an A zone,
    or make RFC2136 work in my PfSense 2.3.3.

