BIND 9 rndc hints (was: [rescue] Tricking DNS)
Loomis, Rip
rescue at sunhelp.org
Mon Oct 22 13:21:34 CDT 2001
Crap. Two errors that I should have caught (and that
are apparently fixed in the version of the cookbook
that the folks doing most of the hands-on stuff are
now using, while I go off and do the policy and management
crap):
1. You have to define a key before you can reference
it. Make sure the "key" stanza is *before*
the "controls" stanza.
2. The "controls" stanza was missing a semicolon at the
end of the line, and was missing an underscore in
rndc_key (I think that you already caught the
latter problem). It should have read
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
As long as I point those two things out, there's a third
note:
3. If you're going to include the shared secret key in
named.conf, and there are non-trusted users on
the local system, make sure named.conf has restricted
permissions. Alternatively, you can put the key
string in a separate file and $INCLUDE it.
Bill, let me know if this works for you now.
--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology
> -----Original Message-----
> From: Bill Bradford [mailto:mrbill at mrbill.net]
> Sent: Monday, 22 October, 2001 12:16
> To: rescue at sunhelp.org
> Subject: Re: BIND 9 rndc hints (was: [rescue] Tricking DNS)
>
>
> On Mon, Oct 22, 2001 at 12:59:35PM -0400, Loomis, Rip wrote:
> > 3.1 Create a configuration file for rndc to hold the required,
> > shared secret key. The default location for the rndc configuration
> > file is /etc/rndc.conf (or /usr/local/etc/rndc.conf depending
> > on the options passed to configure)
> [[SNIP]]
> > 3.2 Modify the named.conf file to use the shared secret key, by
> > adding a new "control" directive.
> > controls {
> > inet 127.0.0.1 allow { localhost; } keys { rndc key; }
> > };
> > key rndc_key {
> > algorithm "hmac-md5";
> > secret
> > "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9y
> > IGEgd29tYW4K";
> > };
>
> Tried this. Didn't work. Here's /var/adm/messages:
>
> Oct 22 12:12:37 ohno.mrbill.net /usr/local/sbin/named[1732]:
> [ID 866145 daemon.notice] starting BIND 9.1.3
> Oct 22 12:12:37 ohno.mrbill.net /usr/local/sbin/named[1732]:
> [ID 866145 daemon.error] /etc/named.conf:8: parse error near }
> Oct 22 12:12:37 ohno.mrbill.net /usr/local/sbin/named[1732]:
> [ID 866145 daemon.crit] loading configuration: failure
> Oct 22 12:12:37 ohno.mrbill.net /usr/local/sbin/named[1732]:
> [ID 866145 daemon.crit] exiting (due to fatal error)
>
> Here's the relevant section of my /etc/named.conf:
>
> options {
> directory "/var/named";
> auth-nxdomain yes;
> };
>
> COntrols {
>
> inet 127.0.0.1 allow { localhost; } keys { rndc_key; }
> };
>
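As an added illustration that is not part of the thread, here is a small Python checker for exactly the two named.conf mistakes Rip lists above: a dropped semicolon inside the controls stanza (which produces the "parse error near }" in Bill's log) and a key referenced before its key stanza appears. The tokenizer, the check functions and the PLACEHOLDER secret are my own constructions, not BIND code; it assumes named.conf's three comment styles and case-insensitive statement names.

```python
import re

TOKEN = re.compile(r'/\*.*?\*/|(?://|#)[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    # Comments are lexed as tokens so a '//' inside a quoted base64 secret survives.
    return [t for t in TOKEN.findall(text) if not t.startswith(('/*', '//', '#'))]

def split_statements(tokens):
    stmts, cur, depth = [], [], 0
    for tok in tokens:
        cur.append(tok)
        depth += (tok == '{') - (tok == '}')
        if tok == ';' and depth == 0:
            stmts.append(cur)
            cur = []
    return stmts + ([cur] if cur else [])  # keep a statement lacking its final ';'

def keys_referenced(stmt):
    names = []
    for i, tok in enumerate(stmt[:-1]):
        if tok.lower() == 'keys' and stmt[i + 1] == '{':
            block = stmt[i + 2:stmt.index('}', i + 2)]
            names += [t.strip('"') for t in block if t != ';']
    return names

def check_named_conf(text):
    # Returns a list of problems; an empty list means both checks passed.
    problems, tokens = [], tokenize(text)
    # Check 1: '}' must follow ';' (or '{' for an empty block); '} }' means a dropped ';'.
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else None
        if tok == '}' and prev not in (';', '{'):
            problems.append(f"missing ';' before '}}' (previous token {prev!r})")
    # Check 2: a key must be defined before controls references it (names case-insensitive).
    defined = set()
    for stmt in split_statements(tokens):
        if stmt[0].lower() == 'key' and len(stmt) > 1:
            defined.add(stmt[1].strip('"'))
        elif stmt[0].lower() == 'controls':
            for name in keys_referenced(stmt):
                if name not in defined:
                    problems.append(f"key '{name}' referenced before it is defined")
    return problems

# Constructed samples: the thread's stanza with its two errors, then the fixed version.
BROKEN = ('controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; } };\n'
          'key rndc_key { algorithm "hmac-md5"; secret "PLACEHOLDER=="; };')
FIXED = ('key rndc_key { algorithm "hmac-md5"; secret "PLACEHOLDER=="; };\n'
         'controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; };')
```

Running check_named_conf(BROKEN) reports both defects; the same text with the key stanza moved first and the semicolon restored comes back clean.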