After adding a DNS record, bind does not seem to get restarted

swoop
Posts: 23
Joined: Fri 3. Dec 2021, 14:26


Post by swoop

I am sure that the cause of the problem lies with KeyHelp
No? I think the problem is related to KeyHelp and bind


Server operating system + version
Debian 11.5 Bullseye


Server virtualization technology used
Proxmox 7.2-11


KeyHelp version + build number
22.2 Build 2838

Problem description / error messages
When I add a DNS record to a domain and save it, the new domain entry is not available.
The following message is shown:


Die DNS-Einstellungen wurden erfolgreich aktualisiert.
But the subdomain only becomes available after I restart bind manually.

Expected result
After clicking save, bind should be restarted automatically so that the new subdomain is available.

Actual result
After clicking save, the subdomain is not in the zone file.

Steps to reproduce
1. DNS zone editor
2. select the desired zone
3. add a record
4. e.g. host: test | type: cname | andererhost.domain.tld.
5. Save

Additional information
It seems that bind is being restarted, but something is still not quite right.


Sep 15 21:40:02 isp named[30288]: reloading configuration succeeded
Sep 15 21:40:02 isp named[30288]: reloading zones succeeded
Sep 15 21:40:02 isp rndc[1760837]: server reload successful
Sep 15 21:40:02 isp systemd[1]: Reloaded BIND Domain Name Server.
Sep 15 21:40:02 isp named[30288]: all zones loaded
Sep 15 21:40:02 isp named[30288]: running
Sep 15 21:40:02 isp named[30288]: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys


Can someone please point me in the right direction?
The installation of KeyHelp ran flawlessly back then, about a year ago. Shortly after I had migrated from my old iMSCP, I set up a reverse proxy that now obtains the certificates via DNS challenge. That works very well.
But since the beginning I have had the problem that the zones only work properly once I restart bind manually.
So far I have worked around it by installing OliveTin and doing the restart through it. But by now it is just annoying.

I would be very grateful for any help.
Florian
Keyweb AG
Posts: 1258
Joined: Wed 20. Jan 2016, 02:28

Re: After adding a DNS record, bind does not seem to get restarted

Post by Florian

Hello,

I tested it on an identically built server. Changes to DNS zones are applied there without any problems.

These lines should also appear in the log on a reload:


Sep 16 11:13:01 server named[505]: zone domain.de/IN: loaded serial 2022091603
Sep 16 11:13:01 server named[505]: zone domain.de/IN: sending notifies (serial 2022091603)

If necessary, watch the zone file when a change is made in KeyHelp. I can't imagine, though, that the changes are not written to the zone file; otherwise a restart of bind wouldn't help either.
Best regards
Florian Cheno

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
swoop
Posts: 23
Joined: Fri 3. Dec 2021, 14:26

Re: After adding a DNS record, bind does not seem to get restarted

Post by swoop

Hello Florian,

thanks for your reply.
Right, the zone file is being edited, but still. What could be the reason that bind is not restarted correctly/completely?

This is what I see in the log after editing the zone in KeyHelp.


Sep 16 12:53:01 isp CRON[2176017]: (root) CMD (nice -n 5 php /home/keyhelp/www/keyhelp/cronjob/mastercronjob.php)
Sep 16 12:53:02 isp systemd[1]: Reloading BIND Domain Name Server.
Sep 16 12:53:02 isp named[1768603]: received control channel command 'reload'
Sep 16 12:53:02 isp named[1768603]: loading configuration from '/etc/bind/named.conf'
Sep 16 12:53:02 isp named[1768603]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Sep 16 12:53:02 isp named[1768603]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Sep 16 12:53:02 isp named[1768603]: using default UDP/IPv4 port range: [32768, 60999]
Sep 16 12:53:02 isp named[1768603]: using default UDP/IPv6 port range: [32768, 60999]
Sep 16 12:53:02 isp named[1768603]: sizing zone task pool based on 35 zones
Sep 16 12:53:02 isp named[1768603]: zone 'isp.domain.tld' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone 'localhost' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone '127.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone '0.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone '255.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
:
:all my domains follow here
:
Sep 16 12:53:02 isp named[1768603]: none:89: 'max-cache-size 90%' - setting to 5346MB (out of 5940MB)
Sep 16 12:53:02 isp named[1768603]: obtaining root key for view _default from '/etc/bind/bind.keys'
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: 10.IN-ADDR.ARPA
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: 16.172.IN-ADDR.ARPA
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: 17.172.IN-ADDR.ARPA
:
:further automatic zones follow here
:
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: EMPTY.AS112.ARPA
Sep 16 12:53:02 isp named[1768603]: automatic empty zone: HOME.ARPA
Sep 16 12:53:02 isp named[1768603]: zone 'version.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone 'hostname.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone 'authors.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: zone 'id.server' allows unsigned updates from remote hosts, which is insecure
Sep 16 12:53:02 isp named[1768603]: configuring command channel from '/etc/bind/rndc.key'
Sep 16 12:53:02 isp named[1768603]: configuring command channel from '/etc/bind/rndc.key'
Sep 16 12:53:02 isp named[1768603]: reloading configuration succeeded
Sep 16 12:53:02 isp named[1768603]: reloading zones succeeded
Sep 16 12:53:02 isp rndc[2176133]: server reload successful
Sep 16 12:53:02 isp systemd[1]: Reloaded BIND Domain Name Server.
Sep 16 12:53:02 isp named[1768603]: all zones loaded
Sep 16 12:53:02 isp named[1768603]: running
Sep 16 12:53:02 isp named[1768603]: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys

It says "server reload successful", but it doesn't actually do it.
Then I restart bind and everything is fine.

But the log now looks somewhat different:


Sep 16 14:04:22 isp systemd[1]: Stopping BIND Domain Name Server...
Sep 16 14:04:22 isp named[1768603]: received control channel command 'stop'
Sep 16 14:04:22 isp named[1768603]: no longer listening on 127.0.0.1#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on 192.168.251.91#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on 213.163.226.97#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on 213.163.226.98#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on ::1#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on 2a05:1142:1001:30::91#53
Sep 16 14:04:22 isp named[1768603]: no longer listening on fe80::188e:5aff:fe07:dea0%2#53
Sep 16 14:04:22 isp named[1768603]: shutting down: flushing changes
Sep 16 14:04:22 isp named[1768603]: stopping command channel on 127.0.0.1#953
Sep 16 14:04:22 isp named[1768603]: stopping command channel on ::1#953
Sep 16 14:04:22 isp named[1768603]: exiting
Sep 16 14:04:22 isp systemd[1]: named.service: Succeeded.
Sep 16 14:04:22 isp systemd[1]: Stopped BIND Domain Name Server.
Sep 16 14:04:22 isp systemd[1]: named.service: Consumed 8.411s CPU time.
Sep 16 14:04:22 isp systemd[1]: Started BIND Domain Name Server.
Sep 16 14:04:22 isp named[2208340]: starting BIND 9.16.27-Debian (Extended Support Version) <id:96094c5>
Sep 16 14:04:22 isp named[2208340]: running on Linux x86_64 5.10.0-11-amd64 #1 SMP Debian 5.10.92-2 (2022-02-28)
Sep 16 14:04:22 isp named[2208340]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-wQCDJA/bind9-9.16.27=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Sep 16 14:04:22 isp named[2208340]: running as: named -f -u bind
Sep 16 14:04:22 isp named[2208340]: compiled by GCC 10.2.1 20210110
Sep 16 14:04:22 isp named[2208340]: compiled with OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
Sep 16 14:04:22 isp named[2208340]: linked to OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
Sep 16 14:04:22 isp named[2208340]: compiled with libxml2 version: 2.9.10
Sep 16 14:04:22 isp named[2208340]: linked to libxml2 version: 20910
Sep 16 14:04:22 isp named[2208340]: compiled with json-c version: 0.15
Sep 16 14:04:22 isp named[2208340]: linked to json-c version: 0.15
Sep 16 14:04:22 isp named[2208340]: compiled with zlib version: 1.2.11
Sep 16 14:04:22 isp named[2208340]: linked to zlib version: 1.2.11
Sep 16 14:04:22 isp named[2208340]: ----------------------------------------------------
Sep 16 14:04:22 isp named[2208340]: BIND 9 is maintained by Internet Systems Consortium,
Sep 16 14:04:22 isp named[2208340]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 16 14:04:22 isp named[2208340]: corporation.  Support and training for BIND 9 are
Sep 16 14:04:22 isp named[2208340]: available at https://www.isc.org/support
Sep 16 14:04:22 isp named[2208340]: ----------------------------------------------------
Sep 16 14:04:22 isp named[2208340]: adjusted limit on open files from 524288 to 1048576
Sep 16 14:04:22 isp named[2208340]: found 4 CPUs, using 4 worker threads
Sep 16 14:04:22 isp named[2208340]: using 4 UDP listeners per interface
Sep 16 14:04:22 isp named[2208340]: using up to 21000 sockets
Sep 16 14:04:22 isp named[2208340]: loading configuration from '/etc/bind/named.conf'
Sep 16 14:04:22 isp named[2208340]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Sep 16 14:04:22 isp named[2208340]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Sep 16 14:04:22 isp named[2208340]: using default UDP/IPv4 port range: [32768, 60999]
Sep 16 14:04:22 isp named[2208340]: using default UDP/IPv6 port range: [32768, 60999]
Sep 16 14:04:22 isp named[2208340]: listening on IPv4 interface lo, 127.0.0.1#53
:
Sep 16 14:04:22 isp named[2208340]: IPv6 socket API is incomplete; explicitly binding to each IPv6 address separately
Sep 16 14:04:22 isp named[2208340]: listening on IPv6 interface lo, ::1#53
:
Sep 16 14:04:22 isp named[2208340]: generating session key for dynamic DNS
Sep 16 14:04:22 isp named[2208340]: sizing zone task pool based on 35 zones
Sep 16 14:04:22 isp named[2208340]: zone 'isp.domain.tld' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone 'localhost' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone '127.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone '0.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone '255.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
:
:all my domains follow here
:
Sep 16 14:04:22 isp named[2208340]: none:89: 'max-cache-size 90%' - setting to 5346MB (out of 5940MB)
Sep 16 14:04:22 isp named[2208340]: obtaining root key for view _default from '/etc/bind/bind.keys'
Sep 16 14:04:22 isp named[2208340]: set up managed keys zone for view _default, file 'managed-keys.bind'
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 10.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 16.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 17.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 18.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 19.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 20.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 21.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 22.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 23.172.IN-ADDR.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 24.172.IN-ADDR.ARPA
:
:further automatic zones
:
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: B.E.F.IP6.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: EMPTY.AS112.ARPA
Sep 16 14:04:22 isp named[2208340]: automatic empty zone: HOME.ARPA
Sep 16 14:04:22 isp named[2208340]: zone 'version.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone 'hostname.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone 'authors.bind' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: zone 'id.server' allows unsigned updates from remote hosts, which is insecure
Sep 16 14:04:22 isp named[2208340]: configuring command channel from '/etc/bind/rndc.key'
Sep 16 14:04:22 isp named[2208340]: command channel listening on 127.0.0.1#953
Sep 16 14:04:22 isp named[2208340]: configuring command channel from '/etc/bind/rndc.key'
Sep 16 14:04:22 isp named[2208340]: command channel listening on ::1#953
Sep 16 14:04:22 isp named[2208340]: managed-keys-zone: loaded serial 14
Sep 16 14:04:22 isp named[2208340]: zone isp.domain.tld/IN: loaded serial 2021120802
:
: all my domains follow here again
:
Sep 16 14:04:22 isp named[2208340]: all zones loaded
Sep 16 14:04:22 isp named[2208340]: running
:
:
:
Sep 16 14:04:22 isp named[2208340]: zone domain.tld/IN: sending notifies (serial 2022022116)
Sep 16 14:04:22 isp named[2208340]: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:500:2f::f#53
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:500:9f::42#53
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:500:2d::d#53
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:dc3::35#53
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:500:12::d0d#53
Sep 16 14:04:23 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:23 isp named[2208340]: no valid RRSIG resolving './NS/IN': 2001:500:200::b#53
:
:
:
Sep 16 14:04:26 isp named[2208340]: no valid RRSIG resolving './NS/IN': 198.41.0.4#53
Sep 16 14:04:26 isp named[2208340]: validating ./NS: no valid signature found
Sep 16 14:04:26 isp named[2208340]: no valid RRSIG resolving './NS/IN': 192.58.128.30#53
Sep 16 14:04:26 isp named[2208340]: resolver priming query complete

Do you have a tip on where I could investigate further?

thx
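The check Florian describes (watch the zone file, look for the "loaded serial" line) and the serial comparison swoop's logs call for, as an added shell example that is not part of this thread, of KeyHelp or of BIND. It assumes a hypothetical zone-file layout of $ZONEDIR/<zone>.db, a named answering on 127.0.0.1 and logging to the systemd unit named.service; the RFC 1982 serial comparison and the classification of the result are generic.

```shell
#!/bin/sh
# Added diagnostic, not part of KeyHelp or BIND. Assumed (hypothetical) layout:
# zone files at $ZONEDIR/<zone>.db, named answering on $NS and logging to the
# systemd unit named.service.
ZONEDIR="${ZONEDIR:-/etc/bind/zones}"
NS="${NS:-127.0.0.1}"

# SOA serial as written in the zone file. Comments are stripped and the file
# flattened so one-line and parenthesised SOA records parse the same way: the
# serial is the third field after the literal SOA (mname, rname, serial).
zone_file_serial() {
    sed 's/;.*$//; s/[()]/ /g' "$1" | tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "SOA") { print $(i + 3); exit }
    }'
}

# SOA serial that named currently answers with ("dig +short" prints
# mname rname serial refresh retry expire minimum).
served_serial() {
    dig +short "@$NS" "$1" SOA | awk '{ print $3 }'
}

# RFC 1982 serial arithmetic: 32-bit wrap-around, a is newer than b when the
# forward distance from b to a is below 2^31. Prints equal, newer or older.
serial_cmp() {
    d=$(( ($1 - $2) & 4294967295 ))
    if [ "$d" -eq 0 ]; then echo equal
    elif [ "$d" -lt 2147483648 ]; then echo newer
    else echo older; fi
}

# What the pair (file serial, served serial) says about the last save.
classify() {
    case "$(serial_cmp "$1" "$2")" in
        equal) echo "same serial on disk and in named: nothing new was loaded (serial not bumped, or reload already applied)" ;;
        newer) echo "file ahead of named: the zone file changed but the reload did not load it" ;;
        older) echo "named ahead of file: named holds newer data than the file (dynamic-update journal?)" ;;
    esac
}

check_zone() {
    f="$(zone_file_serial "$ZONEDIR/$1.db")"
    s="$(served_serial "$1")"
    echo "$1: file serial $f, served serial $s"
    classify "$f" "$s"
    # A successful reload logs a "loaded serial" line for each zone it reloaded.
    journalctl -u named.service --since "-10min" --no-pager \
        | grep -q "zone $1/IN: loaded serial" \
        || echo "no 'loaded serial' line for $1 in the last 10 minutes"
}

if [ $# -eq 1 ]; then check_zone "$1"; fi
```

Run it as `sh check_zone.sh domain.tld` right after saving a record in the DNS editor; "file ahead of named" with no "loaded serial" line is the pattern to look for when a reload reports success but the new record is not served.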
Florian
Keyweb AG
Posts: 1258
Joined: Wed 20. Jan 2016, 02:28

Re: After adding a DNS record, bind does not seem to get restarted

Post by Florian

Hello,

that is hard to judge like this. You are welcome to send me the access credentials and the domain in question via PM, then I will take a look. But I can't promise anything.
Best regards
Florian Cheno
