ISPConfig time to update Bind

Discussion in 'ISPConfig 3 Priority Support' started by albertf, Oct 3, 2019.

  1. albertf

    albertf Member HowtoForge Supporter

    If I change or add something in ISPConfig -> DNS -> Domain.com -> Records,
    how much time does Bind need to be updated?
    After more than 10 minutes, nano /etc/bind/pri.domain.com still has the TXT field not updated.
    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Max 60 seconds. Check if there is a file with a .err ending for this domain in the bind folder; this means that bind rejected your changes. You can then use the named-checkzone command to get a more detailed error message in case you don't know what you did wrong.
     
  3. albertf

    albertf Member HowtoForge Supporter

    Great, so the problem is on my side
    Code:
    [email protected]:~# named-checkzone domain-name.com /etc/bind/pri.domain-name.com
    Return
    Code:
    dns_master_load: /etc/bind/pri.domain-name.com:31: Kdomain-name.com.+007+08055.key: file not found
    dns_master_load: /etc/bind/pri.domain-name.com:33: Kdomain-name.com.+007+24209.key: file not found
    zone domain-name.com/IN: loading from master file /etc/bind/pri.domain-name.com failed: file not found
    zone domain-name.com/IN: not loaded due to errors.
    If I change manually in this file: /etc/bind/pri.domain-name.com
    Code:
    $INCLUDE Kdomain-name.com.+007+08055.key
    $INCLUDE Kdomain-name.com.+007+24209.key
    and add manually /etc/bind/
    Code:
    $INCLUDE /etc/bind/Kdomain-name.com.+007+08055.key
    $INCLUDE /etc/bind/Kdomain-name.com.+007+24209.key
    I get
    Code:
    [email protected]:~# named-checkzone domain-name.com /etc/bind/pri.domain-name.com
    zone domain-name.com/IN: loaded serial 2019100310
    OK
    [email protected]:~#
    But that's not the right way to do it?
    How can I avoid this error without adding /etc/bind/ manually?
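    The "file not found" output above comes from how BIND resolves include paths: a relative `$INCLUDE` is looked up against the working directory of the process (named's `directory` option, or the shell's current directory for named-checkzone), not against the directory of the zone file that contains it. The following script is an added example, not code from the thread or from ISPConfig; it reproduces that rule on a constructed zone directory so the effect of running named-checkzone from `~` versus from the zone directory, and of the manual absolute-path fix, can be seen offline. The zone name, key file names, IP and paths are all constructed placeholders.

```python
"""Check whether the $INCLUDE directives of a BIND zone file resolve.

BIND resolves a relative $INCLUDE path against the working directory of the
process: for named that is its `directory` option, for named-checkzone it is
the shell's current directory.  This added example mirrors that rule so the
"file not found" diagnostic can be explained without a running BIND.
"""
import os
import re
import tempfile

# Matches `$INCLUDE filename [origin] [; comment]`; the filename may be quoted.
INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+"?([^\s"]+)"?', re.IGNORECASE)


def check_includes(zone_path, workdir):
    """Return (line_no, include_as_written, resolved_path, exists) for every
    $INCLUDE directive in zone_path, resolving relative paths against workdir."""
    results = []
    with open(zone_path, encoding="utf-8") as fh:
        for line_no, line in enumerate(fh, start=1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            inc = m.group(1)
            resolved = inc if os.path.isabs(inc) else os.path.join(workdir, inc)
            resolved = os.path.normpath(resolved)
            results.append((line_no, inc, resolved, os.path.isfile(resolved)))
    return results


def missing_includes(zone_path, workdir):
    """Line numbers and paths of includes that would fail to load from workdir."""
    return [(ln, inc) for ln, inc, _, ok in check_includes(zone_path, workdir) if not ok]


def absolutize_includes(zone_text, base_dir):
    """Rewrite relative $INCLUDE paths to absolute ones under base_dir.

    This is the manual fix from the thread (prefixing the zone directory);
    the result loads regardless of the working directory."""
    out = []
    for line in zone_text.splitlines(keepends=True):
        m = INCLUDE_RE.match(line)
        if m and not os.path.isabs(m.group(1)):
            line = line.replace(m.group(1), os.path.join(base_dir, m.group(1)), 1)
        out.append(line)
    return "".join(out)


# Constructed sample: a zone directory holding a zone file and its two key
# files, laid out like /etc/bind/pri.<zone> with ISPConfig-style key names.
ZONE_TEXT = """$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2019100401 7200 540 604800 3600 )
example.com.     3600 NS ns1.example.com.
ns1.example.com. 3600 A  192.0.2.10
$INCLUDE Kexample.com.+007+11111.key
$INCLUDE Kexample.com.+007+22222.key
"""
KEY_FILES = ["Kexample.com.+007+11111.key", "Kexample.com.+007+22222.key"]


def build_demo():
    """Create the sample layout in a temp dir; return (root, zone_dir, zone_path)."""
    root = tempfile.mkdtemp(prefix="bind-include-demo-")
    zone_dir = os.path.join(root, "bind")
    os.makedirs(os.path.join(root, "home"))  # stands in for the admin's home dir
    os.makedirs(zone_dir)
    zone_path = os.path.join(zone_dir, "pri.example.com")
    with open(zone_path, "w", encoding="utf-8") as fh:
        fh.write(ZONE_TEXT)
    for name in KEY_FILES:
        with open(os.path.join(zone_dir, name), "w", encoding="utf-8") as fh:
            fh.write("; placeholder DNSKEY record (constructed)\n")
    return root, zone_dir, zone_path


def demo():
    """Run the check from a home-like dir, from the zone dir, and after the fix."""
    root, zone_dir, zone_path = build_demo()
    home = os.path.join(root, "home")
    from_home = missing_includes(zone_path, home)      # like running from ~
    from_bind = missing_includes(zone_path, zone_dir)  # like `cd /etc/bind` first
    fixed_path = zone_path + ".abs"
    with open(fixed_path, "w", encoding="utf-8") as fh:
        fh.write(absolutize_includes(ZONE_TEXT, zone_dir))
    fixed_from_home = missing_includes(fixed_path, home)
    return from_home, from_bind, fixed_from_home


if __name__ == "__main__":
    h, b, f = demo()
    print("missing when run from home dir :", h)
    print("missing when run from zone dir :", b)
    print("missing after absolutizing     :", f)
```

    Running from the home-like directory reports both includes (lines 6 and 7) as missing, exactly the shape of the dns_master_load messages in the thread; running with the zone directory as working directory, or after rewriting the includes to absolute paths, reports nothing. The check is textual and does not follow nested includes; for the authoritative verdict, run named-checkzone itself from the directory named uses as its working directory.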
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That's probably related to the other wrong tutorial that you followed before for DNSSEC. I explained there that it's likely that operations will fail for DNS if not everything is properly reversed. The issue you had there occurred on page 4 of the guide, so you must undo all steps on page 1 - 3 that you did before to fix your system.
     
  5. albertf

    albertf Member HowtoForge Supporter

    Please be sure that I have done nothing more in this tutorial than this below. That's the first step on page 4 and only one step has been done on page 4, and absolutely nothing with pages 1, 2, 3:
    Code:
    rollinit -zonefile /etc/bind/pri.example.org.signed -keyrec /etc/bind/example.org.krf -admin [email protected] example.org >> all.rollrec
    And I get this
    Code:
    -bash: rollinit: command not found
    Do you mean only this step broke all my conf?
    I cannot reverse something not done..
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    If you did not follow the guide and just ran this non-existing command, then there should be no problem. The key files get included automatically, I just tested it here in ISPConfig 3.1.15. So the question is why they can't be included in your case.

    Is there a file:

    /etc/bind/pri.domain-name.com.err

    on your server? Is there still a blinking red dot in the ISPConfig UI which indicates that there are pending changes?
     
  7. albertf

    albertf Member HowtoForge Supporter

    nano /etc/bind/pri.domain-name.com.err gives an empty file
    Code:
    /etc/bind/pri.domain-name.com
    gives me
    Code:
    $TTL        3600
    @       IN      SOA     ns1.domain-name.com. vps123.myvps.com. (
                            2019100414       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            3600 )            ; minimum, seconds
    ;
    
    domain-name.com. 3600 A        12.13.456.78
    mail.domain-name.com. 3600 A        12.13.456.78
    ns1.domain-name.com. 3600 A        12.13.456.78
    ns2.domain-name.com. 3600 A        10.11.123.456
    ftp.domain-name.com. 3600      CNAME        domain-name.com.
    www.domain-name.com. 3600      CNAME        domain-name.com.
    domain-name.com. 3600      CAA       0 issue "letsencrypt.org"
    domain-name.com. 3600      MX    10   mail.domain-name.com.
    domain-name.com. 3600      NS        ns1.domain-name.com.
    domain-name.com. 3600      NS        ns2.domain-name.com.
    78.456.13.12.in-addr.arpa. 3600      PTR        domain-name.com.
    78.456.13.12.in-addr.arpa. 3600      PTR        mail.domain-name.com.
    ns1.domain-name.com. 3600      PTR        12.13.456.78
    ns2.domain-name.com. 3600      PTR        10.11.123.456
    domain-name.com. 3600      TXT        "v=spf1 mx a ip4:12.13.456.78/32 a:mail.domain-name.com -all"
    default._domainkey.domain-name.com. 3600      TXT        "v=DKIM1; t=s; p=MIIBIjBNBgkqhkiG9w0BAQEFBBOCAQ8AMIIBCgKCAQEArwOGvmWFTtVgkMpiD3WDoLbnb2HyTyGmRcru45OcUs2kRZFiFmnt3RqIk68fpNFQ8EFiqT7UWNffcjXrmQAD1PxiM5ElPAL6975OWZ12sHTH4nstgV7xPu9UTX9xdNBo9+IuSyUjvUs21Wrc0tssG64ZkOuRa6jxW4lpTsrcT9Y2j2L2tk85nBdGeuy9fs3FNnI" "hQIDIsD2tEVEHt9LeFWekfjE1/aPhTtsgxOhmiaqOVkJ0SFzkiXbuNhrqsvGnSUj2U/tnN4jKUbL/kHES4iKZBiohsbWLvUuFokV0BZWMS9tElSrsRaxtIwT+gVa64BOaqO9d4UrTNbX23x09MQIDAQAB"
    ownercheck.domain-name.com. 3600      TXT        "fd3e5411"
    _dmarc.domain-name.com. 3600      TXT        "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:1:d:s; adkim=s; aspf=s; rf=afrf:iodef; sp=reject"
    
    $INCLUDE Kdomain-name.com.+007+08055.key
    
    $INCLUDE Kdomain-name.com.+007+24209.key
    Now, following your previous instruction, I always wait 60 seconds, meaning 2 minutes to be sure...
    Maybe when we set up the DNS with ISPConfig everything is ok, and later when we change something in the DNS zone with ISPConfig, /etc/bind/ disappears. I don't know...
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that no error was reported by BIND, so it's ok that this file does not exist.
     
  9. albertf

    albertf Member HowtoForge Supporter

    Yes, I agree.
    But
    Code:
    named-checkzone domain-name.com /etc/bind/pri.domain-name.com
    reports errors even if /etc/bind/pri.domain-name.com exists
    Code:
    named-checkzone domain-name.com /etc/bind/pri.domain-name.com
    dns_master_load: /etc/bind/pri.domain-name.com:31: Kdomain-name.com.+007+08055.key: file not found
    dns_master_load: /etc/bind/pri.domain-name.com:33: Kdomain-name.com.+007+24209.key: file not found
    zone domain-name.com/IN: loading from master file /etc/bind/pri.domain-name.com failed: file not found
    zone domain-name.com/IN: not loaded due to errors.
    
    To not get this error I must add /etc/bind/ manually
    Code:
    $INCLUDE /etc/bind/Kdomain-name.com.+007+08055.key
    $INCLUDE /etc/bind/Kdomain-name.com.+007+24209.key
    I get
    Code:
    [email protected]:~# named-checkzone domain-name.com /etc/bind/pri.domain-name.com
    zone domain-name.com/IN: loaded serial 2019100310
    OK
    [email protected]:~#
     
    Last edited: Oct 4, 2019
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Add the include lines for the keys manually for now; I don't know why they could not be added in your case, as it works flawlessly here on Debian 10. It might also be that something is missing on your setup in case you left other things out from the perfect server guide during install; at least it seems that you have left out fail2ban according to your other thread, so maybe you missed installing other packages from the perfect server guide as well? Or is the server with fail2ban a different, non-ISPConfig system?
     
  11. albertf

    albertf Member HowtoForge Supporter

    Ok I will, that's not a big problem.
    No, this thread is just asking for specific rules from advanced users; it means I'm using Fail2ban... I think it's better to ask than to apply some specific rules without enough knowledge.
    I can confirm that I have followed this tutorial perfectly: The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1, and installed everything as recommended, even mailman, and I don't need it.
    But it's ok for me, I can add /etc/bind/ manually, I just wanted to be sure not to break anything in ISPConfig if I am doing this.
     
