
Beginning with version 6.3.2 of Men and Mice, the DNS Server Controllers check and monitor the state of the DNS servers they manage. For BIND servers this is done over the rndc control channel, using the rndc status command.

On some installations the DNS Server Controller cannot reach the BIND server over rndc. This happens when the nameserver configuration has no controls statement, or when the key configured for the control channel is invalid.

Before version 6.3.2, Men and Mice sent a HUP signal to named whenever rndc could not be used. Because this happened on every change made to the server, the user noticed nothing as long as a pid file for the named process was present. Using rndc is, however, cleaner and far lighter on the server than forcing a full configuration reload with SIGHUP.

From version 6.3.2 on, a yellow alert triangle appears on each BIND DNS server whose Men and Mice Server Controller cannot use rndc. When changes are made on that server, the user also gets an error stating that the BIND DNS server at 127.0.0.1 is not running.

Note: In some cases a yellow triangle appears and the status of the DNS server is shown as "DNS Server Down". The cause is then either that the pid file of the named process cannot be found, or that the rndc-key configured in the user_before file uses a TSIG algorithm the Suite version does not support.

Solution

There are two workarounds: either turn off DNS Server state monitoring, or add or fix the rndc connection.
Also check that the TSIG algorithm of the rndc key is supported by the installed M&M Suite version (see step 4 below).

Fix the rndc connection:

1. ssh to the server and cd to the named configuration directory, usually /var/named/conf/ or /var/cache/bind/conf

2. Open the file user_after in vi or similar editor and add the controls statement if it does not exist already:

controls {
        inet 127.0.0.1  allow { any; }  keys { rndc-key; };
};

3. Check whether the current rndc key works:

rndc status

If the status is not displayed correctly, generate a new rndc key with

rndc-confgen -a -r /dev/urandom

4. Copy the key statement from /etc/rndc.key (or /etc/bind/rndc.key on Debian/Ubuntu) into the file user_before, so that the key name referenced by the controls statement is defined, e.g.

key "rndc-key" {
        algorithm hmac-md5;
        secret "Mq6DurOXnnhqZDdvT3XHbE==";
};

Please note that M&M Suite versions up to and including 9.2.5 support no TSIG algorithm other than hmac-md5 for the rndc key; a key generated with hmac-sha256 (the default of newer rndc-confgen versions) will show up as "DNS Server Down" on those versions.
Starting with M&M Suite version 9.2.6, other TSIG algorithms such as hmac-sha256 and hmac-sha512 are supported. Prefer one of these over hmac-md5 wherever the Suite version allows it.

5. Restart named/bind9 and mmremote services

/etc/init.d/named restart
/etc/init.d/mmremote restart

On Linux with System V init scripts, mmremote can also be restarted with

service mmremote restart

Or with systemd:

systemctl restart mmremote

6. Right click on the server in Men and Mice, click "Reconnect". Try to make a small change on the server, and verify that no error will appear this time.
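Steps 2 to 4 above, automated as an added example (this is not a script from the Men and Mice documentation or product): it reads the key name and algorithm out of rndc.key, refuses to proceed if the algorithm is not supported by the given Suite version (hmac-md5 only before 9.2.6), appends the controls statement to user_after if none exists, and copies the key statement into user_before. The environment variables CONF_DIR, RNDC_KEY and MM_SUITE_VERSION, the function names, and the defaults taken from the "usually" paths on this page are all assumptions made here; the named/mmremote restart and the "Reconnect" in the console (steps 5 and 6) are left to the operator.

```shell
#!/bin/sh
# Added example, not part of the Men and Mice product. Assumed defaults below
# come from the paths this page calls "usual"; override them per host.

# Key name from an rndc.key file:   key "rndc-key" {  ->  rndc-key
rndc_key_name() {
    sed -n 's/^key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# TSIG algorithm from an rndc.key file:   algorithm hmac-sha256;  ->  hmac-sha256
rndc_key_algorithm() {
    sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\);.*/\1/p' "$1" | head -n 1
}

# version_ge A B: succeeds when dotted version A >= B (numeric, component-wise)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# algorithm_supported ALG SUITE_VERSION: hmac-md5 always; anything else only from 9.2.6 on
algorithm_supported() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$alg" = "hmac-md5" ] && return 0
    version_ge "$2" 9.2.6
}

# ensure_controls USER_AFTER KEYNAME: append the controls statement from the page if missing.
# inet 127.0.0.1 binds the control channel to loopback only, so allow { any; } still
# admits only local clients.
ensure_controls() {
    if grep -q '^controls' "$1" 2>/dev/null; then
        return 0
    fi
    cat >>"$1" <<EOF
controls {
        inet 127.0.0.1  allow { any; }  keys { $2; };
};
EOF
}

# install_key RNDC_KEY_FILE USER_BEFORE: copy the key statement into user_before once.
install_key() {
    name=$(rndc_key_name "$1")
    if [ -f "$2" ] && grep -q "^key \"$name\"" "$2"; then
        return 0
    fi
    # Only the statement from 'key "<name>" {' up to the closing '};'
    sed -n "/^key \"$name\"/,/^};/p" "$1" >>"$2"
}

# Driver for steps 2-4; run as:  sh fix-rndc.sh --apply
fix_rndc() {
    conf_dir=${CONF_DIR:-/var/named/conf}          # assumed default
    key_file=${RNDC_KEY:-/etc/rndc.key}            # assumed default
    suite=${MM_SUITE_VERSION:-9.2.5}               # assumed default
    if rndc status >/dev/null 2>&1; then
        echo "rndc already works; nothing to do"
        return 0
    fi
    # Same generator command as the page; -r is ignored by recent BIND releases
    [ -f "$key_file" ] || rndc-confgen -a -r /dev/urandom
    name=$(rndc_key_name "$key_file")
    alg=$(rndc_key_algorithm "$key_file")
    if ! algorithm_supported "$alg" "$suite"; then
        echo "key '$name' uses $alg, unsupported by Suite $suite (hmac-md5 only before 9.2.6)" >&2
        return 1
    fi
    ensure_controls "$conf_dir/user_after" "$name"
    install_key "$key_file" "$conf_dir/user_before"
    echo "controls and key installed; restart named and mmremote, then Reconnect in the console"
}

if [ "${1-}" = "--apply" ]; then
    fix_rndc
fi
```

The script deliberately stops with a non-zero status instead of installing a key whose algorithm the Suite cannot use, since that is exactly the configuration that produces the "DNS Server Down" state described above.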

Add the location of the "named" pid file:

The DNS server may also be reported as "DNS Service down" when the pid file of the named process cannot be found.

In this case check whether your options file (located in the conf sub-directory of the BIND working directory, usually /var/named/conf) contains a statement:

pid-file "<location of the named.pid file>";

Is the location correct (usually something like /var/run/named.pid), and is the pid file readable by the mmremoted process? If the statement is missing, add it to the options file.
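The pid-file check above, as an added example that is not part of this page or of the Men and Mice product: it extracts the pid-file path from the options file, verifies that the file is readable by the current user (run it as the user mmremoted runs under), and confirms that the pid inside belongs to a live process. The function names and the distinct return codes are assumptions made here.

```shell
#!/bin/sh
# Added example, not Men and Mice code. Run as the mmremoted user to check readability.

# Path from the   pid-file "/var/run/named.pid";   statement, empty if absent
pid_file_from_options() {
    sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | head -n 1
}

# check_named_pid OPTIONS_FILE
#   0: pid file found, readable, and points at a running process
#   1: no pid-file statement    2: file missing/unreadable    3: stale or malformed pid
check_named_pid() {
    pf=$(pid_file_from_options "$1")
    if [ -z "$pf" ]; then
        echo "no pid-file statement in $1; add e.g.: pid-file \"/var/run/named.pid\";" >&2
        return 1
    fi
    if [ ! -r "$pf" ]; then
        echo "pid file $pf is missing or not readable by $(id -un)" >&2
        return 2
    fi
    pid=$(tr -dc '0-9' <"$pf")
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        echo "pid file $pf does not point at a running process" >&2
        return 3
    fi
    echo "named pid $pid from $pf"
}
```

A return code of 2 while running as the mmremoted user is the permissions case the text asks about; a return code of 3 with named actually running usually means named writes its pid somewhere other than the configured path.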

Turn off DNS Server state monitoring:

Find preferences.cfg, usually /var/named/mmsuite/preferences.cfg or /var/cache/bind/mmsuite/preferences.cfg (on Ubuntu), and add the line:

<CheckServerStatus value="0" />

and restart the DNS Server Controller

/etc/init.d/mmremote restart