5

I just made some changes to a DNS zone in Webmin and clicked the "Apply Changes" button. I received the error message:

rndc: connection to remote host closed This may indicate that the remote server is using an older version of the command protocol, this host is not authorized to connect, or the key is invalid

How can I troubleshoot / repair this? I copied parts of the BIND config from a failing server, so I suspect that's what's causing it...

Josh
    For others getting this error, I could solve it with just `touch /var/cache/bind/managed-keys.bind; chown bind:bind /var/cache/bind/managed-keys.bind`. Got the solution from http://www.linuxquestions.org/questions/linux-server-73/solution-named-loading-from-master-file-managed-keys-bind-failed-file-not-found-876137/ – mivk Jun 06 '12 at 21:00

5 Answers

11

With a little help from @plluksie, I solved this on my own. Here's what I did:

  1. First I ran rndc-confgen -a to regenerate my rndc key and conf file.
  2. Next, I verified that the contents of /etc/rndc.key were the same as /var/named/chroot/etc/rndc.key. They were (/etc/rndc.key was a symlink to /var/named/chroot/etc/rndc.key on my system).
  3. Then I edited /etc/rndc.key and copied the new key. I pasted that key into /etc/rndc.conf and /var/named/chroot/etc/rndc.conf.
  4. Then I restarted BIND via /etc/init.d/named restart and tested using: rndc reload some.zone.

These steps solved the issue for me.

Josh
5

Ensure that the file /etc/rndc.conf exists and contains

options {
    default-server 127.0.0.1; default-key "somename";   // tells rndc which server and key to use
};
key "somename" {                // same key name, algorithm and secret as in named.conf
    algorithm hmac-md5;
    secret "somesecret";
};

and that there is a matching section in /etc/named.conf:

key "somename" {
    algorithm hmac-md5;
    secret "somesecret";        // must be byte-for-byte the same secret as in rndc.conf
};

controls {
    // someport is normally 953; somegroup is an acl name (or an address such as 127.0.0.1)
    inet * port someport allow { "somegroup"; } keys { "somename"; };
};

Do not forget to read named.conf(5) and rndc.conf(5).

If that does not help, do what the error message suggests: check the named and rndc versions (they should be the same).

plluksie
0

I had the same error, but it was because my algorithm type was different in named.conf. Once I verified that everything in the three files was hmac-sha256, applying the zone worked without error.

Andrew Schulman
Travis
0

I had this issue on my machine running Ubuntu 20.04 and I solved it by changing the line algorithm hmac-sha256; to algorithm hmac-md5; in rndc.conf.

This line is expected to be the same in both named.conf and rndc.conf, yet I had differing hash algorithms in the two files, as follows:

named.conf:

key "somename" {
    algorithm hmac-md5;
    secret "somesecret";
};

rndc.conf:

key "somename" {
    algorithm hmac-sha256;
    secret "somesecret";
};

Changing it to algorithm hmac-md5; in rndc.conf worked for me with no errors.

Ginnungagap
Ravi
0

Did you change the keys? If you don't stop the service before doing so, the key recorded in the server daemon is the old one, and rndc always uses the new one. Then the keys are different, so the request is rejected by BIND. You must kill the daemon and restart it. The key is re-read when the configuration is read and used.

Dom
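The answers above all come down to one thing: the key clause that rndc reads from rndc.conf (name, algorithm and secret) must match the key clause that named loaded from named.conf, and named only reloads it on restart or reconfig. The script below is an added example, not code from the question or any of the answers: it extracts the key fields from both files, reports exactly which one differs (the hmac-sha256 versus hmac-md5 mismatch from the Ubuntu answers, a stale secret after rndc-confgen -a, or a key name present in only one file), and then shows the rotation from the accepted answer done by hand: one fresh 256-bit secret written identically into both files, followed by an rndc status check once named has been restarted. It assumes POSIX sh with awk and base64, the rndc-confgen default key name "rndc-key", and the usual loopback control channel 127.0.0.1:953; the file paths are temporary files created by the demo. It prefers hmac-sha256 and only warns about hmac-md5: BIND still accepts it, but it is a weak choice for a channel that can reload and stop your name server (current rndc-confgen takes -A hmac-sha256 to pick the algorithm).

```shell
#!/bin/sh
# Added example: keep the rndc control key consistent between rndc.conf and named.conf.
# Not code from the thread. Assumes POSIX sh, awk, base64 and (optionally) rndc.

# Print one field (algorithm or secret) of the key clause named NAME in FILE.
# Prints nothing when the clause or the field is missing.
key_field() {  # FILE NAME FIELD
    awk -v name="$2" -v field="$3" '
        $1 == "key" { n = $2; gsub(/["{]/, "", n); inkey = (n == name) }
        inkey && $1 == field { v = $2; gsub(/[";]/, "", v); print v; exit }
        $1 == "};" { inkey = 0 }
    ' "$1"
}

# Compare algorithm and secret of key NAME between RNDC_CONF and NAMED_CONF.
# Returns 0 when both agree (algorithm compared case-insensitively), 1 otherwise.
# Secret values are never printed, only whether they differ.
check_rndc_key() {  # RNDC_CONF NAMED_CONF NAME
    rc_file=$1; nc_file=$2; kname=$3; status=0
    for f in algorithm secret; do
        a=$(key_field "$rc_file" "$kname" "$f")
        b=$(key_field "$nc_file" "$kname" "$f")
        if [ -z "$a" ]; then echo "key \"$kname\": $f not found in $rc_file" >&2; status=1; continue; fi
        if [ -z "$b" ]; then echo "key \"$kname\": $f not found in $nc_file" >&2; status=1; continue; fi
        if [ "$f" = algorithm ]; then
            a=$(printf '%s' "$a" | tr 'A-Z' 'a-z'); b=$(printf '%s' "$b" | tr 'A-Z' 'a-z')
            if [ "$a" = hmac-md5 ]; then echo "warning: hmac-md5 is weak; prefer hmac-sha256" >&2; fi
            if [ "$a" != "$b" ]; then echo "key \"$kname\": algorithm differs ($rc_file: $a, $nc_file: $b)" >&2; status=1; fi
        elif [ "$a" != "$b" ]; then
            echo "key \"$kname\": secret differs between $rc_file and $nc_file" >&2; status=1
        fi
    done
    return $status
}

# Fresh 256-bit secret, base64 encoded: the same thing rndc-confgen -a generates for you.
gen_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Write a complete rndc.conf: rndc needs a default server and key as well as the key itself.
write_rndc_conf() {  # FILE NAME ALGORITHM SECRET
    printf 'options {\n\tdefault-server 127.0.0.1;\n\tdefault-port 953;\n\tdefault-key "%s";\n};\n' "$2" > "$1"
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$3" "$4" >> "$1"
    chmod 600 "$1"   # holds the secret; on a real host keep it root-owned
}

# Write the matching key and controls clauses for named.conf (or a file it includes).
write_named_controls() {  # FILE NAME ALGORITHM SECRET
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$3" "$4" > "$1"
    printf 'controls {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "%s"; };\n};\n' "$2" >> "$1"
    chmod 640 "$1"   # readable by the named/bind group only; chown root:named (or bind) on a real host
}

# Prove the key works. named reads the key only at startup or reconfig, so restart it first
# (the point of the last answer). Skipped where rndc is not installed.
verify_rndc() {  # RNDC_CONF
    if command -v rndc >/dev/null 2>&1; then
        rndc -c "$1" status
    else
        echo "rndc not installed here; after restarting named run: rndc -c $1 status" >&2
    fi
}

# Demo on constructed files: reproduce the hmac-sha256 vs hmac-md5 mismatch from the thread,
# then rotate to one fresh hmac-sha256 key written identically into both files.
demo_dir=$(mktemp -d)
write_rndc_conf "$demo_dir/rndc.conf" rndc-key hmac-sha256 "old-secret=="
write_named_controls "$demo_dir/named.conf" rndc-key hmac-md5 "old-secret=="
if check_rndc_key "$demo_dir/rndc.conf" "$demo_dir/named.conf" rndc-key; then
    echo "unexpected: mismatch not detected" >&2
else
    echo "mismatch detected, rotating key"
fi
new_secret=$(gen_secret)
write_rndc_conf "$demo_dir/rndc.conf" rndc-key hmac-sha256 "$new_secret"
write_named_controls "$demo_dir/named.conf" rndc-key hmac-sha256 "$new_secret"
if check_rndc_key "$demo_dir/rndc.conf" "$demo_dir/named.conf" rndc-key; then
    echo "rndc.conf and named.conf agree on key rndc-key"
fi
verify_rndc "$demo_dir/rndc.conf" || echo "rndc status failed: restart named and retry" >&2
rm -rf "$demo_dir"
```

On a chrooted install like the one in the accepted answer, run check_rndc_key against each copy of the file (the /etc one and the one under /var/named/chroot) before restarting; the symlink noted there is what keeps the two from drifting, and a copied-in config from another server is the usual way they end up different.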