Symptoms
-
Some DNS records are not propagated automatically. Manual DNS service restart resolves this issue.
-
Unable to reload the DNS service:
# service bind9 reload
Job for bind9.service failed because the control process exited with error code. See "systemctl status bind9.service" and "journalctl -xe" for details.
-
The next rows appear in the
/var/log/syslogor/var/log/messagesfiles in an attempt to reload the DNS service:systemd[1]: Reloading BIND Domain Name Server.
named[24013]: invalid command from 127.0.0.1#41838: bad auth
rndc[24290]: rndc: connection to remote host closed
rndc[24290]: This may indicate that
rndc[24290]: * the remote server is using an older version of the command protocol,
rndc[24290]: * this host is not authorized to connect,
rndc[24290]: * the clocks are not synchronized,
rndc[24290]: * the key signing algorithm is incorrect, or
rndc[24290]: * the key is invalid.
systemd[1]: bind9.service: Control process exited, code=exited status=1
systemd[1]: Reload failed for BIND Domain Name Server. -
There are two different keys specified in the
/etc/named.confand/etc/bind/rndc.key(or/etc/rndc.key) files:# /etc/named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "CeMgS**********yv0x40Q==";
};# cat /etc/bind/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "aff2YA**********FRkj/g==";
};
Cause
Two different keys are in conflict with each other.
Resolution
Use the same key in both files:
-
Connect to the server via SSH.
-
Get the key from the
/etc/bind/rndc.key(or/etc/rndc.key) file and copy it.# cat /etc/bind/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "aff2YA**********FRkj/g==";
}; -
Open the
/etc/named.confand/or/etc/bind/rndc.conffile via any text editor and modify change the key to the correct one received from the previous step:[BEFORE]
key "rndc-key" {
algorithm hmac-md5;
secret "CeMgS**********yv0x40Q==";
};[AFTER]
key "rndc-key" {
algorithm hmac-md5;
secret "aff2YA**********FRkj/g==";
}; -
Restart the DNS service:
# service bind9 restart
OR
# service named-chroot restart