Difficult to monitor BIND with stork-agent
Stork-agent is not able to make use of the simple rndc.key found in the BIND configuration directory. It complains that there is no controls clause, as shown:
May 3 14:31:06 dynamic-192-168-20-20 stork-agent[8367]: time="2023-05-03 14:31:06" level="info" msg="Found BIND 9 config file in /etc/bind/named.conf based on output of `named -V`." file=" bind9.go:485 "
May 3 14:31:06 dynamic-192-168-20-20 stork-agent[8367]: time="2023-05-03 14:31:06" level="warning" msg="Cannot determine BIND 9 rndc details: cannot determine rndc key" file=" bind9.go:561 "
Perhaps this is as intended. However, if you then configure rndc.conf and BIND correctly using rndc-confgen, it still does not work, because it uses an incorrect format when executing rndc, as shown:
May 3 14:51:09 dynamic-192-168-20-20 stork-agent[9178]: time="2023-05-03 14:51:09" level="debug" msg="Rndc: [/usr/sbin/rndc -s 127.0.0.1 -p 953 -y hmac-sha256:iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM= status]" file=" bind9.go:125 "
May 3 14:51:09 dynamic-192-168-20-20 stork-agent[9178]: time="2023-05-03 14:51:09" level="error" msg="Failed to forward commands to rndc: exit status 1" file=" agent.go:244 " Address="127.0.0.1" Port="953"
The rndc command is being executed like so: rndc -s 127.0.0.1 -p 953 -y hmac-sha256:iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM= status
This produces errors if run from the command line as shown:
$ rndc -s 127.0.0.1 -p 953 -y hmac-sha256:iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM= status
rndc: no key definition for name hmac-sha256:iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM=
Proper syntax is as follows: rndc -s 127.0.0.1 -p 953 -y rndc-key status. The relevant configuration is shown below:
excerpt of named.conf:
key "rndc-key" {
  algorithm hmac-sha256;
  secret "iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM=";
};
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
rndc.conf:
# Start of rndc.conf
key "rndc-key" {
  algorithm hmac-sha256;
  secret "iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM=";
};
options {
  default-key "rndc-key";
  default-server 127.0.0.1;
  default-port 953;
};
# End of rndc.conf
Alternatively, the rndc.conf file could be specified on the command line: rndc -c /etc/bind/rndc.conf status. This would allow the IP and port specification to be removed from the command line, as they are in the conf file.
A third option, to obviate the need for the administrator to create an rndc.conf file, would be to look for rndc.key if no rndc.conf or controls clause (in named.conf) was found. An rndc.key file can be specified as follows: rndc -k /etc/bind/rndc.key status. If an rndc.key file exists in the directory with named.conf (it can be generated with rndc-confgen -a if it was removed) and no controls clause exists in named.conf, then named will allow local connections using the key in that key file. Many administrators use rndc this way, so it is something to consider.
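As an added illustration of the command-line rules described above (this is example code written for this report, not Stork's own bind9.go), the following Go snippet parses the key and controls clauses out of a named.conf string and builds an rndc argument vector: with a controls clause it passes the key name (never the algorithm:secret pair) to -y, and without one it falls back to -k with the rndc.key path. The function names, the key-file path and the configuration samples are constructed assumptions; the secret in the sample is a placeholder, not a real key.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// KeyDef is one `key "name" { ... };` clause from named.conf or rndc.conf.
type KeyDef struct {
	Name, Algorithm, Secret string
}

// Controls is the inet statement of a `controls { ... };` clause.
type Controls struct {
	Address, Port, KeyName string
}

var (
	keyRe = regexp.MustCompile(
		`(?s)key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;`)
	controlsRe = regexp.MustCompile(
		`(?s)controls\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{[^}]*\}\s*keys\s*\{\s*"([^"]+)"\s*;\s*\}\s*;`)
)

// ParseKeys returns every key clause in conf, indexed by key name.
func ParseKeys(conf string) map[string]KeyDef {
	keys := map[string]KeyDef{}
	for _, m := range keyRe.FindAllStringSubmatch(conf, -1) {
		keys[m[1]] = KeyDef{Name: m[1], Algorithm: m[2], Secret: m[3]}
	}
	return keys
}

// ParseControls returns the first controls/inet statement, or nil when named.conf has none.
func ParseControls(conf string) *Controls {
	m := controlsRe.FindStringSubmatch(conf)
	if m == nil {
		return nil
	}
	return &Controls{Address: m[1], Port: m[2], KeyName: m[3]}
}

// LooksLikeSecret reports whether a would-be -y argument is an "algorithm:secret"
// pair, the form rndc rejects with "no key definition for name ...".
func LooksLikeSecret(keyArg string) bool {
	return strings.Contains(keyArg, ":")
}

// RndcArgs builds the rndc argument vector for cmd (hypothetical helper).
// With a controls clause: -s/-p come from that clause and -y carries the key *name*,
// which rndc resolves in its own configuration (rndc.conf, or a key file given with -k).
// Without one: named accepts local connections with the key in rndc.key, so pass that file with -k.
func RndcArgs(namedConf, rndcKeyPath string, rndcKeyExists bool, cmd string) ([]string, error) {
	keys := ParseKeys(namedConf)
	if ctl := ParseControls(namedConf); ctl != nil {
		k, ok := keys[ctl.KeyName]
		if !ok {
			return nil, fmt.Errorf("controls clause references undefined key %q", ctl.KeyName)
		}
		return []string{"rndc", "-s", ctl.Address, "-p", ctl.Port, "-y", k.Name, cmd}, nil
	}
	if rndcKeyExists {
		return []string{"rndc", "-k", rndcKeyPath, cmd}, nil
	}
	return nil, errors.New("cannot determine rndc key: no controls clause and no rndc.key")
}

// Constructed named.conf with a controls clause (placeholder secret, not a real key).
const namedConfWithControls = `
key "rndc-key" {
	algorithm hmac-sha256;
	secret "PLACEHOLDER-SECRET-NOT-A-REAL-KEY=";
};
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
`

// Constructed named.conf without a controls clause: named falls back to rndc.key.
const namedConfNoControls = `
options {
	directory "/var/cache/bind";
};
`

func main() {
	args, err := RndcArgs(namedConfWithControls, "/etc/bind/rndc.key", true, "status")
	fmt.Println(strings.Join(args, " "), err)
	args, err = RndcArgs(namedConfNoControls, "/etc/bind/rndc.key", true, "status")
	fmt.Println(strings.Join(args, " "), err)
}
```

The first call yields `rndc -s 127.0.0.1 -p 953 -y rndc-key status`, the form shown as correct above; the second yields `rndc -k /etc/bind/rndc.key status`, the third option. LooksLikeSecret is the check the agent could apply before spawning rndc to catch the `hmac-sha256:...` argument seen in the debug log.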
The only way to get BIND monitoring working at the moment is to set up rndc.conf this way:
#key "rndc-key" {
key "hmac-sha256:iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM=" {
  algorithm hmac-sha256;
  secret "iCQvHPqq43AvFK/xRHaKrUiq4GPaFyBpvt/GwKSvKwM=";
};
options {
  default-key "rndc-key";
  default-server 127.0.0.1;
  default-port 953;
};
which, I assume, means that if -y is specified on the command line, rndc ignores the options section with the defaults defined.