Home / server / Questions / 221250
Accepted
Josh
Asked: 2011-01-12 11:58:40 +0800 CST

Fixing BIND9 rndc error "connection to remote host closed"

  • 772

I just made some changes to a DNS zone in Webmin and clicked the "Apply Changes" button. I received the error message:

rndc: connection to remote host closed This may indicate that the remote server is using an older version of the command protocol, this host is not authorized to connect, or the key is invalid

How can I troubleshoot / repair this? I copied parts of the BIND config from a failing server, so I suspect that's what causing it...

bind troubleshooting rndc

5 Answers

  1. Best Answer

    With a little help from @plluksie, I solved this on my own. Here's what I did:

    1. First I ran rndc-confgen -a to regenerate my rndc key and conf file.
    2. Next, I verified that the contents of /etc/rndc.key were the same as /var/named/chroot/etc/rndc.key. They were (/etc/rndc.key was a symlink to /var/named/chroot//etc/rndc.key on my system)
    3. Then I edited /etc/rndc.key and copied the new key. I pasted that key into /etc/rndc.conf and /var/named/chroot/etc/rndc.conf
    4. The i restarted BIND via /etc/init.d/named restart and tested using: rndc reload some.zome.

    These steps solved the issue for me.

    • 9

  2. Ensure that file /etc/rndc.conf exists and have 

    key somekey {
         algorithm hmac-md5;
         secret "somesecret";
     };

    and also there is proper section in /etc/named.conf :

    key "somename" {
     algorithm hmac-md5;
     secret "somesecret";
};

controls {
     inet * port someport allow {"somegroup";} keys {"somename";};
};

    Do not forget to read named.conf(5) and rndc.conf(5)

    If it will not help, do what is described in the error message: check named and rndc versions (should be the same)

    • 5

  3. Do you change the keys ? If you don't stop the service before doing it, the key recorded in server daemon is the old, and rndc always use the new. Then thes keys are differents, so rejected by bind. You must kill the daemon, and restart it. The key is re-read at the configuration reading and use.

    • 0

  4. I had the same error, but it was because my algorithm type was different in named.conf. Once I verified that everything in the three files was hmac-sha256, applying the zone worked without error.

    • 0

  5. I had this issue on my machine running Ubuntu 20.04 and I solved it by changing the line algorithm hmac-sha256; to algorithm hmac-md5; in rncd.conf.

    This line is expected to be same in both named.conf and rndc.conf yet I had differing hashing in the above files as follows:

    named.conf:

    key "somename" {
     algorithm hmac-md5;
     secret "somesecret";
};

    rndc.conf:

    key "somename" {
     algorithm hmac-sha256;
     secret "somesecret";
};

    Changing it to algorithm hmac-md5; in rndc.conf worked for me with no errors.

    • 0