Debian Jessie: Bind9 configuration problem

Hello!

I'm setting up a small Debian Jessie server (on an Ivy Bridge x64 PC with 16GB RAM) for my partner's workshop and my own. The PC works fine; I haven't included the lspci, lsusb and dmidecode output because I don't really think it's relevant to my problem… but I can add it if needed. And I'm already running into a small issue. But first, here is my configuration:

uname -a

dmesg /var/log/syslog

[code][ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04)
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=UUID=107f6cf9-3831-4820-bb66-1b342eafefd9 ro quiet
[ 0.000000] e820: BIOS-provided physical RAM map:
..........................................................
..........................................................[/code]

What else can I add…
2 network cards in bonding (mode 4), configured the old way, with /etc/network/interfaces

[code]source /etc/network/interfaces.d/*

# The loopback network interface

auto lo
iface lo inet loopback

# Static IPv4 configuration

auto bond0
iface bond0 inet static
address 192.168.24.10
netmask 255.255.255.0
network 192.168.24.0
gateway 192.168.24.1
slaves eth0 eth1
# jumbo frame support
mtu 9000
# same speed and duplex settings
bond-mode 802.3ad
bond-miimon 100
bond-downdelay 200
bond-updelay 200
dns-nameservers 192.168.24.10 192.168.24.1
dns-search mondomaine.com

# IPv6 static configuration

iface bond0 inet6 static
pre-up modprobe ipv6
address 2001:470:26:4f3::2
netmask 64
gateway 2001:470:26:4f3::1
dns-nameservers 2001:470:26:4f3::2 2001:470:26:4f3::1
[/code]

My /etc/modprobe.d/bonding.conf file

[code]alias bond0 bonding
options bonding mode=4 miimon=100 downdelay=200 updelay=200 primary=eth0[/code]

ifconfig

[code]bond0 Link encap:Ethernet HWaddr 80:1f:02:ff:c8:bd
inet adr:192.168.24.10 Bcast:192.168.24.255 Masque:255.255.255.0
adr inet6: fe80::821f:2ff:feff:c8bd/64 Scope:Lien
adr inet6: 2001:470:26:4f3::2/64 Scope:Global
UP BROADCAST RUNNING MASTER MULTICAST MTU:9000 Metric:1
RX packets:1695244 errors:0 dropped:31954 overruns:0 frame:0
TX packets:29911 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:388731088 (370.7 MiB) TX bytes:3795920 (3.6 MiB)

eth0 Link encap:Ethernet HWaddr 80:1f:02:ff:c8:bd
UP BROADCAST SLAVE MULTICAST MTU:9000 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth1 Link encap:Ethernet HWaddr 80:1f:02:ff:c8:bd
UP BROADCAST RUNNING SLAVE MULTICAST MTU:9000 Metric:1
RX packets:1695244 errors:0 dropped:0 overruns:0 frame:0
TX packets:29911 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:388731088 (370.7 MiB) TX bytes:3795920 (3.6 MiB)
Interruption:17 Mémoire:f72c0000-f72e0000

eth2 Link encap:Ethernet HWaddr 66:9a:be:1a:e6:04
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
adr inet6: ::1/128 Scope:Hôte
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:4215 errors:0 dropped:0 overruns:0 frame:0
TX packets:4215 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:427395 (417.3 KiB) TX bytes:427395 (417.3 KiB)[/code]

My hosts file

[code]127.0.0.1 localhost
192.168.24.10 srv-debian.mondomaine.com srv-debian
2001:470:26:4f3::2 srv-debian.mondomaine.com srv-debian

# The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters[/code]

I installed and configured my DNS server exactly as described (adding the IPv6 parameters) at https://wiki.debian.org/fr/Bind9
named.conf file

[code]acl internals { 127.0.0.0/8; 192.168.24.0/24; 2001:470:26:4f3::/64; };
// Load the options
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// Declaration of the TSIG key used for dynamic updates
include "/etc/bind/ns-mondomaine-com_rndc-key";
// Configure the control channel used to administer BIND9 with rndc
// By default the key lives in the rndc.key file and is used by
// rndc and bind9 on localhost
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; };
inet ::1 port 953 allow { ::1; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

zone "3.f.4.0.6.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.10";
};

include "/etc/bind/named.conf.local";[/code]

named.conf.options file

[code]options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forward only;
    forwarders { 192.168.24.1; 2001:470:26:4f3::1; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { ::1; 2001:470:26:4f3::2; };
    listen-on { 127.0.0.1; 192.168.24.10; };

    // Do not transfer zone data to secondary DNS servers
    allow-transfer { none; };

    // Accept queries from the internal network only
    allow-query { internals; };

    // Allow recursive queries for local hosts
    allow-recursion { internals; };

    // Do not publish the BIND version
    version none;

};
[/code]

named.conf.local file

[code]// Manage the log files
include "/etc/bind/named.conf.log";

//
// Do any local configuration here
//

// Management of the mondomaine.com domain
// ------------------------------
// - The server is defined as master for this domain
// - There is no forwarder for this domain because we control it.
// For all other domains we use the forwarder given in named.conf.options
// - Entries in the domain can be added dynamically with the key ns-example-com_rndc-key
zone "nounouch-couture-plus.ch" {
type master;
file "/var/lib/named/var/cache/bind/db.mondomaine.com";
forwarders {};
allow-update { key ns-mondomaine-com_rndc-key; };
};
zone "24.168.192.in-addr.arpa" {
type master;
file "/var/lib/named/var/cache/bind/db.mondomaine.com.inv";
forwarders {};
allow-update { key ns-mondomaine-com_rndc-key; };
};

zone "3.f.4.0.6.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa" {
type master;
file "/var/lib/named/var/cache/bind/db.mondomaine.com.inv";
forwarders {};
allow-update { key ns-mondomaine-com_rndc-key; };
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
[/code]
This isn't mentioned on the wiki, but I changed the path of the db.mondomaine.com and db.mondomaine.com.inv files, since further down it asks you to run # mv /var/cache/bind/* /var/lib/named/var/cache/bind/

named.conf.log file

[code]logging {
    channel update_debug {
        file "/var/log/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel bind_log {
        file "/var/log/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };

};[/code]

db.mondomaine.com file

[code]$TTL 3600
@ IN SOA srv-mondomaine.com. localadmin.mondomaine.com. (
2007010401 ; Serial
3600 ; Refresh [1h]
600 ; Retry [10m]
86400 ; Expire [1d]
600 ) ; Negative Cache TTL [1h]
;
@ IN NS srv-debian.mondomaine.com.
@ IN MX 10 srv-debian.mondomaine.com.

srv-debian IN A 192.168.24.10
srv-debian IN AAAA 2001:470:26:4f3::2

pop IN CNAME srv-debian
www IN CNAME srv-debian
mail IN CNAME srv-debian[/code]

db.mondomaine.com.inv file

[code]@ IN SOA srv-debian.mondomaine.com. localadmin.mondomaine.com. (
2007010401 ; Serial
3600 ; Refresh [1h]
600 ; Retry [10m]
86400 ; Expire [1d]
600 ) ; Negative Cache TTL [1h]
;
@ IN NS srv-debian.mondomaine.com.

1 IN PTR srv-debian.mondomaine.com.

3.f.4.0.6.2.0.0.0.7.4.0.1.0.0.2 IN PTR srv-debian.mondomaine.com.[/code]

/etc/resolv.conf file

[code]search mondomaine.com mondomaine.com.
nameserver 192.168.24.10
nameserver 2001:470:26:4f3::2
nameserver 192.168.24.1[/code]

/etc/default/bind9 file

[code]# run resolvconf?
RESOLVCONF=no

# startup options for the server

OPTIONS="-u bind -t /var/lib/named"[/code]

/etc/systemd/system/multi-user.target.wants/bind9.service file

[code][Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target

[Service]
ExecStart=/usr/sbin/named -f -u bind -t /var/lib/named
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target[/code]

A dig of the domain name, disconnected from the internet

[code]localadmin@srv-debian:~$ dig mondomaine.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> mondomaine.com
;; global options: +cmd
;; connection timed out; no servers could be reached
[/code]
Not good… it doesn't query itself?!?

A dig on IPv4 and then IPv6, disconnected from the internet

[code]root@srv-debian:/home/localadmin# dig -x 192.168.24.10

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> -x 192.168.24.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14054
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.24.168.192.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 0 msec
;; SERVER: 192.168.24.1#53(192.168.24.1)
;; WHEN: Wed Aug 19 06:50:29 CEST 2015
;; MSG SIZE rcvd: 114

root@srv-debian:/home/localadmin# dig -x 2001:470:26:4f3::2

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> -x 2001:470:26:4f3::2
;; global options: +cmd
;; connection timed out; no servers could be reached
[/code]
Honestly…

An nslookup of etch

[code]localadmin@srv-debian:~$ nslookup etch
;; Got SERVFAIL reply from 192.168.24.1, trying next server
;; connection timed out; no servers could be reached[/code]
There seems to be a problem…

A local nslookup

[code]root@srv-debian:/home/localadmin# nslookup 192.168.24.10
Server: 192.168.24.1
Address: 192.168.24.1#53

** server can't find 10.24.168.192.in-addr.arpa: NXDOMAIN

localadmin@srv-debian:~$ nslookup 2001:470:26:4f3::2
;; connection timed out; no servers could be reached
[/code]
The same problem…

A named-checkconf

[code]root@srv-debian:/home/localadmin# named-checkconf -z[/code]
[color=#BF0000]/etc/bind/named.conf.log:1: 'logging' redefined near 'logging'[/color]

named-checkzone

[code]root@srv-debian:/home/localadmin# named-checkzone mondomaine.com /var/lib/named/var/cache/bind/db.mondomaine.com
zone mondomaine.com/IN: loaded serial 2007010401
OK

root@srv-debian:/home/localadmin# named-checkzone 24.168.192.in-addr.arpa /var/lib/named/var/cache/bind/db.mondomaine.com.inv
/var/lib/named/var/cache/bind/db.mondomaine.com.inv:1: no TTL specified; using SOA MINTTL instead
zone 24.168.192.in-addr.arpa/IN: loaded serial 2007010401
OK[/code]

The files /var/log/update_debug.log, /var/log/security_info.log and /var/log/bind.log are completely empty. I can't find anything in /var/log/syslog either.

I searched the net, but I haven't found anything that could help me…

Thanks in advance to anyone who can help me or point me in the right direction :slightly_smiling:

I forgot one more thing

[code]root@srv-debian:/home/localadmin# /etc/init.d/bind9 reload
[....] Reloading bind9 configuration (via systemctl): bind9.serviceJob for bind9.service failed. See 'systemctl status bind9.service' and 'journalctl -xn' for details.
 failed!
root@srv-debian:/home/localadmin# journalctl -xn
-- Logs begin at lun 2015-08-17 13:03:42 CEST, end at mer 2015-08-19 08:04:27 CEST. --
aoû 19 08:01:47 srv-debian named[5826]: using up to 4096 sockets
aoû 19 08:01:47 srv-debian named[5826]: loading configuration from '/etc/bind/named.conf'
aoû 19 08:01:47 srv-debian named[5826]: /etc/bind/named.conf.log:1: 'logging' redefined near 'logging'
aoû 19 08:01:47 srv-debian named[5826]: loading configuration: already exists
aoû 19 08:01:47 srv-debian named[5826]: exiting (due to fatal error)
aoû 19 08:01:47 srv-debian systemd[1]: bind9.service: main process exited, code=exited, status=1/FAILURE
aoû 19 08:01:47 srv-debian rndc[5838]: rndc: connect failed: 127.0.0.1#953: connection refused
aoû 19 08:01:47 srv-debian systemd[1]: bind9.service: control process exited, code=exited status=1
aoû 19 08:01:47 srv-debian systemd[1]: Unit bind9.service entered failed state.
aoû 19 08:04:27 srv-debian systemd[1]: Unit bind9.service cannot be reloaded because it is inactive.[/code]
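Added example, not part of the post above and not the poster's or Debian's code: a small Python lint for the two things the post turns on. First, the "'logging' redefined" error, which named raises when the same file is reached twice through the include chain (each top-level stanza and zone in it is then declared twice). Second, the owner name a PTR record has to carry relative to a reverse zone such as 24.168.192.in-addr.arpa or the ip6.arpa zone in the post. The FILES dict is a constructed, shortened stand-in for the posted configuration: it keeps only the include structure and stanza names, and its paths are assumptions.

```python
"""Added example: lint a BIND include tree and reverse-zone PTR owner names.

Not the poster's code. FILES is a constructed, shortened model of the
configuration in the post; the paths are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the posted files: same include structure and
# top-level stanzas, bodies trimmed to what the lint looks at.
FILES = {
    "/etc/bind/named.conf": """
        acl internals { 127.0.0.0/8; 192.168.24.0/24; 2001:470:26:4f3::/64; };
        include "/etc/bind/named.conf.options";
        include "/etc/bind/named.conf.local";
        include "/etc/bind/named.conf.default-zones";
        controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; }; };
        zone "." { type hint; file "/etc/bind/db.root"; };
        include "/etc/bind/named.conf.local";
    """,
    "/etc/bind/named.conf.options": 'options { directory "/var/cache/bind"; };',
    "/etc/bind/named.conf.local": """
        include "/etc/bind/named.conf.log";
        zone "mondomaine.com" { type master; file "db.mondomaine.com"; };
    """,
    "/etc/bind/named.conf.log": "logging { category default { null; }; };",
    "/etc/bind/named.conf.default-zones":
        'zone "localhost" { type master; file "/etc/bind/db.local"; };',
}

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)
STANZA_RE = re.compile(r"^\s*(options|logging|controls)\s*\{", re.M)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.M)


def read_tree(root, files):
    """Visit every file in the order named reads it (depth-first through
    include directives). Returns [(path, chain)], where chain is the
    include path that led to the visit; a file may appear more than once."""
    visits = []

    def visit(path, chain):
        chain = chain + (path,)
        visits.append((path, chain))
        if chain.count(path) > 1:      # include cycle: record it, do not recurse
            return
        for inc in INCLUDE_RE.findall(files.get(path, "")):
            visit(inc, chain)

    visit(root, ())
    return visits


def lint(root, files):
    """Return (duplicate includes, redefined stanzas, zones declared twice).

    A file reached twice is parsed twice, so every stanza and zone inside
    it is declared twice; for a logging block named stops with
    "'logging' redefined", the error shown in the post."""
    visits = read_tree(root, files)
    counts = Counter(path for path, _ in visits)
    dup_includes = {path: [chain for p, chain in visits if p == path]
                    for path, n in counts.items() if n > 1}
    stanzas, zones = Counter(), Counter()
    for path, _ in visits:
        text = files.get(path, "")
        stanzas.update(STANZA_RE.findall(text))
        zones.update(ZONE_RE.findall(text))
    redefined = sorted(s for s, n in stanzas.items() if n > 1)
    dup_zones = sorted(z for z, n in zones.items() if n > 1)
    return dup_includes, redefined, dup_zones


def ptr_owner(ip, zone):
    """Owner name the PTR for `ip` must carry, relative to the reverse `zone`
    (e.g. "10" for 192.168.24.10 in 24.168.192.in-addr.arpa).
    Raises ValueError when the address is not covered by that zone."""
    full = ipaddress.ip_address(ip).reverse_pointer
    suffix = "." + zone.rstrip(".")
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {zone}")
    return full[: -len(suffix)]


if __name__ == "__main__":
    dup, redefined, dup_zones = lint("/etc/bind/named.conf", FILES)
    for path, chains in dup.items():
        print(f"{path} included {len(chains)} times:")
        for chain in chains:
            print("   " + " -> ".join(chain))
    print("redefined stanzas:", redefined)
    print("zones declared twice:", dup_zones)
    print("PTR owner for 192.168.24.10:",
          ptr_owner("192.168.24.10", "24.168.192.in-addr.arpa"))
    print("PTR owner for 2001:470:26:4f3::2:",
          ptr_owner("2001:470:26:4f3::2",
                    "3.f.4.0.6.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa"))
```

To run it against a real server, replace FILES with a dict built by reading each path under /etc/bind from disk (named -t chroots are an assumption you need to resolve yourself); the include chain printed for each duplicate shows which include line to drop, and ptr_owner shows the owner label each A or AAAA record needs in its reverse zone.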