rndc: error: /etc/bind/rndc.key:5:未知选项'options‘..无法加载rndc配置

Question

我正在写我的Bsc论文，它讨论了基于DNS的命名实体身份验证(DANE)。为了设置DANE记录，我首先需要设置一个简单的BIND服务器(稍后安装DNSSEC..)。我是Linux的新手，所以非常感谢详细的帮助:)

我在Ubuntu12.04上安装了BIND9。配置"named.conf.options“、"named.conf.local”和"rndc.key“。但是，当我尝试重新启动bind时(使用命令：/etc/init.d/bind9 restart)，我得到以下错误：

  root@ubuntu:/etc/bind# /etc/init.d/bind9 restart
     * Stopping domain name service... bind9                                                                                                       
rndc: error: /etc/bind/rndc.key:5: unknown option 'options'
    rndc: could not load rndc configuration
                                                                                                                             [ OK ]
     * Starting domain name service... bind9                                                                                       [fail] 
    root@ubuntu:

我也遵循了本教程(http://ubuntuforums.org/showthread.php?t=1543750)，用于分析日志的命令：tail /var/log/daemon | grep named对我不起作用！

这是我的named.conf文件：

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/rndc.key";
key "rndc-key" {
       algorithm hmac-md5;
       secret "2mPij4Zk4JSh0KKUZPPEgA==";
};
controls {
       inet 127.0.0.1 port 953
       allow { 127.0.0.1; } keys { "rndc-key"; };
};

这是我的rndc.key文件：

key "rndc-key" {
        algorithm hmac-md5;
        secret "2mPij4Zk4JSh0KKUZPPEgA==";
};
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "2mPij4Zk4JSh0KKUZPPEgA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#       allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

这是我的区域设置：

$ORIGIN .
$TTL 86400 ; 1 day

danetest.com. IN SOA srv1.danetest.com. hostmaster.danetest.com. (
        2014010307 ; serial
        8H ; refresh
        4H ; retry;
        25W ; expire
        1D ; minimum
)

danetest.com. IN NS srv1.danetest.com.

$ORIGIN danetest.com.

localhost IN A 127.0.0.1

daneverified IN A 192.168.1.101
danebroken   IN A 192.168.1.101

非常感谢您的帮助！谢谢！:)

Answer 1

rndc.key不应包含除密钥以外的任何内容。然后，您可以将其包含在rndc的/etc/bind/rndc.conf中，并包含在/etc/bind/named.conf或其includes中的某个位置。我在https://github.com/chicks-net/dns-cache-performance/tree/master/configs/bind上有一个可以做到这一点的工作配置，这需要一些欺骗。里面有一个用于生成rndc.key的Makefile，但您必须手动清除“伪”选项。