Articles in this section

See more

Unable to apply changes in DNS Settings with DNSSEC sgned: bind9.service: Reload operation timed out. Killing reload process

Avatar
Pavel Mikhaylov
Updated
Follow

Symptoms

  • While Plesk is applying new DNS records the following can be found in /var/log/syslog:

    CONFIG_TEXT: systemd[1]: Reloading BIND Domain Name Server.named
    [12505]: received control channel command 'reload'named
    [12505]: loading configuration from '/etc/named.conf'
    systemd[1]: bind9.service: Reload operation timed out. Killing reload process.
    systemd[1]: Reload failed for BIND Domain Name Server.

  • Then all websites stopped resolving:

    # dig @localhost example.com
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

Cause

While signing DNS zone with DNSSEC - BIND generates signatures and can hang on /dev/random due to lack of entropy.

Resolution

  1. Specify random-device /dev/urandom in /etc/named.conf in 'options' section:

    CONFIG_TEXT: options { allow-recursion { localhost; }; random-device "/dev/urandom";

  2. Restart the service:

    # service bind9 restart

    OR

    # service named-chroot restart

Note: As an option, it is possible to install haveged package which would increase entropy on the server.
Mind that such package is developed by 3rd-party and was not tested with Plesk.

Comments

4 comments

Sort by Date Votes
  • Avatar
    b_p

    Why isn't one of these options the standard setting?

    Ad 1)

    Bind only allows exactly ONE option block in its config file. However, the Plesk-defined file /etc/named.conf has this block in that part of the file that is automatically changed by Plesk. Thus, it is questionable if the settings from 1) and 2) will persist if Plesk updates /etc/named.conf!

    Ad 2)

    haveged could be a required package for Plesk installations!

    0
    Permalink
  • Avatar
    Nikolay Zhmuk

    @b_p I have checked on test environment that /etc/named.conf fine is not being overwritten during installation of Plesk MUs, updating of DNS settings via Plesk UI, re-installing of bind9 package.

    I have reported such behavior to our developers and such behavior will be improved in future release.

    Thank you for the input.

    0
    Permalink
  • Avatar
    b_p (Edited )

    @Nikolay

    If I have a look at /etc/named.conf, the first lines look like this

    // -- THE FOLLOWING LINES WERE GENERATED BY PLESK. IF YOU MODIFY THEM, THEY WILL BE OVERWRITTEN WHEN THESE SETTINGS ARE MANAGED IN PLESK UI. --
    options {
      // a set of options
    };



    // some other lines

    // -- END OF LINES GENERATED BY PLESK. --


    // -- PLEASE ADD YOUR CUSTOM DIRECTIVES BELOW THIS LINE. --
    // ...
    // -- END OF YOUR CUSTOM DIRECTIVES. --

    In order to define the random device, you need to include that in the options section shown above in your code example.

    However, as the Plesk-generated code snippet above shows, an option section is already defined in a file section that will be overwritten when you change settings in the Plesk UI. Thus, adding your proposed line to the file is possible but expected to disappear once you change the DNS settings. Now one could think "well, then let's just add another options section in custom directives part (which is supposed to be kept during changes in Plesk). However, that's not possible since the options section can only be defined once!

    0
    Permalink
  • Avatar
    Artyom Baranov

    @b_p,

    As Nikolay mentioned, `/etc/named.conf` is not being overwritten so it is possible to keep `random-device "/dev/urandom";` string in the main `options` section.

     

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles