ChristianLempa / videos

This is my video documentation. Here you'll find code-snippets, technical documentation, templates, command reference, and whatever is needed for all my YouTube Videos.
MIT License

Bind9 on Docker doesn't start #39

Closed paloky closed 1 year ago

paloky commented 1 year ago

Hi Christian. I'm trying to install a Docker container with bind9. I'm following all the steps (both from the video and from here on GitHub), but I can't get the Docker container to start. In the logs, I can see some "Permission denied" errors reading files. And in the last line "resolver priming query complete: failure". And bind doesn't start.

Any clues? Thanks a lot.

```
root@bind9:/docker# docker-compose up
[+] Running 1/0
 ⠿ Container bind9  Created  0.0s
Attaching to bind9
bind9 | Starting named...
bind9 | exec /usr/sbin/named -u "root" "-g" ""
bind9 | 23-Feb-2023 20:09:06.290 starting BIND 9.18.4-2ubuntu2.1-Ubuntu (Stable Release)
bind9 | 23-Feb-2023 20:09:06.290 running on Linux x86_64 5.15.85-1-pve #1 SMP PVE 5.15.85-1 (2023-02-01T00:00Z)
bind9 | 23-Feb-2023 20:09:06.290 built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-9eyUWq/bind9-9.18.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
bind9 | 23-Feb-2023 20:09:06.294 running as: named -u root -g
bind9 | 23-Feb-2023 20:09:06.294 compiled by GCC 12.2.0
bind9 | 23-Feb-2023 20:09:06.294 compiled with OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
bind9 | 23-Feb-2023 20:09:06.294 linked to OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
bind9 | 23-Feb-2023 20:09:06.294 compiled with libxml2 version: 2.9.14
bind9 | 23-Feb-2023 20:09:06.294 linked to libxml2 version: 20914
bind9 | 23-Feb-2023 20:09:06.294 compiled with json-c version: 0.16
bind9 | 23-Feb-2023 20:09:06.294 linked to json-c version: 0.16
bind9 | 23-Feb-2023 20:09:06.294 compiled with zlib version: 1.2.11
bind9 | 23-Feb-2023 20:09:06.294 linked to zlib version: 1.2.11
bind9 | 23-Feb-2023 20:09:06.294 ----------------------------------------------------
bind9 | 23-Feb-2023 20:09:06.294 BIND 9 is maintained by Internet Systems Consortium,
bind9 | 23-Feb-2023 20:09:06.294 Inc. (ISC), a non-profit 501(c)(3) public-benefit
bind9 | 23-Feb-2023 20:09:06.294 corporation.  Support and training for BIND 9 are
bind9 | 23-Feb-2023 20:09:06.294 available at https://www.isc.org/support
bind9 | 23-Feb-2023 20:09:06.294 ----------------------------------------------------
bind9 | 23-Feb-2023 20:09:06.294 found 4 CPUs, using 4 worker threads
bind9 | 23-Feb-2023 20:09:06.294 using 4 UDP listeners per interface
bind9 | 23-Feb-2023 20:09:06.298 config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future
bind9 | 23-Feb-2023 20:09:06.302 loading configuration from '/etc/bind/named.conf'
bind9 | 23-Feb-2023 20:09:06.302 unable to open '/etc/bind/bind.keys'; using built-in keys instead
bind9 | 23-Feb-2023 20:09:06.314 looking for GeoIP2 databases in '/usr/share/GeoIP'
bind9 | 23-Feb-2023 20:09:06.318 using default UDP/IPv4 port range: [32768, 60999]
bind9 | 23-Feb-2023 20:09:06.318 using default UDP/IPv6 port range: [32768, 60999]
bind9 | 23-Feb-2023 20:09:06.318 listening on IPv4 interface lo, 127.0.0.1#53
bind9 | 23-Feb-2023 20:09:06.326 listening on IPv4 interface eth0, 172.18.0.2#53
bind9 | 23-Feb-2023 20:09:06.326 Could not open '//run/named/named.pid'.
bind9 | 23-Feb-2023 20:09:06.326 Please check file and directory permissions or reconfigure the filename.
bind9 | 23-Feb-2023 20:09:06.326 could not open file '//run/named/named.pid': Permission denied
bind9 | 23-Feb-2023 20:09:06.326 generating session key for dynamic DNS
bind9 | 23-Feb-2023 20:09:06.326 Could not open '//run/named/session.key'.
bind9 | 23-Feb-2023 20:09:06.326 Please check file and directory permissions or reconfigure the filename.
bind9 | 23-Feb-2023 20:09:06.326 could not open file '//run/named/session.key': Permission denied
bind9 | 23-Feb-2023 20:09:06.326 could not create //run/named/session.key
bind9 | 23-Feb-2023 20:09:06.326 failed to generate session key for dynamic DNS: permission denied
bind9 | 23-Feb-2023 20:09:06.330 sizing zone task pool based on 1 zones
bind9 | 23-Feb-2023 20:09:06.330 none:98: 'max-cache-size 90%' - setting to 6994MB (out of 7771MB)
bind9 | 23-Feb-2023 20:09:06.330 using built-in root key for view _default
bind9 | 23-Feb-2023 20:09:06.330 set up managed keys zone for view _default, file 'managed-keys.bind'
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 10.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 16.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 17.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 18.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 19.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 20.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 21.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 22.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 23.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.330 automatic empty zone: 24.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 25.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 26.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 27.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 28.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 29.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 30.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 31.172.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 168.192.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 64.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 65.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 66.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 67.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 68.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 69.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.354 automatic empty zone: 70.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 71.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 72.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 73.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 74.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 75.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 76.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 77.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 78.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 79.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 80.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 81.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 82.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 83.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 84.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 85.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 86.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.358 automatic empty zone: 87.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.362 automatic empty zone: 88.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 89.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 90.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 91.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 92.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 93.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 94.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 95.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 96.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 97.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 98.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.366 automatic empty zone: 99.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 100.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 101.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 102.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 103.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 104.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 105.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 106.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 107.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 108.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 109.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 110.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 111.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 112.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 113.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 114.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 115.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.370 automatic empty zone: 116.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 117.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 118.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 119.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 120.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 121.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 122.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 123.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 124.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 125.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 126.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 127.100.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 0.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 127.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 254.169.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 2.0.192.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 100.51.198.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.374 automatic empty zone: 113.0.203.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: D.F.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 8.E.F.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 9.E.F.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: A.E.F.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: B.E.F.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: EMPTY.AS112.ARPA
bind9 | 23-Feb-2023 20:09:06.378 automatic empty zone: HOME.ARPA
bind9 | 23-Feb-2023 20:09:06.382 configuring command channel from '/etc/bind/rndc.key'
bind9 | 23-Feb-2023 20:09:06.382 command channel listening on 127.0.0.1#953
bind9 | 23-Feb-2023 20:09:06.386 configuring command channel from '/etc/bind/rndc.key'
bind9 | 23-Feb-2023 20:09:06.386 command channel listening on ::1#953
bind9 | 23-Feb-2023 20:09:06.386 not using config file logging statement for logging due to -g option
bind9 | 23-Feb-2023 20:09:06.414 managed-keys-zone: loaded serial 9
bind9 | 23-Feb-2023 20:09:06.422 address not available resolving './NS/IN': 2001:500:12::d0d#53
bind9 | 23-Feb-2023 20:09:06.426 address not available resolving './NS/IN': 2001:500:1::53#53
bind9 | 23-Feb-2023 20:09:06.426 zone demo.home.es/IN: loaded serial 2022122800
bind9 | 23-Feb-2023 20:09:06.426 address not available resolving './NS/IN': 2001:7fe::53#53
bind9 | 23-Feb-2023 20:09:06.426 all zones loaded
bind9 | 23-Feb-2023 20:09:06.426 running
bind9 | 23-Feb-2023 20:09:06.426 address not available resolving './NS/IN': 2001:7fd::1#53
bind9 | 23-Feb-2023 20:09:06.426 address not available resolving './NS/IN': 2001:500:9f::42#53
bind9 | 23-Feb-2023 20:09:06.426 address not available resolving './NS/IN': 2001:dc3::35#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:503:ba3e::2:30#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:503:c27::2:30#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:500:2::c#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:500:a8::e#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:500:2d::d#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:500:2f::f#53
bind9 | 23-Feb-2023 20:09:06.430 address not available resolving './NS/IN': 2001:500:200::b#53
bind9 | 23-Feb-2023 20:09:06.434 SERVFAIL unexpected RCODE resolving './NS/IN': 192.112.36.4#53
bind9 | 23-Feb-2023 20:09:06.438 SERVFAIL unexpected RCODE resolving './NS/IN': 198.97.190.53#53
bind9 | 23-Feb-2023 20:09:06.438 SERVFAIL unexpected RCODE resolving './NS/IN': 192.36.148.17#53
bind9 | 23-Feb-2023 20:09:06.442 managed-keys-zone: No DNSKEY RRSIGs found for '.': success
bind9 | 23-Feb-2023 20:09:06.446 SERVFAIL unexpected RCODE resolving './NS/IN': 193.0.14.129#53
bind9 | 23-Feb-2023 20:09:06.450 SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.83.42#53
bind9 | 23-Feb-2023 20:09:06.454 SERVFAIL unexpected RCODE resolving './NS/IN': 202.12.27.33#53
bind9 | 23-Feb-2023 20:09:06.458 SERVFAIL unexpected RCODE resolving './NS/IN': 198.41.0.4#53
bind9 | 23-Feb-2023 20:09:06.462 SERVFAIL unexpected RCODE resolving './NS/IN': 192.58.128.30#53
bind9 | 23-Feb-2023 20:09:06.466 SERVFAIL unexpected RCODE resolving './NS/IN': 192.33.4.12#53
bind9 | 23-Feb-2023 20:09:06.470 SERVFAIL unexpected RCODE resolving './NS/IN': 192.203.230.10#53
bind9 | 23-Feb-2023 20:09:06.474 SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.91.13#53
bind9 | 23-Feb-2023 20:09:06.478 SERVFAIL unexpected RCODE resolving './NS/IN': 192.5.5.241#53
bind9 | 23-Feb-2023 20:09:06.482 SERVFAIL unexpected RCODE resolving './NS/IN': 199.9.14.201#53
bind9 | 23-Feb-2023 20:09:06.482 resolver priming query complete: failure
```

paloky commented 1 year ago

Hi again.

Finally, I have found the error. It is not a bug in Docker itself, but in the Bind9 configuration.

In the configuration file "named.conf", it's necessary to add the option "dnssec-validation no;" inside "options" for the forwarder to work.

```
acl internal {
  10.168.0.0/24;
};

options {
  dnssec-validation no;
  forwarders {
    1.1.1.1;
    1.0.0.1;
  };
  allow-query { internal; };
};

zone "paloky.home" IN {
  type master;
  file "/etc/bind/paloky-home.zone";
};
```

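
An added editor's example (not code from the issue or the repository) that audits the `options` block of a named.conf like the one posted above. It assumes plain named.conf text as input and reports the settings that decide exposure: `dnssec-validation no` means named accepts the forwarders' answers without validating DNSSEC signatures, and a missing `allow-query` leaves the resolver answering any client that can reach port 53.

```python
import re
from typing import Dict, List

# Constructed input: the named.conf fragment posted in the comment above.
NAMED_CONF = """\
acl internal {
  10.168.0.0/24;
};

options {
  dnssec-validation no;
  forwarders {
    1.1.1.1;
    1.0.0.1;
  };
  allow-query { internal; };
};
"""

def block_body(text: str, name: str) -> str:
    """Body of the first `name { ... }` block, tracking nesting so that an inner block
    (forwarders inside options) does not end the match early."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return ""
    start, depth = m.end() - 1, 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:j]
    return ""

def audit_options(conf: str) -> Dict[str, object]:
    """Extract the exposure-relevant options and list what widens exposure."""
    opts = block_body(conf, "options")
    m = re.search(r"dnssec-validation\s+(\w+)\s*;", opts)
    validation = m.group(1) if m else "auto"   # BIND 9's default when the option is absent
    forwarders = re.findall(r"([^\s;{}]+)\s*;", block_body(opts, "forwarders"))
    aq = re.search(r"allow-query\s*\{([^}]*)\}", opts)
    allow_query = [t for t in re.split(r"[;\s]+", aq.group(1)) if t] if aq else []
    findings: List[str] = []
    if validation == "no":
        findings.append("dnssec-validation no: forwarder answers are accepted without signature validation")
    if not allow_query:
        findings.append("allow-query absent: any client reaching port 53 may query this resolver")
    return {"dnssec_validation": validation, "forwarders": forwarders,
            "allow_query": allow_query, "findings": findings}
```

On the posted fragment the only finding is the disabled validation; switching the line to `dnssec-validation auto;` clears it, which is the setting to test again once the forwarders are known to return validatable answers.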
ChristianLempa commented 1 year ago

Thanks for letting me know the root cause! I'll add it to the documentation as soon as I have more of a clue about this setting.