Adding extra domain doesn't work

Got everything running fine for my main domain. I now wanted to add another domain, so I pointed the nameservers for that domain to my mailinabox. That works, because pingability answers with the right ns1 and ns2.
I ran tools/mail.py and added the mail address with the new domain name. It somewhat worked, because the zones are added to nsd for example.
But somehow no A records are returned. When I dig the domain name at my ns1 I get no ANSWER section and it says status: SERVFAIL.
Do I need to restart something? I tried the mailinabox service, to no avail.

It could be that the nsd service stopped running, I guess.

Can you let me know what the two domains are so I can dig from here?

The box is at box.fuess.nl with nameserver ns1.box.fuess.nl and ns2…

The main domain responds fine. The new domain is marleenheemskerk.nl.

Strange thing is the nsd.conf contains the same ip-address twice:

zonesdir: "/etc/nsd/zones"
ip-address: 149.210.177.248
ip-address: 149.210.178.61
ip-address: 149.210.178.61

I did sudo service nsd stop and got stop: Unknown instance: so it wasn’t running. When I do sudo service nsd stop the syslog shows:

nsd is already running as 32437, continuing
can't bind udp socket: Address already in use
server initialization failed, nsd could not be started

And while I was scanning the log I noticed:

box named[30385]: validating @0x7fa35c5f00a0: ns1.box.fuess.nl A: no valid signature found
box named[30385]: validating @0x7fa35c5f00a0: ns2.box.fuess.nl A: no valid signature found
box named[30385]: validating @0x7fa35c5f00a0: box.fuess.nl A: no valid signature found
box named[30385]: validating @0x7fa35c60ce10: box.fuess.nl MX: no valid signature found
box named[30385]: validating @0x7fa35c5f00a0: fuess.nl NS: no valid signature found
box named[30385]: validating @0x7fa35c60ce10: fuess.nl MX: no valid signature found
box named[30385]: validating @0x7fa35c5f00a0: fuess.nl A: no valid signature found
box named[30385]: error (unexpected RCODE SERVFAIL) resolving 'marleenheemskerk.nl/NS/IN': 149.210.177.248#53
box named[30385]: error (unexpected RCODE SERVFAIL) resolving 'marleenheemskerk.nl/MX/IN': 149.210.177.248#53
box named[30385]: error (unexpected RCODE SERVFAIL) resolving 'marleenheemskerk.nl/A/IN': 149.210.177.248#53

I don’t think the duplicated IP address is the problem. But you could try fixing that and restarting nsd to see if it helps.

In syslog, named is actually a different nameserver. The box installs bind9 as a local-only, DNSSEC-enforcing nameserver. E.g. when you send outbound mail, that’s how the box figures out the destination IP address. So these messages are indicating that it can’t connect to the box’s public DNS server (nsd), which makes sense since nsd had an error while restarting.

Something like this problem came up for someone else. Seemed to be a conflict between bind9 and nsd both trying to be the DNS server.

Can you try:

service nsd stop
service bind9 stop
service nsd start # see if it fails with bind9 off

service nsd stop
service bind9 start
service nsd start # see if it fails with all services running

If it’s still not working, can you paste /etc/bind/named.conf.options?

With bind9 stopped and starting nsd I get this:

sudo service nsd start
nsd start/pre-start, process 468

But log keeps complaining about the can't bind udp socket: Address already in use.

named.conf.options:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    listen-on { 127.0.0.1; };
};

What I find strange is that dig-ging the main domain at the nameserver works fine. Also the whats_next script complains for marleenheemskerk.nl:

✖  The nameservers set on this domain are incorrect. They are currently [Not Set].

For fuess.nl and box.fuess.nl it’s ok.


Rebooting the VPS fixed it! Of course this shouldn’t be necessary, so I would still like to help debug this issue, so future users won’t run into it. Let me know if I can do something…

All right. Thanks for sticking through it. Let’s keep an eye on the issue.

I’ve just tested this locally, nsd is guaranteed broken with duplicate ip-address entries.

With the recent change to determining the nsd ips this shouldn’t happen anymore though.
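The thread ends up pointing at two separate things worth checking before rebooting: repeated ip-address lines in nsd.conf (confirmed above as breaking nsd) and bind9 and nsd both trying to own port 53 on the same address (the earlier suspicion). The script below is an added example, not Mail-in-a-Box code: it lints an nsd.conf fragment for duplicate ip-address entries, strips them, and reports any address that both daemons would try to bind. The two config fragments are constructed to mirror the ones posted in the thread; the function names are the example's own, and it only looks at listen-on / ip-address lines, not at anything else either daemon reads.

```shell
#!/bin/sh
# Added example (not Mail-in-a-Box code). Checks the two failure modes
# discussed in the thread: duplicate ip-address lines in nsd.conf and an
# overlap between nsd's ip-address list and bind9's listen-on addresses.

# Constructed sample mirroring the nsd.conf fragment posted in the thread.
NSD_CONF='zonesdir: "/etc/nsd/zones"
ip-address: 149.210.177.248
ip-address: 149.210.178.61
ip-address: 149.210.178.61'

# Constructed sample mirroring the relevant lines of named.conf.options.
BIND_OPTIONS='options {
    listen-on-v6 { any; };
    listen-on { 127.0.0.1; };
};'

# Print every ip-address value that occurs more than once, one per line.
nsd_duplicate_ips() {
    printf '%s\n' "$1" | awk '$1 == "ip-address:" { n[$2]++ }
        END { for (ip in n) if (n[ip] > 1) print ip }' | sort
}

# Emit the config with repeated ip-address lines dropped (first one kept).
nsd_dedupe() {
    printf '%s\n' "$1" | awk '$1 == "ip-address:" { if (seen[$2]++) next } { print }'
}

# Extract the IPv4 entries of bind's listen-on block (listen-on-v6 ignored).
bind_listen_ips() {
    printf '%s\n' "$1" | awk '/listen-on[[:space:]]*\{/ && !/listen-on-v6/ {
        gsub(/.*\{|\}.*/, ""); gsub(/;/, " ");
        for (i = 1; i <= NF; i++) print $i }'
}

# Print the addresses on which both nsd and bind9 would try to bind :53.
# A listen-on of "any" means bind9 takes 0.0.0.0:53, which collides with
# every address nsd is configured for.
port53_conflicts() {
    nsd=$(printf '%s\n' "$1" | awk '$1 == "ip-address:" { print $2 }' | sort -u)
    bind=$(bind_listen_ips "$2" | sort -u)
    for ip in $bind; do
        if [ "$ip" = "any" ]; then printf '%s\n' $nsd; return 0; fi
        for n in $nsd; do
            if [ "$ip" = "$n" ]; then printf '%s\n' "$ip"; fi
        done
    done
    return 0
}

# Run the checks against the constructed samples when executed directly.
echo "duplicate nsd ip-address entries:"; nsd_duplicate_ips "$NSD_CONF"
echo "addresses claimed by both daemons:"; port53_conflicts "$NSD_CONF" "$BIND_OPTIONS"
```

On the posted configs the duplicate check flags 149.210.178.61 and the conflict check prints nothing, which matches the thread's conclusion: bind9 on 127.0.0.1 and nsd on the public addresses do not collide, so the "Address already in use" came from nsd's own duplicated ip-address line. Point the functions at the real files (for example `port53_conflicts "$(cat /etc/nsd/nsd.conf)" "$(cat /etc/bind/named.conf.options)"`) to run them against a live box.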

Good to know. Thanks for looking into that.