remote rndc broken somehow...

Vinny Abello vinny at tellurian.com
Thu Jun 16 17:23:14 UTC 2005 

Hi all,

I have a weird problem that makes no sense from a troubleshooting perspective.

On BIND 9.3.1 on Windows Server 2003 and Windows XP as the client 
running rndc: One of my team members here that admins our name 
servers all of a sudden cannot use rndc from her workstation to 
remotely admin two of three of our name servers. As far as we can 
tell, nothing changed that should affect that. The only recent change 
we made was limiting recursion, but that should have no effect as 
inet control channel is allowing her IP address since it is in the 
same /24 that all of our other working machines are in.

When talking to server 1 and 3 issuing any rndc command, it complains 
that the connection was refused and the protocol on the server might 
be old or the key incorrect. I know the key is correct because it 
works on name server 2 which has the same key in the config file. 
I've even copied the rndc.conf file from my own working machine to 
hers and updated all the binary files and dll's for rndc on her 
machine and still she can only talk to ns2. Everyone else as far as I 
know has no problems with all three servers including myself.

In the logs I see this:

16-Jun-2005 12:43:49.020 general: invalid command from 
www.xxx.yyy.zzz#1128: expired

(IP is masked)

So the server is seeing an invalid command coming from the machine 
running rndc... I thought because the key was invalid, but as I said, 
it works on one server that has the same key and I've copied the 
rndc.conf containing the key to her machine and verified it's 
actually using that copy with no difference in results.

What does "expired" mean at the end of the log entry? That might give 
me some clue.

I'm kind of stumped. Any thoughts or suggestions would be appreciated.


Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of 
fear" -- Mark Twain

More information about the bind-users mailing list