Recent Problem with BIND 9 under Windows XP

Vincent Poy vincepoy at gmail.com
Thu Jun 28 14:44:49 UTC 2007


On 6/28/07, Danny Mayer <mayer at ntp.isc.org> wrote:
> Vincent Poy wrote:
> > Greetings everyone:
> >
> > I'm having a problem with starting the ISC BIND service under Windows
> > XP SP2 with all the latest MS patches.  I had been running BIND 9 for
> > quite some time and every version of BIND9 including beta's, release
> > candidates and release versions including 9.4.1 have run fine until
> > recently which I am not sure when since I don't usually monitor if
> > BIND was started except after each installation and reboot.  And the
> > config file has not been modified.  BIND is owned by the named account
> > and is installed in C:\Windows\System32\dns with that directory and
> > all directory under it having the named account with full permission
> > to read/write.  My system acts as a secondary DNS with named.conf
> > located in C:\WINDOWS\SYSTEM32\dns\etc.  When the system tries to
> > start ISC BIND service, it shows in the event manager under System as
> > Error 2 events:
> >
> > Timeout (30000 milliseconds) waiting for the ISC BIND service to connect.
> >
> > followed by:
> >
> > The ISC BIND service failed to start due to the following error:
> > The service did not respond to the start or control request in a
> > timely fashion.
> >
>
> This indicates that named did not register itself when the service
> started. It needs to do that within the timeout period. I have only seen
> this happen when there are commandline arguments that keep it in the
> foreground yet it's still being run as a service. The only options are
> -f and -g that would cause it to do that and those shouldn't normally be
> used when running it as a service. Did you start the service manually
> via the MSC? What does the following key look like?

In the MSC, it's started as c:\windows\system32\dns\bin\named.exe with
no options.  I tried adding the -f and -g options but the results were
the same.  And like I mentioned previously, the service fails even
when manually started since it gives that pop-up window but the
service starts fine when it's run as Local System instead of the named
user.  named.exe runs fine as the named user from the command line and
from the vince user, which is an administrator account.

> KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\named\ImagePath

C:\WINDOWS\system32\dns\bin\named.exe

> What permissions does the named account have to access the named.conf
> file and the associated files? Make sure that you don't have a pid file
> in the directory. In fact you don't need a pid file so set the option to
> none:
>
> pid-file none;

The named account has full access to c:\windows\system32\dns except I
noticed that all directories from c:\windows\system32\dns and under
when you click on properties has read-only while the files do not have
that.  Here are the permissions of the c:\windows\system32\dns and all
directories under it which are etc and bin:

C:\Documents and Settings\vince>cacls c:\windows\system32\dns
c:\windows\system32\dns SOLAR\named:(OI)(CI)F
                        NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                    READ_CONTROL
                                                    SYNCHRONIZE
                                                    FILE_GENERIC_READ
                                                    FILE_GENERIC_WRITE
                                                    FILE_READ_DATA
                                                    FILE_WRITE_DATA
                                                    FILE_APPEND_DATA
                                                    FILE_READ_EA
                                                    FILE_WRITE_EA
                                                    FILE_READ_ATTRIBUTES
                                                    FILE_WRITE_ATTRIBUTES

                        Everyone:(OI)(CI)F
                        NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                    DELETE
                                                    FILE_DELETE_CHILD



C:\Documents and Settings\vince>cacls c:\windows\system32\dns\bin
c:\windows\system32\dns\bin SOLAR\named:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        READ_CONTROL
                                                        SYNCHRONIZE
                                                        FILE_GENERIC_READ
                                                        FILE_GENERIC_WRITE
                                                        FILE_READ_DATA
                                                        FILE_WRITE_DATA
                                                        FILE_APPEND_DATA
                                                        FILE_READ_EA
                                                        FILE_WRITE_EA
                                                        FILE_READ_ATTRIBUTES
                                                        FILE_WRITE_ATTRIBUTES

                            Everyone:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        DELETE
                                                        FILE_DELETE_CHILD



C:\Documents and Settings\vince>cacls c:\windows\system32\dns\etc
c:\windows\system32\dns\etc SOLAR\named:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        READ_CONTROL
                                                        SYNCHRONIZE
                                                        FILE_GENERIC_READ
                                                        FILE_GENERIC_WRITE
                                                        FILE_READ_DATA
                                                        FILE_WRITE_DATA
                                                        FILE_APPEND_DATA
                                                        FILE_READ_EA
                                                        FILE_WRITE_EA
                                                        FILE_READ_ATTRIBUTES
                                                        FILE_WRITE_ATTRIBUTES

                            Everyone:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        DELETE
                                                        FILE_DELETE_CHILD

As for the pid-file, I always had that option even when I installed
BIND back in 2004 on this system and it never seemed to cause any
problems.

Cheers,
Vince

> > If I try to start the ISC BIND service manually, I will get a pop-up
> > window after 5-10 seconds that says the following, and the same two
> > events are in the event manager under System as an Error:
> >
> > Could not start ISC BIND service on Local Computer.
> >
> > Error 1053: The service did not respond to the start or control
> > request in a timely fashion
> >
> > If I start named with the -g option in the Command Prompt, this is what happens:
> >
> > C:\Documents and Settings\vince>c:\windows\system32\dns\bin\named -g
> > 27-Jun-2007 9:51:32.755 starting BIND 9.4.1 -g
> > 27-Jun-2007 9:51:32.755 found 2 CPUs, using 2 worker threads
> > 27-Jun-2007 9:51:32.770 loading configuration from 'C:\WINDOWS\system32\dns\etc\
> > named.conf'
> > 27-Jun-2007 9:51:32.770 listening on IPv4 interface TCP/IP Interface 1, 192.168.
> > 0.120#53
> > 27-Jun-2007 9:51:32.786 listening on IPv4 interface Loopback Interface 2, 127.0.
> > 0.1#53
> > 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 3, 192.168.
> > 106.1#53
> > 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 4, 192.168.
> > 220.1#53
> > 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 5, 208.201.
> > 244.225#53
> > 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 6, 192.168.
> > 1.120#53
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 127.IN-ADDR.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 254.169.IN-ADDR.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 2.0.192.IN-ADDR.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
> > 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
> > 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: D.F.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 8.E.F.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: 9.E.F.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: A.E.F.IP6.ARPA
> > 27-Jun-2007 9:51:32.817 automatic empty zone: B.E.F.IP6.ARPA
> > 27-Jun-2007 9:51:32.833 command channel listening on 127.0.0.1#953
> > 27-Jun-2007 9:51:32.833 ignoring config file logging statement due to -g option
> > 27-Jun-2007 9:51:32.848 zone 0.0.127.in-addr.arpa/IN: loaded serial 20041019
> > 27-Jun-2007 9:51:32.848 zone 0.168.192.in-addr.arpa/IN: loaded serial 2003101801
> >
> > 27-Jun-2007 9:51:32.848 zone 1.168.192.in-addr.arpa/IN: loaded serial 2004102701
> >
> > 27-Jun-2007 9:51:32.848 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
> > .0.0.0.0.0.IP6.INT/IN: loaded serial 20041019
> > 27-Jun-2007 9:51:32.848 zone DNALOGIC.NET/IN: loaded serial 2003101805
> > 27-Jun-2007 9:51:32.864 zone 0.168.192.in-addr.arpa/IN: sending notifies (serial
> >  2003101801)
> > 27-Jun-2007 9:51:32.864 running
> > 27-Jun-2007 9:51:32.864 zone 1.168.192.in-addr.arpa/IN: sending notifies (serial
> >  2004102701)
> > 27-Jun-2007 9:51:32.864 zone DNALOGIC.NET/IN: sending notifies (serial 200310180
> > 5)
> > 27-Jun-2007 10:13:45.848 zone 1.168.192.in-addr.arpa/IN: refresh: could not set
> > file modification time of 'slave/db.192.168.1': permission denied
> >
> > So it appears to run correctly from the command prompt.
> >
> > My named.conf consists of the following as I am using the standard
> > named.conf format from my primary FreeBSD server and just modifying it
> > for the Windows port.
> >
> > // $FreeBSD: src/etc/namedb/named.conf,v 1.20 2004/11/04 05:24:29 gshapiro Exp $
> > //
> > // Refer to the named.conf(5) and named(8) man pages, and the documentation
> > // in /usr/share/doc/bind9 for more details.
> > //
> > // If you are going to set up an authoritative server, make sure you
> > // understand the hairy details of how DNS works.  Even with
> > // simple mistakes, you can break connectivity for affected parties,
> > // or cause huge amounts of useless Internet traffic.
> >
> > options {
> >        directory       "c:\windows\system32\dns\etc";
> >        pid-file        "c:\windows\system32\dns\etc\named.pid";
> >        dump-file       "c:\windows\system32\dns\etc\named_dump.db";
> >        statistics-file "c:\windows\system32\dns\etc\named.stats";
> >
> > // If named is being used only as a local resolver, this is a safe default.
> > // For named to be accessible to the network, comment this option, specify
> > // the proper IP address, or delete this option.
> > //      listen-on       { 127.0.0.1; };
> >
> > // If you have IPv6 enabled on this system, uncomment this option for
> > // use as a local resolver.  To give access to the network, specify
> > // an IPv6 address, or the keyword "any".
> > //      listen-on-v6    { ::1; };
> >
> > // In addition to the "forwarders" clause, you can force your name
> > // server to never initiate queries of its own, but always ask its
> > // forwarders only, by enabling the following line:
> > //
> > //      forward only;
> >
> > // If you've got a DNS server around at your upstream provider, enter
> > // its IP address here, and enable the line below.  This will make you
> > // benefit from its cache, thus reduce overall DNS traffic in the Internet.
> > /*
> >        forwarders {
> >                127.0.0.1;
> >        };
> > */
> >        forwarders {
> >                208.201.224.11;
> >                208.204.224.33;
> >        };
> >        /*
> >         * If there is a firewall between you and nameservers you want
> >         * to talk to, you might need to uncomment the query-source
> >         * directive below.  Previous versions of BIND always asked
> >         * questions using port 53, but BIND versions 8 and later
> >         * use a pseudo-random unprivileged UDP port by default.
> >         */
> >        // query-source address * port 53;
> > };
> >
> > // If you enable a local name server, don't forget to enter 127.0.0.1
> > // first in your /etc/resolv.conf so this server will be queried.
> > // Also, make sure to enable it in /etc/rc.conf.
> >
> > zone "." {
> >        type hint;
> >        file "named.root";
> > };
> > /*
> > zone "0.0.127.IN-ADDR.ARPA" {
> >        type master;
> >        file "master/localhost.rev";
> > };
> >
> > // RFC 3152
> > zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
> > {
> >        type master;
> >        file "master/localhost-v6.rev";
> > };
> >
> > // RFC 1886 -- deprecated
> > zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
> >        type master;
> >        file "master/localhost-v6.rev";
> > };
> > */
> > // NB: Do not use the IP addresses below, they are faked, and only
> > // serve demonstration/documentation purposes!
> > //
> > // Example slave zone config entries.  It can be convenient to become
> > // a slave at least for the zone your own domain is in.  Ask
> > // your network administrator for the IP address of the responsible
> > // primary.
> > //
> > // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
> > // (This is named after the first bytes of the IP address, in reverse
> > // order, with ".IN-ADDR.ARPA" appended.)
> > //
> > // Before starting to set up a primary zone, make sure you fully
> > // understand how DNS and BIND works.  There are sometimes
> > // non-obvious pitfalls.  Setting up a slave zone is simpler.
> > //
> > // NB: Don't blindly enable the examples below. :-)  Use actual names
> > // and addresses instead.
> >
> > /*
> > zone "example.com" {
> >        type slave;
> >        file "slave/example.com";
> >        masters {
> >                192.168.1.1;
> >        };
> > };
> >
> > // An example dynamic zone
> > key "exampleorgkey" {
> >        algorithm hmac-md5;
> >        secret "sf87HJqjkqh8ac87a02lla==";
> > };
> >
> > zone "example.org" {
> >        type master;
> >        allow-update {
> >                key "exampleorgkey";
> >        };
> >        file "dynamic/example.org";
> > };
> >
> > zone "0.168.192.in-addr.arpa" {
> >        type slave;
> >        file "slave/0.168.192.in-addr.arpa";
> >        masters {
> >                192.168.1.1;
> >        };
> > };
> > */
> >
> > zone "0.0.127.in-addr.arpa" {
> >        type master;
> >        file "master/db.127.0.0";
> > };
> >
> > zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
> >        type master;
> >        file "master/db.127.0.0-v6";
> > };
> >
> > zone "0.168.192.in-addr.arpa" {
> >        type slave;
> >        file "slave/db.192.168.0";
> >        masters {
> >                208.201.244.224;
> >        };
> > };
> >
> > zone "1.168.192.in-addr.arpa" {
> >        type slave;
> >        file "slave/db.192.168.1";
> >        masters {
> >                208.201.244.224;
> >        };
> > };
> >
> > zone "DNALOGIC.NET" {
> >        type slave;
> >        file "slave/db.DNALOGIC.NET";
> >        masters {
> >                208.201.244.224;
> >        };
> > };
> >
> > /*
> > zone "ULTIMATESOUND.NET" {
> >        type slave;
> >        file "slave/db.ULTIMATESOUND.NET";
> >        masters {
> >                66.193.144.6;
> >        };
> > };
> > */
> >
> > /*
> > zone "NOLS.COM" {
> >        type slave;
> >        file "slave/db.NOLS.COM";
> >        masters {
> >                208.179.75.219;
> >        };
> > };
> > */
> >
> > Does anyone know how I can find out what is causing ISC BIND service
> > not to start when it worked correctly in the past?  I have uninstalled
> > and reinstalled 9.4.1 and the results are the same.  I don't have
> > another machine to test as this is a home network.
> >
> > Thank you for any help in advance!
> >
> > Cheers,
> > Vince

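An added diagnostic (example code written for this edit, not from the thread or from BIND itself): it parses a named.conf, resolves every file against the `directory` option and says whether the service account (SOLAR\named here) must be able to read or write it, so each path can be checked with cacls the way the thread does. The embedded config is a constructed excerpt of the posted one; the slave zone file that the -g log complains about comes out as needing write access.

```python
import ntpath  # Windows path rules even when this runs elsewhere
import re

SAMPLE_CONF = r'''
// constructed excerpt of the named.conf posted in the thread, not the full file
options {
    directory  "c:\windows\system32\dns\etc";
    pid-file   "c:\windows\system32\dns\etc\named.pid";
    dump-file  "c:\windows\system32\dns\etc\named_dump.db";
};
zone "." { type hint; file "named.root"; };
zone "1.168.192.in-addr.arpa" {
    type slave; file "slave/db.192.168.1";  /* a transfer rewrites this file */
    masters { 208.201.244.224; };           // nested block: must stay inside
};
'''
OPT_RE = re.compile(r'\b(directory|pid-file|dump-file|statistics-file)\s+("[^"]*"|none)\s*;')

def top_level_blocks(text):
    """Yield (header, body) per top-level `header { ... };`, counting braces."""
    i = 0
    while (j := text.find('{', i)) >= 0:
        depth, k = 1, j + 1
        while k < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[k], 0)
            k += 1
        yield text[i:j].strip(' \t\r\n;'), text[j + 1:k - 1]
        i = k

def required_access(conf):
    """Return (absolute path, 'read'|'write', reason) for every file named opens."""
    text = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)      # drop block comments
    text = re.sub(r'(//|#)[^\n]*', '', text)                # drop line comments
    directory, found = '', []
    for header, body in top_level_blocks(text):
        parts = header.split()
        if parts[:1] == ['options']:
            for key, val in OPT_RE.findall(body):
                val = val.strip('"')
                if key == 'directory':
                    directory = val
                elif val.lower() != 'none':       # `pid-file none;` means no file
                    found.append((val, 'write', key))
        elif parts[:1] == ['zone']:
            ztype = re.search(r'\btype\s+(\w+)', body)
            zfile = re.search(r'\bfile\s+"([^"]*)"', body)
            if ztype and zfile:  # slaves rewrite their file; masters only if updatable
                writes = ztype[1] == 'slave' or 'allow-update' in body
                found.append((zfile[1], 'write' if writes else 'read',
                              f'{ztype[1]} zone {parts[1]}'))
    # relative zone files live under `directory`
    return [(ntpath.normpath(ntpath.join(directory, p)), a, why) for p, a, why in found]
```

Run it against the real file and compare every 'write' entry with the cacls output for that path and its parent directory; a slave file the account cannot write is exactly what the "could not set file modification time" line in the -g log reports.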


More information about the bind-users mailing list