by chance, what change did you do to the named.conf to sort out the port problem?

I had exactly the same problem, and I've been battling it for days, until I eventually hit on the solution...

I tried everything: I checked all over the Internet, and found many people with the same problem, but few seem to have solved it, and when they do, they don't bother posting the solution!

I found several references to checking the named.conf and rndc.conf files, to make sure they refer to the same key, port and localhost.

I found several other references to checking that named really is listening on port 953.

But I found no references to what is ACTUALLY the problem in many cases: Even though the rndc.key matches in named.conf and rndc.conf, and named really is listening on port 953, none of that helps if iptables is blocking the communications!

In my case, the solution was simple (after beating my head against the wall for three days...)

Just tell iptables to allow your system to talk to itself on port 953!

Like this:

# iptables -I RH-Lokkit-0-50-INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT --dport 953

(In my case, I'm using a firewall configuration that sets up the table "RH-Lokkit-0-50-INPUT": it might be different in your case!!! )

The IP address “127.0.0.1” is, of course, the loopback address for the system itself, and usually has the name “localhost”.

Yeah, it seems rather stupid that you have to specifically allow localhost LOOPBACK address to talk to itself on port 953, but that's exactly what the problem was!

If you want to make this permanent, then find out from where iptables loads its default set of rules at boot time, and insert the following line in your iptables file:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 127.0.0.1 -d 127.0.0.1 --dport 953 -j ACCEPT

This should probably go in probably from /etc/sysconfig/iptables, but if you are not sure then you can look in the init script that launches iptables, like this:

# more /etc/init.d/iptables

Look for a line that says something like "IPTABLES_CONFIG=/etc/sysconfig/iptables". That will tell you where it loads the default configuration from. That's the file you need to edit, and insert the line above at the appropriate point (before the first “REJECT” rule.

I sure hope this helps someone! I know I would have LOVED to have this info three days ago...

Still having problems after making sure your rndc and named keys match? Here is what I did to solve the problem on my server.

1) Create /etc/rndc.key (use a key generator listed in the other posts to get your secret key)

key "rndckey" {
algorithm hmac-md5 ;
secret "MySecretKey";
};

2) Create /etc/rndc.conf (note the include of rndc.key, this ensures the named and rndc apps both have identical keys)

# Start of rndc.conf
options {
default-server localhost;
default-key "rndckey";
};

server localhost {
key "rndckey";
};

include "/etc/rndc.key";

3) Edit /etc/named.conf and change or add these sections:

options {
directory "/etc/named";
pid-file "/var/run/named.pid";
};

zone "localhost" {
allow-update { none; }; type master; file "localhost.zone"; };

.... blah,blah,blah.... more zones here....

include "/etc/rndc.key";

controls {
inet * allow { any; } keys { rndckey; };
};


4) Create /etc/named/localhost.zone

$TTL 86400
@ IN SOA @ root (
43 ; serial
10800 ; refresh
900 ; retry
604800 ; expire
86400 ; ttl
)



IN NS @
IN A 127.0.0.1
IN AAAA ::1


The winning combo was to use the include in both named.conf and rndc.conf so they key matches - AND - make sure a localhost zone file exists on the system. For some reason Bind9 was having issue with a hard-coded 127.0.0.1 in these files.


HTH,
Lance
Sr. Computer Geek
CharlestonSW.com