If the primary DNS server signs a zone with DNSSEC, the secondary must serve the same signed data. Validating resolvers pick any of the zone's authoritative servers, so a secondary that answers with an unsigned or stale copy causes validation failures for the clients that happen to ask it. DNSSEC protects the authenticity and integrity of DNS data, and that protection only holds if every authoritative server returns the signed zone.
With BIND, a secondary does not need its own keys and does not sign anything when the primary is the signer: it receives the already-signed zone (DNSKEY, RRSIG and NSEC/NSEC3 records included) by zone transfer (AXFR/IXFR) and serves it unchanged. To set this up:
Install the BIND utilities (if not already installed): dnssec-keygen, dnssec-verify, named-checkconf and named-checkzone ship with BIND itself, not with the separate "dnssec-tools" package. On current Ubuntu and Debian they are in bind9-utils (bind9utils on older releases), and dig and delv, used for verification below, are in bind9-dnsutils (older: dnsutils):
sudo apt-get install bind9 bind9-utils bind9-dnsutils
Generate DNSSEC keys on the signing server only: keys belong on whichever server signs the zone, normally the primary. Copying private keys to a secondary gains nothing and widens the set of hosts whose compromise lets an attacker forge the zone. If the primary is not signed yet, generate its keys there with dnssec-keygen, one key-signing key (-f KSK) and one zone-signing key:
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK ashiane.house
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE ashiane.house
Each command produces a key pair for the "ashiane.house" zone, named after the zone, the algorithm number (008 for RSASHA256) and the key tag: a public key Kashiane.house.+008+<keytag>.key and a private key Kashiane.house.+008+<keytag>.private. ECDSAP256SHA256 (algorithm 13) gives smaller keys and responses than 2048-bit RSA and is the usual choice for new zones. The DS record derived from the KSK (dnssec-dsfromkey) has to be published at the parent zone, otherwise resolvers cannot build a chain of trust to either server.
Configure the zone on the secondary: the zone statement for "ashiane.house" only has to name the primary; no keys, key-directory, auto-dnssec or inline-signing is needed, and auto-dnssec is deprecated in current BIND releases in favour of dnssec-policy anyway. On the primary, restrict allow-transfer to the secondary's address (ideally with a TSIG key) so that the signed zone, and nothing else, is handed out:
zone "ashiane.house" IN {
type secondary;
file "/var/cache/bind/forward.ashiane.house.db";
primaries { 176.9.167.206; };
};
Older BIND releases spell these "type slave" and "masters"; both forms are still accepted.
A secondary configured with key-directory, auto-dnssec maintain and inline-signing yes is a different setup, the "bump in the wire" signer: it transfers an unsigned zone from the primary and signs it itself. Use that only when the primary deliberately serves unsigned data and this secondary is the designated signer. In that case the keys live here (in the directory given by key-directory, for example /etc/bind/keys), the DS at the parent must be derived from this server's KSK, and every other public server must transfer the signed zone from this signer rather than from the unsigned primary.
Reload BIND: after editing the configuration, check its syntax and reload the service to apply the changes (on recent Debian and Ubuntu the unit is named.service, and bind9 is an alias for it):
sudo named-checkconf
sudo systemctl reload bind9
Verify DNSSEC Configuration: query both servers directly with +dnssec and compare. The secondary must return the same SOA serial as the primary, its answers must carry RRSIG records, and its DNSKEY RRset must match the primary's:
dig @176.9.167.206 ashiane.house SOA +dnssec +norecurse
dig @<secondary-address> ashiane.house SOA +dnssec +norecurse
dig @<secondary-address> ashiane.house DNSKEY +dnssec +norecurse
If the secondary answers without RRSIGs or with an older serial, the signed zone was not transferred: check allow-transfer on the primary, the transfer and notify messages in named's log, and that the primary's serial was bumped after signing. On the signing server, dnssec-verify checks the signatures in a signed zone file (dnssec-verify -o ashiane.house <signed zone file>); once the DS record is published at the parent, delv ashiane.house SOA +rtrace, run through a validating resolver, checks the whole chain of trust and reports "fully validated".
By following these steps the secondary serves the DNSSEC-signed "ashiane.house" zone exactly as the primary does. Repeat the checks for every other signed zone on the primary, so that a validating resolver gets a valid chain of trust whichever of the two servers it asks.
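The comparison in the verification step can be scripted. The following shell script is an added example, not code from the original page or from BIND/ISC: it takes the answer sections of dig @server ashiane.house SOA +dnssec queries against the primary and the secondary, extracts the SOA serial, and requires an RRSIG over the SOA from both before declaring the secondary in sync. The secondary address 192.0.2.53 and the two dig answer blocks are constructed placeholders so that the script runs offline; for live servers, feed it the output of fetch_soa instead.

```shell
#!/bin/sh
# Added example (not part of the original page or of BIND/ISC).
# Checks that a secondary serves the same DNSSEC-signed zone as the primary:
# the SOA serials must match and both answers must carry an RRSIG over the
# SOA record. Everything except 176.9.167.206 is assumed/constructed here.

ZONE="ashiane.house"
PRIMARY="176.9.167.206"   # primary from the zone statement above
SECONDARY="192.0.2.53"    # assumed address (RFC 5737 documentation range)

# Constructed sample of: dig @"$server" "$ZONE" SOA +dnssec +noall +answer
# Fields in a dig answer line: owner TTL class type rdata...
# For SOA the rdata is: mname rname serial refresh retry expire minimum.
primary_answer='ashiane.house. 3600 IN SOA ns1.ashiane.house. hostmaster.ashiane.house. 2024010105 7200 3600 1209600 3600
ashiane.house. 3600 IN RRSIG SOA 8 2 3600 20240201000000 20240101000000 12345 ashiane.house. c2lnbmF0dXJl'

# Healthy secondary: the same serial and the same signature, as transferred
# by AXFR/IXFR from the primary.
secondary_answer="$primary_answer"

# Broken secondary (constructed): an older serial and no RRSIG, which is what
# a secondary returns when it still holds an unsigned copy of the zone.
secondary_stale='ashiane.house. 3600 IN SOA ns1.ashiane.house. hostmaster.ashiane.house. 2023120101 7200 3600 1209600 3600'

# Live lookup against a real server; not called by the offline checks below.
fetch_soa() {
    dig @"$1" "$ZONE" SOA +dnssec +noall +answer +norecurse
}

# Print the SOA serial (7th field of the SOA line) from a dig answer block.
soa_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# Succeed (exit 0) if the answer block contains an RRSIG covering the SOA.
has_soa_rrsig() {
    printf '%s\n' "$1" | awk '$4 == "RRSIG" && $5 == "SOA" { found = 1 } END { exit !found }'
}

# Compare the primary's answer ($1) with the secondary's ($2).
# Exit status 0 means the secondary serves the signed zone at the current serial.
check_secondary() {
    p_serial=$(soa_serial "$1")
    s_serial=$(soa_serial "$2")
    status=0
    if ! has_soa_rrsig "$1"; then
        echo "primary: no RRSIG over SOA, the zone is not signed at the source"
        status=1
    fi
    if ! has_soa_rrsig "$2"; then
        echo "secondary: no RRSIG over SOA, the signed zone was not transferred"
        status=1
    fi
    if [ "$p_serial" != "$s_serial" ]; then
        echo "serial mismatch: primary $p_serial, secondary $s_serial"
        status=1
    fi
    return "$status"
}

# Offline demonstration on the constructed answers. For live servers use:
#   check_secondary "$(fetch_soa "$PRIMARY")" "$(fetch_soa "$SECONDARY")"
if check_secondary "$primary_answer" "$secondary_answer"; then
    echo "$ZONE: secondary is in sync and serving the signed zone"
fi
check_secondary "$primary_answer" "$secondary_stale" || echo "$ZONE: secondary needs attention"
```

The serial comparison matters as much as the RRSIG check: after re-signing, the primary increments the serial, and a secondary that has not transferred yet will still present signatures, just expired or soon-to-expire ones, so a matching serial is the cheapest proof that the current signed copy made it across.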
Diagnosis
Can you try to reset the failed counter with the following command:
After that you may try to stop the service:
After that check if all services are stopped and no process is running:
If everything is stopped and not running try to start bind9:
If this still fails check if there are any more errors during startup:
We can also check the server and help you if you provide us the login credentials.
NOTE: instead of bind9 please try again with the service name named. bind9 seems to be the alias for named.