I added some extra DNS configuration parameters in my pri.site.tld file at the end of the file, below where it says:

Code:
;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

Restarting Bind first gave me problems, because it needs a separate blank line at the end (there are multiple in the default: OK). Then after making another change with ISPConfig in this domain, it removes the blank lines at the end (below my custom entries). As a result, this domain gives an error like:

Code:
Jan 26 11:47:37 xxxxxx01 named[29638]: dns_master_load: pri.obfuscated.tld:43: isc_lex_gettoken() failed: unexpected end of input
Jan 26 11:47:37 xxxxxx01 named[29638]: dns_master_load: pri.obfuscated.tld:43: unexpected end of input
Jan 26 11:47:37 xxxxxx01 named[29638]: zone obfuscated.tld/IN: loading master file pri.obfuscated.tld: unexpected end of input

Of course the changes are not committed to the upstream DNS servers. I tried to add another MAKE MANUAL ... line below my custom entries (+ empty lines), but that failed also. After completely removing the custom entries, ISPConfig was able to generate a valid pri.domain.tld file again and the restart of Bind went OK.

Sorry, but I don't have time at the moment to fix this myself or do more investigations, but thought I'd bring this to the dev forum anyway, maybe someone stumbles over the same issue (and maybe even someone has the time to look into this
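The failure described in the post above (the regenerated zone file ending without a newline after the manual entries, and named then stopping with "unexpected end of input") can be guarded against before named is restarted. The following is an added example, not code from the post or from ISPConfig: it appends the missing terminator, lists the records that survive below the MAKE MANUAL ENTRIES marker so an operator can confirm the custom entries are still there, and, when BIND's tools are installed, asks named-checkzone whether the zone would load. The zone name, file path and the sample zone content are constructed for the example.

```python
"""Pre-restart guard for a zone file regenerated by ISPConfig.

Added example, not code from the post or from ISPConfig.  The post reports
that after a regeneration the blank lines below the manual entries are gone
and named refuses the zone with "unexpected end of input": BIND's master-file
lexer wants the final record newline-terminated.  Paths, zone name and the
sample zone below are constructed.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

MARKER = ";;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;"


def needs_newline(data: bytes) -> bool:
    """True when the file is non-empty and its last record has no newline."""
    return len(data) > 0 and not data.endswith(b"\n")


def ensure_trailing_newline(path: Path) -> bool:
    """Append exactly one newline if it is missing; True if the file changed."""
    if not needs_newline(path.read_bytes()):
        return False
    with path.open("ab") as fh:
        fh.write(b"\n")
    return True


def manual_entries(data: bytes) -> List[str]:
    """Non-blank lines below the marker: the part ISPConfig should preserve."""
    text = data.decode()
    if MARKER not in text:
        return []
    return [line for line in text.split(MARKER, 1)[1].splitlines() if line.strip()]


def zone_loads(zone: str, path: Path) -> Optional[bool]:
    """Run named-checkzone if installed; None means the tool is not available."""
    tool = shutil.which("named-checkzone")
    if tool is None:
        return None
    return subprocess.run([tool, "-q", zone, str(path)], check=False).returncode == 0


def check_zone(zone: str, path: Path) -> dict:
    """Fix the terminator, then report what a restart would find."""
    changed = ensure_trailing_newline(path)
    data = path.read_bytes()
    return {
        "appended_newline": changed,
        "manual_entries": manual_entries(data),
        "named_checkzone": zone_loads(zone, path),  # None when the tool is absent
    }


# Constructed sample: the zone as the post describes it after an ISPConfig
# rewrite, with the last manual record left without a trailing newline.
SAMPLE_ZONE = (
    "$TTL 86400\n"
    "@\tIN\tSOA\tns1.example.net. hostmaster.example.net. (\n"
    "\t\t2007012601 28800 7200 604800 86400 )\n"
    "@\tIN\tNS\tns1.example.net.\n"
    "ns1\tIN\tA\t192.0.2.1\n"
    f"{MARKER}\n"
    "www\tIN\tA\t192.0.2.10"  # no newline on purpose
)


def demo() -> dict:
    """Write the sample zone to a temp dir, run the guard, report before/after."""
    with tempfile.TemporaryDirectory() as tmp:
        zone_file = Path(tmp) / "pri.example.net"
        zone_file.write_text(SAMPLE_ZONE)
        result = {"needed_newline_before": needs_newline(zone_file.read_bytes())}
        result.update(check_zone("example.net", zone_file))
        result["needs_newline_after"] = needs_newline(zone_file.read_bytes())
        return result


if __name__ == "__main__":
    print(demo())
```

Hooked in before the service restart, a non-True result from named-checkzone (or a missing manual entry) is the signal to leave the running named alone rather than reload a zone that will not parse.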
I just found another "issue", which I modified on my systems. The named.conf template does not contain an include directive for the named.conf.options file, so I modified /root/ispconfig/isp/conf/named.conf.master as below:

Code:
options {
        pid-file "/var/run/bind/run/named.pid";
        directory "{BINDDIR}";
        auth-nxdomain no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        include "/etc/bind/named.conf.options";
};

//
// a caching only nameserver config
//
zone "." {
        type hint;
...... <rest of unchanged file>

I also modified the bind.conf.options file to read:

Code:
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
//      0.0.0.0;  // I have put here the IP's of my upstream ISP dns servers,
// };

forwarders {
        nn.nn.nn.nn;
        nn.nn.nn.nn;
};

// auth-nxdomain no;    # conform to RFC1035

// By default, name servers should only perform recursive domain
// lookups for their direct clients. If recursion is left open
// to the entire Internet, your name server could be used to
// perform distributed denial of service attacks against other
// innocent computers.
// For more information on DDoS recursion:
// http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0987

allow-recursion { localnets; };

// If you have DNS clients on other subnets outside of your
// server's "localnets", you can explicitly add their networks
// without opening up your server to the Internet at large:
// allow-recursion { localnets; 192.168.0.0/24; };

// If your name server is only listening on 127.0.0.1, consider:
// allow-recursion { 127.0.0.1; };

I had to strip a bit here, because by default the bind.conf.options file starts with

Code:
options {

at the beginning, but that failed of course. You cannot have the options directive twice. I realize these modifications are Linux-distribution-specific and I didn't investigate a more generic solution. Sorry, but this works short term for me and maybe this post helps others somewhere sometime. The way I've done it now, my master domain passes all dnsstuff.com tests
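The post above stitches named.conf together by placing the include inside the options block, which is why the options file had to lose its own "options {" header, and it restricts recursion to localnets so the server is not usable as an open resolver for the reflected DDoS the CVE-2006-0987 comment refers to. The following is an added example, not code from the post, ISPConfig or BIND: a small checker that inlines include statements from an in-memory stand-in for /etc/bind, strips BIND's three comment styles, counts "options {" blocks (a second one is what made the stock options file fail), and reports whether allow-recursion is restricted, open to any, absent, or moot because recursion is off. File contents are constructed for the example; nn.nn.nn.nn is a placeholder as in the post, and the check looks only at the options block, not at view-level ACLs.

```python
"""Audit a named.conf assembled the way the post does it (include inside options).

Added example, not code from the post, ISPConfig or BIND.  Files are an
in-memory dict standing in for /etc/bind; nn.nn.nn.nn is a placeholder.
"""
import re
from typing import Dict, List, Optional

INCLUDE_RE = re.compile(r'include\s+"([^"]+)"\s*;')
# A quoted string, a single brace or semicolon, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments (// inside a quoted string is not protected)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def load(path: str, files: Dict[str, str]) -> str:
    """Return `path` with comments stripped and every include inlined, recursively."""
    if path not in files:
        raise FileNotFoundError(f"include target missing: {path}")
    return INCLUDE_RE.sub(lambda m: load(m.group(1), files), strip_comments(files[path]))


def options_blocks(tokens: List[str]) -> int:
    """Count `options {` at any depth; two of them means named refuses to start."""
    return sum(1 for a, b in zip(tokens, tokens[1:]) if a == "options" and b == "{")


def options_body(tokens: List[str]) -> List[str]:
    """Tokens inside the first `options { ... }` block, or [] if there is none."""
    for i, (a, b) in enumerate(zip(tokens, tokens[1:])):
        if a == "options" and b == "{":
            depth = 0
            for j in range(i + 1, len(tokens)):
                if tokens[j] == "{":
                    depth += 1
                elif tokens[j] == "}":
                    depth -= 1
                    if depth == 0:
                        return tokens[i + 2:j]
    return []


def acl(tokens: List[str], keyword: str) -> Optional[List[str]]:
    """Elements of `keyword { a; b; };`, or None when the statement is absent."""
    for i, (a, b) in enumerate(zip(tokens, tokens[1:])):
        if a == keyword and b == "{":
            end = tokens.index("}", i)
            return [t for t in tokens[i + 2:end] if t != ";"]
    return None


def recursion_status(body: List[str]) -> str:
    """'closed' (recursion no), 'open' (any), 'restricted', or 'default' when no
    allow-recursion is given; what 'default' means depends on the BIND release
    (9.4 and later limit it to localnets/localhost, older releases answered anyone)."""
    if any(a == "recursion" and b == "no" for a, b in zip(body, body[1:])):
        return "closed"
    elems = acl(body, "allow-recursion")
    if elems is None:
        return "default"
    return "open" if "any" in elems else "restricted"


def audit(files: Dict[str, str], root: str = "/etc/bind/named.conf") -> Dict[str, object]:
    tokens = TOKEN_RE.findall(load(root, files))
    return {"options_blocks": options_blocks(tokens),
            "recursion": recursion_status(options_body(tokens))}


# Constructed stand-ins for the files in the post: named.conf includes the
# options file from INSIDE its options block, as the post shows.
NAMED_CONF = """
options {
        pid-file "/var/run/bind/run/named.pid";
        directory "/var/cache/bind";
        auth-nxdomain no;
        // query-source address * port 53;
        include "/etc/bind/named.conf.options";
};
zone "." { type hint; file "/etc/bind/db.root"; };
"""
# The post's final layout: no `options {` header of its own, recursion limited.
RESTRICTED_OPTIONS = """
forwarders { nn.nn.nn.nn; nn.nn.nn.nn; };   // placeholder addresses
/* recursion only for our own networks */
allow-recursion { localnets; };
"""
# The stock shape the post had to strip: the file wraps itself in options {}.
MISTAKEN_OPTIONS = "options {\n" + RESTRICTED_OPTIONS + "};\n"
# The open-resolver shape the comment block in the post warns against.
OPEN_OPTIONS = "forwarders { nn.nn.nn.nn; };\nallow-recursion { any; };\n"


def files_with(options_text: str) -> Dict[str, str]:
    return {"/etc/bind/named.conf": NAMED_CONF,
            "/etc/bind/named.conf.options": options_text}


if __name__ == "__main__":
    for name, opts in (("restricted", RESTRICTED_OPTIONS), ("mistaken", MISTAKEN_OPTIONS),
                       ("open", OPEN_OPTIONS)):
        print(name, audit(files_with(opts)))
```

Run against the real files, a report of two options blocks reproduces the "options directive twice" failure before named is restarted, and a "default" or "open" recursion status is the cue to add an explicit allow-recursion ACL rather than rely on whatever the installed BIND release assumes.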