Recently, I performed a clean installation of HestiaCP on Debian 12.5. Initially, all services were running perfectly. However, when trying to edit the main IP in a client’s DNS zone, I received an error message.
Upon checking the HestiaCP logs located at:
/var/log/hestia/error.log
I found the following errors:
2024-05-29 12:17:20 v-restart-service ‘bind9’ ‘’ [Error 20]
2024-05-29 12:17:20 v-restart-dns ‘’ [Error 20]
By examining the scripts involved, I noticed both end up calling the following commands:
sudo systemctl restart bind9
sudo systemctl reload bind9
For testing purposes, I ran both commands by hand. Surprisingly:
sudo systemctl restart bind9
- Worked fine
sudo systemctl reload bind9
- Failed with an error
Before addressing the reload issue, I checked the status of bind9 and found some errors in its journal output that are unrelated to the reload itself:
managed-keys.bind.jnl: open: permission denied
May 29 21:23:31 meusite.com.br named[105433]: managed-keys-zone: keyfetch_done:dns_journal_open → unexpected error
May 29 21:23:31 meusite.com.br named[105433]: managed-keys-zone: error during managed-keys processing (unexpected error): D>
These errors are not cosmetic. named keeps the DNSSEC trust anchors it maintains via RFC 5011 in managed-keys.bind, and it could not open that file's journal because the named process (which Debian runs as the bind user) lacks write access to its working directory, /var/cache/bind. Fix it by handing the directory and its contents back to the bind user:
sudo chown -R bind:bind /var/cache/bind
sudo chown -R bind:bind /var/cache/bind/managed-keys.bind
sudo chown -R bind:bind /var/cache/bind/managed-keys.bind.jnl
sudo systemctl restart named.service
sudo systemctl status named.service
The recursive chown on the directory already covers the two files, so the second and third commands are redundant but harmless. On Debian 12, bind9.service is an alias for named.service, so it does not matter which unit name you pass to systemctl.
Afterwards, ls -ld /var/cache/bind should show the directory owned by bind:bind, and the status output should no longer contain the managed-keys errors. This resolves the permission problem.
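As an added example (not part of the original post, and not one of HestiaCP's or BIND's own scripts), the following shell script checks the condition behind these errors on any BIND host: it reads the working directory from a named.conf.options-style file, confirms that the directory is owned and writable by the user named runs as (bind on Debian), and lists any managed-keys file owned by someone else. It assumes GNU stat (Linux); the script name, function names and arguments are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from HestiaCP/BIND.
# Checks whether the user that named runs as (bind on Debian) can write to
# named's working directory, where managed-keys.bind and its .jnl journal live.
# Assumes GNU stat. Usage: ./check_named_workdir.sh /etc/bind/named.conf.options [user]

# Print the working directory set by the "directory" option in FILE,
# or Debian's default (/var/cache/bind) when the option is absent.
named_workdir() {
    local dir
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${dir:-/var/cache/bind}"
}

# Return 0 when DIR is owned by USER and the owner write bit is set.
# Only ownership and mode bits are inspected, so no root privileges are needed.
workdir_writable_by() {
    local dir=$1 user=$2 perms owner
    perms=$(stat -c '%A' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    [ "$owner" = "$user" ] || return 1
    # third character of "drwxr-xr-x" is the owner write bit
    [ "$(printf '%s' "$perms" | cut -c3)" = "w" ]
}

# Print every relevant path (directory, trust-anchor file, its journal) that is
# not owned by USER, one per line, and return 1 if any was found.
misowned_workdir_files() {
    local dir=$1 user=$2 rc=0 f owner
    for f in "$dir" "$dir/managed-keys.bind" "$dir/managed-keys.bind.jnl"; do
        [ -e "$f" ] || continue
        owner=$(stat -c '%U' "$f")
        if [ "$owner" != "$user" ]; then
            printf '%s (owned by %s)\n' "$f" "$owner"
            rc=1
        fi
    done
    return $rc
}

# Live check against a real installation, only when arguments are given.
if [ $# -gt 0 ]; then
    workdir=$(named_workdir "$1")
    runas=${2:-bind}
    if workdir_writable_by "$workdir" "$runas" && misowned_workdir_files "$workdir" "$runas"; then
        echo "OK: $workdir and its managed-keys files are writable by $runas"
    else
        echo "FIX: sudo chown -R $runas:$runas $workdir && sudo systemctl restart named.service"
        exit 1
    fi
fi
```

Running it as ./check_named_workdir.sh /etc/bind/named.conf.options on the broken box prints the FIX line with the exact chown from above; the functions can also be sourced and pointed at any directory and user, which is how the checks below exercise them on a constructed layout.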
Now, let’s address the reload error.
When running the command:
sudo systemctl reload named.service
I receive an error message. Checking the status with:
systemctl status named.service
The main error displayed is:
Process: 4505 ExecReload=/usr/sbin/rndc reload (code=exited, status=1/FAILURE)
The ExecReload line is the clue: systemctl reload does not signal named directly, it runs rndc reload, so the reload fails whenever rndc cannot reach or authenticate to named's control channel (a missing or mismatched key, a key name that the controls statement does not allow, or a key file rndc cannot read). Running sudo rndc status by hand shows the actual rndc error instead of systemd's generic status=1/FAILURE. Here's how to resolve it:
Steps to Resolve the rndc Configuration Issue
- Generate the rndc key
sudo rndc-confgen -a
This writes a key file to /etc/bind/rndc.key (Debian builds BIND with /etc/bind as its configuration directory). The key statement inside it is named rndc-key, and the controls and rndc.conf settings below must use exactly that name. named only reads the key file at startup, so it has to be restarted once the key has been generated.
- Configure named.conf
Edit the main BIND configuration file:
sudo vim /etc/bind/named.conf
Add or adjust the controls section so that named accepts rndc connections only from the loopback address, authenticated with that key:
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
Keep the control channel on 127.0.0.1: anyone who can reach it and holds the key can reload, flush or stop the server. Run named-checkconf afterwards; it reports syntax errors in named.conf and the files it includes before you restart anything.
- Configure rndc.conf
Edit the rndc configuration file:
sudo vim /etc/bind/rndc.conf
Add the following content, which points rndc at the same loopback address and key:
include "/etc/bind/rndc.key";
options {
default-server 127.0.0.1;
default-key "rndc-key";
};
(rndc-confgen run without -a prints a complete rndc.conf together with the matching key and controls statements for named.conf, which you can copy instead of typing them.)
- Verify permissions
sudo chown bind:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
sudo chown bind:bind /etc/bind/rndc.conf
sudo chmod 640 /etc/bind/rndc.conf
The key file must be readable by named (the bind user) and by whoever runs rndc (root, via sudo, in this setup) and by nobody else: possession of the secret is all it takes to administer the server over the control channel, so never leave it world-readable.
- Restart BIND
sudo systemctl restart bind9
- Test rndc
sudo rndc status
rndc status should print the server's status lines (including "server is up and running") rather than a connection or authentication error. After completing these steps, you should be able to reload bind9 without issues:
sudo systemctl reload bind9
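The reload fails whenever the three files above disagree with each other, and the systemd status line does not say which one is wrong. As an added example (not part of the original post or of BIND's tooling), this script cross-checks them: it extracts the key name from rndc.key, the key names allowed by the controls statement in named.conf and the default-key in rndc.conf, reports any mismatch, and refuses a key file that is readable by other users. It assumes GNU stat (Linux); the script name and function names are my own choices, and the sample files used to exercise it are constructed, not taken from a real server.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from BIND/HestiaCP.
# Checks that the rndc key name is consistent across rndc.key, the controls
# statement in named.conf and default-key in rndc.conf, and that the key file
# is not world-readable. Assumes GNU stat. Usage: ./check_rndc.sh /etc/bind

# Name of the key defined by the first "key <name> {" statement in FILE
# (rndc-confgen -a writes: key "rndc-key" { ... };).
rndc_key_name() {
    sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]{]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Value of default-key in an rndc.conf-style FILE.
rndc_default_key() {
    sed -n 's/^[[:space:]]*default-key[[:space:]]*"\{0,1\}\([^";[:space:]]*\)"\{0,1\}[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Key names listed in "keys { ... }" clauses inside the controls block of FILE, one per line.
controls_key_names() {
    awk '
        /^[[:space:]]*controls[[:space:]]*[{]/ { inctl = 1 }
        inctl && /keys[[:space:]]*[{]/ {
            s = $0
            sub(/.*keys[[:space:]]*[{]/, "", s)
            sub(/[}].*/, "", s)
            n = split(s, parts, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]"]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
        inctl && /^[[:space:]]*[}][[:space:]]*;/ { inctl = 0 }
    ' "$1"
}

# Return 0 when FILE grants no permissions to "other" (mode 640 or stricter).
key_file_private() {
    [ "$(stat -c '%A' "$1" | cut -c8-10)" = "---" ]
}

# Cross-check the three files; print each problem found and return 1 if any.
rndc_config_consistent() {
    local named_conf=$1 rndc_conf=$2 rndc_key=$3 rc=0 name dk
    name=$(rndc_key_name "$rndc_key")
    if [ -z "$name" ]; then
        echo "no key statement found in $rndc_key"
        return 1
    fi
    if ! controls_key_names "$named_conf" | grep -qxF "$name"; then
        echo "controls in $named_conf does not list key \"$name\""
        rc=1
    fi
    dk=$(rndc_default_key "$rndc_conf")
    if [ "$dk" != "$name" ]; then
        echo "default-key in $rndc_conf is \"$dk\", expected \"$name\""
        rc=1
    fi
    if ! key_file_private "$rndc_key"; then
        echo "$rndc_key is readable by other users; anyone who reads it can control named"
        rc=1
    fi
    return $rc
}

# Live check (only when a configuration directory is given), then the real test.
if [ $# -gt 0 ]; then
    d=$1
    rndc_config_consistent "$d/named.conf" "$d/rndc.conf" "$d/rndc.key" && rndc status
fi
```

Run as ./check_rndc.sh /etc/bind it prints one line per inconsistency and only calls rndc status once the files agree, which separates "the config is wrong" from "named is not listening on 127.0.0.1:953". Note that the controls parser only reads the file you name; if HestiaCP places the controls statement in an included file such as named.conf.local, point the function at that file.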
This guide should help you resolve the rndc reload error and ensure smooth operation of bind9 on your server.