Technical Tip: Invalid domains cause named service to fail
Description
This article describes an issue where adding a '.' at the start of a domain in the allowed domains list causes the 'named-chroot' service to fail. In an HA environment, this can trigger a failover event.
Example: '.data.microsoft.com'
> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-10-20 13:32:16 EDT; 18s ago
Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 3832 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 6485 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Main PID: 3834 (code=exited, status=0/SUCCESS)
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Scope
FortiNAC.
Solution
As a workaround, remove any domains that lead with a '.' from the Allowed Domains List.
- In the UI, navigate to System -> Settings -> Control -> Allowed Domains.
- Select the domain and select Delete.
- Once all incorrect domains are deleted, select Save.
- In the appliance CLI, verify the named service is running. Enter the following command:
> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-20 13:33:48 EDT; 4min 31s ago
Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 7014 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 7011 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7016 (named)
Memory: 363.4M
CGroup: /system.slice/named-chroot.service
└─7016 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
- Re-add the domains that were removed, ensuring none of them begin with a '.'.
- Select Save.
