FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 189673

Description

 

This article describes an issue where an entry that begins with a '.' in the Allowed Domains list causes the 'named-chroot' service to fail. The entry is written into the BIND zone configuration, the pre-start zone check (named-checkconf -z in the unit's ExecStartPre) rejects it as an invalid zone name, and named does not start. In an HA environment, the failed service can trigger a failover event.

Example: '.data.microsoft.com'

> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-10-20 13:32:16 EDT; 18s ago
  Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 3832 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 6485 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Main PID: 3834 (code=exited, status=0/SUCCESS)

Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name


Scope

 

FortiNAC.

Solution


As a workaround, remove any domain that begins with a '.' from the Allowed Domains list.

 

  1. In the UI, navigate to System -> Settings -> Control -> Allowed Domains.
  2. Select the domain and select Delete.
  3. Once all incorrect domains are deleted, select Save.
  4. In the appliance CLI, verify the named service is running. Enter the following command:

> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-20 13:33:48 EDT; 4min 31s ago
  Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7014 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7011 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7016 (named)
   Memory: 363.4M
   CGroup: /system.slice/named-chroot.service
           └─7016 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

 

  5. Re-add the domains removed, ensuring they do not begin with a '.'
  6. Select Save.
 
Note: Selecting Save on the allowed domains page will restart the named-chroot service.
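The procedure above finds bad entries by hand. As an added example that is not part of this article or of FortiNAC, the shell script below applies the rule named-checkconf enforced in the log above (a zone name must not begin with '.') to a list of candidate entries before they are pasted into Allowed Domains. It goes beyond the leading-dot case to the other label rules of hostname syntax (no empty labels, only letters, digits and hyphens, no label starting or ending with a hyphen, 63-character labels, 253-character names); that character rule is stricter than BIND's own zone-name check, which is the safe direction for an allow-list. The sample entries are constructed; the named-checkconf invocation and chroot path are copied from the systemd unit output shown above.

```shell
#!/bin/sh
# Added example; not from the FortiNAC article or from Fortinet.
# Pre-flight check for Allowed Domains entries: reject anything that would
# make named-checkconf fail with "is not a valid name". Sample entries below
# are constructed.

# is_valid_zone_name NAME -> exit status 0 if NAME is an acceptable zone name
is_valid_zone_name() {
    name=$1
    # A single trailing dot (fully-qualified form) is acceptable; drop it.
    case $name in
        *.) name=${name%.} ;;
    esac
    # Empty name, leading dot, trailing dot (after the strip above) or double
    # dot all mean an empty label, which is what broke '.data.microsoft.com'.
    [ -n "$name" ] || return 1
    case $name in
        .*|*.|*..*) return 1 ;;
    esac
    # Hostname syntax: only letters, digits, '-' and '.'. Checking this before
    # word-splitting also guarantees no glob characters reach 'set --'.
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Presentation-form length limit for a full name.
    [ ${#name} -le 253 ] || return 1
    # Each label: at most 63 characters, not starting or ending with '-'.
    old_ifs=$IFS
    IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        [ ${#label} -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# list_invalid_entries NAME... -> prints, one per line, every NAME that would
# fail the check; prints nothing when the list is clean.
list_invalid_entries() {
    for entry in "$@"; do
        is_valid_zone_name "$entry" || printf '%s\n' "$entry"
    done
    return 0
}

# verify_named_chroot_config -> runs the same zone check the named-chroot unit
# runs in ExecStartPre (paths from the unit output in the article). Skips
# quietly on a host without BIND, so the script stays runnable off-appliance.
verify_named_chroot_config() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not found on this host; skipping zone check"
        return 0
    fi
    named-checkconf -t /var/named/chroot -z /etc/named.conf
}

# Pre-flight a constructed list; the first entry is the one from the article.
echo "Entries that must be fixed before saving Allowed Domains:"
list_invalid_entries '.data.microsoft.com' 'data.microsoft.com' \
    'update.example.com.' 'login..example.net'
verify_named_chroot_config
```

Run the list check on a workstation before editing the UI; run verify_named_chroot_config on the appliance CLI after selecting Save, since Save restarts named-chroot and a non-zero exit from named-checkconf means the service will not come back.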
 
Solution: The issue is resolved in later firmware versions, which display an error message when an entry beginning with a '.' is entered, so it cannot be saved to the Allowed Domains list.
 
(Screenshot: domains.PNG)
 