Description
Adding a "." to the start of a domain in the Allowed Domains list causes the named-chroot service to fail. In an HA environment this can trigger a failover event.
Example:
'.data.microsoft.com'
> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-10-20 13:32:16 EDT; 18s ago
Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 3832 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 6485 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Main PID: 3834 (code=exited, status=0/SUCCESS)
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Scope
Version: 8.x
Solution
Workaround: Remove any domains that lead with a "." from the Allowed Domains List.
1. In the UI navigate to System > Settings > Control > Allowed Domains
2. Select the domain and click Delete
3. Once all incorrect domains are deleted, click Save
4. In the appliance CLI, verify the named service is running. Type
service named-chroot status
Example:
> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-20 13:33:48 EDT; 4min 31s ago
Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 7014 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 7011 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7016 (named)
Memory: 363.4M
CGroup: /system.slice/named-chroot.service
└─7016 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
5. Re-add the removed domains, ensuring that none of them leads with a "."
6. Click Save
Note: Clicking save on the allowed domains page will restart the named-chroot service.
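The failure is a zone-name validation error: a leading "." yields an empty first label, which named-checkconf rejects during ExecStartPre, so the service never starts. The script below is an added example (not FortiNAC code) that applies the same label rules to an Allowed Domains list before it is saved; the entries in SAMPLE_ALLOWED_DOMAINS are constructed for illustration.

```python
"""Pre-save validator for Allowed Domains entries (added example, not FortiNAC code).

A leading "." produces an empty first label; named-checkconf reports such a
zone as "is not a valid name", the ExecStartPre check in named-chroot.service
exits 1, and the service fails to start.
"""
import re
from typing import List, Optional, Tuple

# One DNS label: letters, digits, hyphen or underscore, 1-63 characters,
# not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def check_domain(name: str) -> Optional[str]:
    """Return None if `name` is an acceptable zone name, else the reason it is not."""
    if not name:
        return "empty name"
    if name.startswith("."):
        return "leading '.' creates an empty first label (named-checkconf: is not a valid name)"
    # A single trailing dot is the fully qualified form and is valid.
    body = name[:-1] if name.endswith(".") else name
    if len(body) > 253:
        return "name longer than 253 characters"
    for label in body.split("."):
        if label == "":
            return "empty label (consecutive dots)"
        if not _LABEL_RE.match(label):
            return f"invalid label {label!r}"
    return None


def find_bad_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that would break named-chroot."""
    bad = []
    for entry in entries:
        reason = check_domain(entry.strip())
        if reason:
            bad.append((entry, reason))
    return bad


# Constructed sample list resembling what an administrator might have saved.
SAMPLE_ALLOWED_DOMAINS = [
    "data.microsoft.com",
    ".data.microsoft.com",  # the case described in this article
    "update.example.com.",  # trailing dot: valid fully qualified form
    "bad..example.com",     # empty label in the middle
]

if __name__ == "__main__":
    for entry, reason in find_bad_entries(SAMPLE_ALLOWED_DOMAINS):
        print(f"REJECT {entry!r}: {reason}")
```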
Solution: Addressed in version 8.8.3.
ID 0672073