Installing NicTool on CentOS 6

Here are some tips for anyone trying to install NicTool (http://www.nictool.com/) on RedHat Enterprise / CentOS 6 and not getting a working result.  NicTool is a web and CLI-based DNS record manager for those not familiar with it.  It’s really nice because it supports both web and CLI-based tools for managing the data, whether on the same server as the ‘server’ portion, or a remote server, and there is also an API you can use for interfacing with the data using your own software tools.  It also supports exporting the data in multiple formats for a few different authoritative name servers, or again, you can use the API to pull that data yourself if you need to push it to something else like a DNS service.

My first experience with NicTool was attempting to get version 2.21 running on a newly installed copy of CentOS 6 x86_64 and it had its hiccups. Some pre-reqs I’d recommend installing first from yum include:

  • httpd
  • httpd-devel
  • mod_perl
  • mod_ssl
  • mysql-server
  • mysql
  • mysql-libs

Here are my steps to install it and the issues I ran into:

  1. Download the software from the author’s website; NicTool-2.21.tar.gz is the file at the time of this writing.  It has both the client and server which you’ll have to extract separately.
  2. Switch to the server/NicToolServer-2.21/ directory.
  3. Normally you’d start the build and install process at this point but I’m going to give you a small detour to fix a problem I ran into after the fact.  Not yet fixed as of v2.21, there’s a bug that will prevent you from defining CNAME records that begin with a leading underscore, which is becoming more and more common as of late.  Here is the patch (in ‘patch’ format; see http://en.wikipedia.org/wiki/Patch_%28Unix%29 or http://www.gnu.org/software/patch/patch.html if not familiar) which I found at https://www.tnpi.net/support/forums/index.php/topic,1046.0.html:
    diff --git a/server/lib/NicToolServer/Zone.pm b/server/lib/NicToolServer/Zone.pm
    index 63ed72c..a3c7e28 100644
    --- a/server/lib/NicToolServer/Zone.pm
    +++ b/server/lib/NicToolServer/Zone.pm
    @@ -1154,6 +1154,9 @@ sub valid_hostname {
             if ( $field eq 'name' && $type eq 'SRV' && $first_char eq '_' ) {
                 # except for SRV
             }
    +        elsif ( $type eq 'CNAME' && $first_char eq '_' ) {
    +            # CNAME can delegate DMARC records, and perhaps others
    +        }
             elsif ( $first_char =~ /[^a-zA-Z0-9]/ ) {
                 $self->error( $field, "$warn_prefix must begin with a letter or digit: RFC 1912");
                 $has_error++;
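    Review bot: The new elsif for CNAME omits the $field eq 'name' test that the SRV branch directly above it carries, so a leading underscore is accepted in every field of a CNAME record that reaches this check, not only in the name. If underscore targets are intended (a delegated _dmarc label pointing at another underscore label), say so in the comment; otherwise write it as elsif ( $field eq 'name' && $type eq 'CNAME' && $first_char eq '_' ) so it matches the SRV exception.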
    diff --git a/server/lib/NicToolServer/Zone/Record/Sanity.pm b/server/lib/NicToolServer/Zone/Record/Sanity.pm
    index 3530121..9797085 100644
    --- a/server/lib/NicToolServer/Zone/Record/Sanity.pm
    +++ b/server/lib/NicToolServer/Zone/Record/Sanity.pm
    @@ -545,16 +545,17 @@ sub get_invalid_chars {
         return '[^a-fA-F0-9:]' if $type eq 'AAAA' && $field eq 'address';
         return '[^0-9\.]'      if $type eq 'A'    && $field eq 'address';
     
    -    if ( $field eq 'name' ) {
    -        # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
    -        # DKIM: delegated _domainkey in RFC 5016, 5.3
    -        return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS)$/;
    -
    -        # DNS & BIND, 4.5: Names that are not host names can consist of any
    -        # printable ASCII character. I feel like this is providing enough rope
    -        # for users to hang themselves. The code is here, but disabled.
    -        #return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
    -    };
    +    # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
    +    # DKIM: delegated _domainkey in RFC 5016, 5.3
    +    # CNAME: delegated _dmarc (and perhaps other uses)
    +    return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS|CNAME)$/;
    +
    +    # DNS & BIND, 4.5: Names that are not host names can consist of any
    +    # printable ASCII character. I feel like this is providing enough rope
    +    # for users to hang themselves. The code is here, but disabled.
    +#   if ( $field eq 'name' ) {
    +#       return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
    +#   };
     
         # allow / in reverse zones, for both name & address: RFC 2317
         return '[^a-zA-Z0-9\-\.\/]' if $zone_text =~ /(in-addr|ip6)\.arpa[\.]{0,1}$/i;
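    Review bot: The early return for SRV|TXT|SPF|NS|CNAME now sits above the reverse-zone rule in the trailing context (the return that allows / per RFC 2317), so a CNAME in an in-addr.arpa or ip6.arpa zone gets the class without / and never reaches that rule; before this change CNAME did not match the list and fell through to it. Dropping the if ( $field eq 'name' ) wrapper also applies the underscore class to every field of these five types rather than only the name. Suggest keeping the $field eq 'name' condition on the return and placing the reverse-zone check ahead of it, or documenting why both widenings are wanted.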
    

    If you’re not comfortable with ‘patch’, don’t worry, here’s what you do to patch things manually:

    1. From the extracted files, edit lib/NicToolServer/Zone.pm.  At line 1157 of the file, add the following three lines:
              elsif ( $type eq 'CNAME' && $first_char eq '_' ) {
                  # CNAME can delegate DMARC records, and perhaps others
              }
      
    2. Edit the file lib/NicToolServer/Zone/Record/Sanity.pm.  Lines 548 to 557 will contain the following code:
          if ( $field eq 'name' ) {
              # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
              # DKIM: delegated _domainkey in RFC 5016, 5.3
              return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS)$/;
      
              # DNS & BIND, 4.5: Names that are not host names can consist of any
              # printable ASCII character. I feel like this is providing enough rope
              # for users to hang themselves. The code is here, but disabled.
              #return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
          };
      

      Replace those lines with the following:

          # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
          # DKIM: delegated _domainkey in RFC 5016, 5.3
          # CNAME: delegated _dmarc (and perhaps other uses)
          return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS|CNAME)$/;
      
          # DNS & BIND, 4.5: Names that are not host names can consist of any
          # printable ASCII character. I feel like this is providing enough rope
          # for users to hang themselves. The code is here, but disabled.
      #   if ( $field eq 'name' ) {
      #       return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
      #   };
      
  4. Okay, with the patches out of the way, we’re back on track to get this thing installed.  Normally, you’d execute “bin/nt_install_deps.pl” which will find and install any dependencies you may need.  I’m not big on having that kind of thing automated; I like to know what all’s being installed.  So it’s up to you: the easy way is to run bin/nt_install_deps.pl and skip down to step 8, or continue on and let’s do things manually.  I knew the software requires a lot of perl libraries, so the first thing I did was attempt to build the makefile by running the standard “perl Makefile.PL”.  In my case, it spit out the following:
    # perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Warning: prerequisite APR::Table 0 not found.
    Warning: prerequisite Apache::DBI 0 not found.
    Warning: prerequisite BIND::Conf_Parser 0 not found.
    Warning: prerequisite CGI 3 not found.
    Warning: prerequisite DBIx::Simple 0 not found.
    Warning: prerequisite MIME::Base32 0 not found.
    Warning: prerequisite Net::DNS::Zone::Parser 0 not found.
    Warning: prerequisite NicTool 0 not found.
    Warning: prerequisite Params::Validate 0.8 not found.
    Warning: prerequisite RPC::XML 0 not found.
    Warning: prerequisite RPC::XML::Parser 0 not found.
    Warning: prerequisite SOAP::Lite 0.51 not found.
    Warning: prerequisite Test::More 0 not found.
    Warning: prerequisite TestConfig 0 not found.
    Warning: prerequisite Time::TAI64 2 not found.
    Warning: prerequisite XML::Parser 0 not found.
    Warning: prerequisite mod_perl 0 not found.
    Warning: prerequisite parent 0.2 not found.
    Checking if your kit is complete...
    Looks good
    Warning: prerequisite RPC::XML 1 not found.
    Warning: prerequisite RPC::XML::Parser 0 not found.
    Warning: prerequisite SOAP::Lite 0.51 not found.
    Warning: prerequisite Test::More 0 not found.
    Warning: prerequisite TestConfig 0 not found.
    Writing Makefile for NicTool
    Writing Makefile for NicToolServer
    
  5. Not a huge deal, I’m okay with installing perl libraries.  If you’re not, see my tutorial on that at http://www.ispcolohost.com/2013/07/15/installing-cpan-modules-for-perl/  Before I start doing it manually though, I did want to check to see if I could get any out of the normal CentOS yum repositories so I checked.  Oh, also, I was already starting out with all of the following installed on the server:
    perl-Archive-Tar
    perl-BSD-Resource
    perl-Compress-Raw-Zlib
    perl-Compress-Zlib
    perl-CPAN
    perl-Crypt-OpenSSL-Bignum
    perl-Crypt-OpenSSL-Random
    perl-Crypt-OpenSSL-RSA
    perl-DBD-MySQL
    perl-DBI
    perl-devel
    perl-Digest-HMAC
    perl-Digest-SHA1
    perl-Digest-SHA
    perl-Encode-Detect
    perl-ExtUtils-MakeMaker
    perl-ExtUtils-ParseXS
    perl-HTML-Parser
    perl-HTML-Tagset
    perl-IO-Compress-Base
    perl-IO-Compress-Zlib
    perl-IO-Socket-INET6
    perl-IO-Socket-SSL
    perl-IO-Zlib
    perl-libs
    perl-libwww-perl
    perl-Mail-DKIM
    perl-MailTools
    perl-Module-Pluggable
    perl-NetAddr-IP
    perl-Net-DNS
    perl-Net-IP
    perl-Net-LibIDN
    perl-Net-SSLeay
    perl-Package-Constants
    perl-Pod-Escapes
    perl-Pod-Simple
    perl-Socket6
    perl-String-CRC32
    perl-Test-Harness
    perl-Text-Iconv
    perl-TimeDate
    perl-Time-HiRes
    perl-URI
    

    You can install any of those using “yum install NAME” where you just put the name in. The remaining requirements that can be satisfied with yum were:

    perl-CGI
    perl-DBIx-Simple
    perl-Params-Validate
    perl-SOAP-Lite
    perl-XML-Parser
    
  6. Okay, so time to go to work on installing the rest from CPAN.  Just work your way through the requirements one by one; i.e., the make process says “Warning: prerequisite APR::Table 0 not found.”, so you try to install APR::Table via CPAN using the steps in the link I gave you earlier if not familiar.  Install all of the prereq’s as well.  Oh yeah, at least one of the pre-reqs is going to require you have gcc installed, so you may need to install that as well if your server doesn’t have it by default; it’s in yum of course.
    1. This module gave me issues not passing its testing, so it wouldn’t install: Net::DNS::Zone::Parser
    2. When this occurs, you’ll want to drop out of the CPAN shell and probably do something along these lines: cd ~/.cpan/build/Net-DNS-Zone-Parser-0.02-*  which should put you in the build directory that cpan was trying from.  That will of course error out if you tried more than once and there is more than one copy extracted, so just pick one to cd into.
    3. In the failed module’s directory:
      perl Makefile.PL
      make install
    4. Go back to the CPAN shell and keep on going.
    5. This module also gave me issues: TestConfig
    6. The problem is it requires Net::FTP::Common which in turn requires Net::FTP, and for whatever reason, installing Net::FTP via CPAN seems to require communicating with the Oregon State University Open Source Lab at ftp.osuosl.org where it gets stuck in an endless loop trying and failing to retrieve something.  I gave up and downloaded/installed it manually:
      wget http://search.cpan.org/CPAN/authors/id/T/TB/TBONE/Net-FTP-Common-7.0.d.tar.gz
      tar zxvf Net-FTP-Common-7.0.d.tar.gz
      cd Net-FTP-Common-7.0.d
      perl Makefile.PL
      make install
      
  7. For whatever reason, even if you install the yum mod_perl, the makefile still complains that it’s not installed.  This is safe to ignore.
  8. Okay, install time!
  9. perl Makefile.PL
    make install clean
    
  10. You’ll find your life will be much easier if you use the default location for this software, which is /usr/local/nictool/. The reason is that all the docs have the expectation that it will be there, as do some of the config files and their settings. Forum posts if you go there for support will also commonly reference that. With that being said, the directory you’ve been working from, probably named NicToolServer-2.21, will end up being named server and located under /usr/local/nictool/, so make that happen; i.e.:
    cd ..
    mkdir /usr/local/nictool/
    mv NicToolServer-2.21 /usr/local/nictool/server/
    
  11. At this point I think it makes more sense to configure MySQL and the databases rather than apache (which is what the default install doc tells you to do), so, next up, cd to /usr/local/nictool/server/sql/ and edit the file create_tables.pl.  By default it creates your nictool database with a name and username you provide, but a default password which you may or may not like, and it assumes your MySQL root user has no password, so all of that may need correction before you run “perl create_tables.pl”.  Once you have it the way you want, run that command.
  12. Edit the /usr/local/nictool/server/lib/nictoolserver.conf file and make it match the info you just set up for the database.
  13. Now, let’s set up Apache.  The author suggests this:
    <IfDefine !MODPERL2> 
       PerlFreshRestart On
    </IfDefine>
    PerlTaintCheck Off
        
    Listen 8082
    
    PerlRequire /usr/local/nictool/server/lib/nictoolserver.conf
    
    <VirtualHost 127.0.0.1:8082>
        KeepAlive Off
        <Location />
            SetHandler perl-script
            PerlResponseHandler NicToolServer
        </Location>
        <Location /soap>
            SetHandler perl-script
            PerlResponseHandler Apache::SOAP
            #PerlResponseHandler Apache2::SOAP
            PerlSetVar dispatch_to "/usr/local/nictool/server, NicToolServer::SOAP"
        </Location>
    </VirtualHost>
    
  14. Personally I changed the Listen directive to be Listen 127.0.0.1:8082 so it’s only listening on the non-standard port locally.
  15. Try to start apache; didn’t work for me, I got:
    Starting httpd: Syntax error on line 2 of /etc/httpd/conf.d/nictool.conf:
    Invalid command 'PerlFreshRestart', perhaps misspelled or defined by a module not included in the server configuration
  16. Get rid of this and it should allow Apache to start:
    <IfDefine !MODPERL2> 
       PerlFreshRestart On
    </IfDefine>
    
  17. Wow, okay, let’s install the client now.  cd ~/client/NicToolClient-2.21/
  18. Oops, missing JSON, yum install perl-JSON -y
  19. perl Makefile.PL ; make install clean
  20. cd ../ ; mv NicToolClient-2.21 /usr/local/nictool/client
  21. Edit /usr/local/nictool/client/lib/nictoolclient.conf and update any defaults for zones that you need; otherwise it should be fine.  If your NicTool server is not local, then you’ll have to adjust for that as well in the host field.
  22. Configure Apache; author suggests (edited to run on port 80, you can set it up for 443 on your own): 
  23. Restart apache.
  24. In theory, you should now have a working copy of NicTool.  Well, hit your web page and see.  In my case, I got the login screen along with:  “SOAP: transport error: http://localhost:8082/soap: 500 Internal Server Error”
  25. Checking /var/log/httpd/error_log says I have this problem: 
    [Mon Mar 31 15:13:29 2014] [error] [client 127.0.0.1] Illegal field name 'APR::Table=HASH(0x7ff01ea53e28)' at /usr/share/perl5/vendor_perl/SOAP/Transport/HTTP.pm line 796\n
  26. If you see that, it means a bug in the HTTP::Message perl module has not been fixed yet.  The last version known to work is 6.04, so if you need that, grab it: 
    wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/HTTP-Message-6.04.tar.gz
  27. tar zxvf HTTP-Message-6.04.tar.gz
    cd HTTP-Message-6.04
    perl Makefile.PL
    make install
    service httpd restart
  28. Okay try again.  If things work for you the way they did for me, you should now be able to log in as root and the password you gave during setup.
  • If you see this in your logs:

    DBI connect('database=nictool;host=localhost;port=3306','nictool',...) failed: Access denied for user 'nictool'@'localhost' (using password: YES) at /usr/local/share/perl5/Apache/DBI.pm line 236

    Check your /usr/local/nictool/server/lib/nictoolserver.conf for database credentials.

  • If you see this in your logs:

    [Sun Mar 30 20:12:40 2014] [error] [client 127.0.0.1] Illegal field name 'APR::Table=HASH(0x7fcc06bf0e58)' at /usr/local/share/perl5/SOAP/Transport/HTTP2.pm line 103\n

    Then you didn’t downgrade the HTTP::Message module like I told you to.

  • If you have what appears to be a functioning copy of NicTool but it is running very slow sporadically, and you see this in your logs:

    Client error: 301: nt_user_id: Required parameters missing ModPerl::ROOT::ModPerl::Registry::usr_local_nictool_client_htdocs_user_2ecgi:/usr/local/nictool/client/htdocs/user.cgi:55 at /usr/local/nictool/client/lib/NicToolClient.pm line 1316.
    Client error: 301: nt_user_id: Required parameters missing ModPerl::ROOT::ModPerl::Registry::usr_local_nictool_client_htdocs_user_2ecgi:/usr/local/nictool/client/htdocs/user.cgi:276 at /usr/local/nictool/client/lib/NicToolClient.pm line 1316.

    You probably are running the Apache2::SOAP module in your Apache config instead of Apache::SOAP. I had tried that one first and had the issue, reverted, issue went away.
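
One way to confirm the loopback-only binding chosen in step 14, as an added example that is not part of the original post or of NicTool: the script flags Listen directives and listening sockets on the SOAP port that are not restricted to loopback. The function names and the sample config and socket lines are constructed for illustration, and the socket parser assumes `ss -ltn` style output.

```shell
# Added example: audit that the NicTool SOAP port is bound to loopback only.
# Function names and sample data below are constructed for illustration.

# is_loopback ADDR: succeed if ADDR is a loopback address.
is_loopback() {
    case "$1" in
        127.*|::1|"[::1]"|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# exposed_listen_directives PORT < apache-config
# Print each Listen directive for PORT that is not restricted to loopback.
exposed_listen_directives() {
    port=$1
    while read -r word arg _rest; do
        case "$word" in
            [Ll][Ii][Ss][Tt][Ee][Nn]) ;;   # directive names are case-insensitive
            *) continue ;;                 # skips comments and other directives
        esac
        case "$arg" in
            "$port") echo "Listen $arg" ;; # bare port binds every interface
            *":$port") is_loopback "${arg%:*}" || echo "Listen $arg" ;;
        esac
    done
}

# exposed_sockets PORT < output of `ss -ltn`
# Print each listening local address on PORT that is not loopback.
exposed_sockets() {
    port=$1
    while read -r state _recvq _sendq laddr _peer; do
        [ "$state" = "LISTEN" ] || continue      # also skips the header row
        case "$laddr" in *":$port") ;; *) continue ;; esac
        is_loopback "${laddr%:*}" || echo "$laddr"
    done
}

# Constructed sample: the Listen line suggested in step 13, then step 14's.
sample_conf() {
    cat <<'EOF'
Listen 8082
Listen 127.0.0.1:8082
<VirtualHost 127.0.0.1:8082>
</VirtualHost>
EOF
}

# Constructed sample of `ss -ltn` output containing one wildcard bind.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:3306      *:*
LISTEN  0       128     *:8082              *:*
LISTEN  0       128     127.0.0.1:8082      *:*
EOF
}

echo "config findings:"; sample_conf | exposed_listen_directives 8082
echo "socket findings:"; sample_ss | exposed_sockets 8082
# On a live host: exposed_listen_directives 8082 < /etc/httpd/conf.d/nictool.conf
#                 ss -ltn | exposed_sockets 8082
```

Empty output from both functions means the port is only reachable from the local machine.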

5 Replies to “Installing NicTool on CentOS 6”

  1. Shyam Kumar

    Hi

    Wonderful post, this helped me figure out stuff that went wrong with the NicTool configuration. Unlike the other know-it-all bloggers yours was precise and up to the mark.
    Thank you for this post.

    I am facing a problem with the nt_import.pl file. I am trying to import from an existing tinydns server using the import tool and I get the following error.
    “( SOAP: transport error: http://127.0.0.1:8082/soap: 403 Forbidden ) at /usr/local/share/perl5/NicToolServer/Import/Base.pm line 199, line 5.”

    No matter what I do with regards to changing my httpd config file to use APACHE2::SOAP/APACHE::SOAP it doesn’t work. Not sure what I am doing wrong.

    This is what I get in the apache log
    [Fri Nov 01 05:07:45.361762 2019] [:error] [pid 113650:tid 140130240820992] [client 127.0.0.1:41296] client denied by server configuration: /var/www/html/soap

    Appreciate your help with this.

    Thanks
    Shyam

    • Your Mom Post author

      Have you checked your apache error log for the reason for the 403 status? It sounds like perhaps there’s a rule in there not permitting access from 127.0.0.1 to 127.0.0.1 at the web server level. You may find the relevant error in /var/log/httpd/error_log if it’s stock redhat/centos. This is my simple apache config for the soap listener:

      Listen 8082
      
      PerlRequire /usr/local/nictool/server/lib/nictoolserver.conf
      
      <VirtualHost 127.0.0.1:8082>
          KeepAlive Off
          <Location />
              SetHandler perl-script
              PerlResponseHandler NicToolServer
          </Location>
          <Location /soap>
              SetHandler perl-script
              PerlResponseHandler Apache::SOAP
              #PerlResponseHandler Apache2::SOAP
              PerlSetVar dispatch_to "/usr/local/nictool/server, NicToolServer::SOAP"
          </Location>
      </VirtualHost>
      
  2. Shyam

    Hi

    Thanks for the response. The only error in my error log is
    “[Sun Nov 10 23:29:53.599166 2019] [:error] [pid 128549:tid 140686015788800] [client 127.0.0.1:45602] client denied by server configuration: /var/www/html/soap”
    I am using the Apache::SOAP as well in my config file. I even tried replacing the 127.0.0.1 part with a “*” to ensure that it accepts all requests.

    Listen 8082

    PerlRequire /usr/local/nictool/server/lib/nictoolserver.conf

    # DocumentRoot /usr/local/nictool/client/htdocs
    KeepAlive Off

    SetHandler perl-script
    PerlResponseHandler NicToolServer

    SetHandler perl-script
    PerlResponseHandler Apache::SOAP
    PerlSetVar dispatch_to "/usr/local/nictool/server, NicToolServer::SOAP"

    Appreciate your help on this.

    Thanks
    Shyam

  3. Shyam

    Hi

    Found the solution to the problem I was facing. I had the mod_evasive package installed on my system. Removed it and that solved my problem.

    Thanks for your help and suggest you to add this part in your blog.

    Regards
    Shyam
