Zone set for dynamic updating isn't updating

Mark Andrews marka at isc.org
Thu Mar 4 19:40:41 UTC 2021


The permissions on the directory holding the zone file and journal need to allow named to create files. Named will recreate new versions of these as part of processing the dynamic update and move them into place once they are complete.

If you are running Linux, also see SELinux settings, as they add additional constraints. Additionally, if you are running as root, named does not have permission to override file permissions root normally has.

-- 
Mark Andrews

> On 5 Mar 2021, at 05:59, Bruce Johnson <johnson at pharmacy.arizona.edu> wrote:
> 
> We have one zone set for Active directory to update dynamically that has stopped doing so.
> 
> Someone manually updated the zone without doing a freeze/thaw, and the host that was added wasn't properly resolving. What I found looking for a solution was to freeze the zone, delete the .jnl file, update the serial #, then thaw the zone. That got lookups working properly again, but now the zone is no longer updating. I found a bunch of errors about permission denied:
> 
> Mar  2 14:00:30 example named[42659]: etc/DynZone.Hosts.jnl: create: permission denied
> 
> I created the file and chowned it to named
> 
> but it hasn’t been written to:
> 
> -rw-r--r--. 1 root  root  108578 Feb 22 09:43 DynZone.Hosts
> -rw-rw-r--. 1 named named      0 Mar  2 14:01 DynZone.Hosts.jnl
> 
> I know that there have been new hosts added that should have been updated in that zone.
> 
> It was working before the incident so I don’t think it’s a permissions issue, but I could well be wrong.
> 
> Unfortunately I can’t really find any info on what the permissions SHOULD be for the bind config and files.
> 
> Another clue that permissions are wrong, is that any time I’ve tried to set up logging directives in named.conf restarting it results in a failure due to permissions; but as I mentioned, it was working until recently.
> 
> This is the zone config in named.conf:
> 
> zone "DynZone.com" {
>   type master;
>   file "etc/DynZone.Hosts";
>   check-names ignore;
>   allow-update {"trusted";};
> };
> 
> The trusted acl is a list of our (name) vlans, but checking the config syntax with named-checkconf -z shows all are properly loading, and the zone transfers after the manual update did work.
> 
> -- 
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
> 
> Institutions do not have opinions, merely customs
> 

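Mark's point above is that the "create: permission denied" error is about the directory, not the journal file itself: named writes a new journal or zone file and renames it into place, so named's uid and groups need write and search permission on the directory holding the zone file, and SELinux can still deny what the mode bits allow. The script below is an added example written for this post; it is not code from the thread or from ISC. It applies the ordinary Unix permission rules to a zone file's directory for a given uid and group list, reports the SELinux label of the directory when the filesystem exposes one (so it can be compared with whatever your distribution's policy expects for zone directories), and demonstrates the rules on a constructed temporary directory. The uids 65534/65533 and gids 65532/65531 used in the demonstration are constructed stand-ins for "some other user", and the uid-0 bypass is the usual CAP_DAC_OVERRIDE behaviour, stated here as an assumption.

```python
#!/usr/bin/env python3
"""Check whether a given uid could create files in a zone file's directory.

Added example, not from the mailing-list thread. named must be able to
create and rename files in the directory that holds the zone file and its
.jnl journal, so the directory's write+search bits for named's uid and
groups are what matter, not only the mode of the journal itself.
"""
import os
import shutil
import stat
import sys
import tempfile


def can_create_files(directory, uid, gids):
    """Apply ordinary Unix (DAC) rules: creating, unlinking or renaming an
    entry needs write and search (execute) permission on the directory.
    uid 0 is assumed to bypass the mode bits (CAP_DAC_OVERRIDE). SELinux
    or other MAC layers can still deny and are not modelled here."""
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(directory)
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        write, search = mode & stat.S_IWUSR, mode & stat.S_IXUSR
    elif st.st_gid in gids:
        write, search = mode & stat.S_IWGRP, mode & stat.S_IXGRP
    else:
        write, search = mode & stat.S_IWOTH, mode & stat.S_IXOTH
    return bool(write and search)


def selinux_label(path):
    """Return the SELinux label stored in the security.selinux xattr, or
    None when the platform or filesystem does not provide one."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def audit_zone(zone_file, uid, gids):
    """Collect the facts an admin would compare against the 'create:
    permission denied' error: can this uid make files in the directory,
    what label does the directory carry, and do the zone and journal exist."""
    directory = os.path.dirname(os.path.abspath(zone_file))
    return {
        "directory": directory,
        "dir_allows_create": can_create_files(directory, uid, gids),
        "dir_selinux_label": selinux_label(directory),
        "zone_file_exists": os.path.exists(zone_file),
        "journal_exists": os.path.exists(zone_file + ".jnl"),
    }


def demo_on_tempdir():
    """Constructed scenario (not from the thread): a fresh directory owned by
    the current user, checked at mode 0755 and 0775 for the owner, for a
    non-owner who is in the directory's group, and for an unrelated uid/gid.
    The stranger ids are constructed stand-ins chosen to differ from ours."""
    d = tempfile.mkdtemp()
    try:
        st = os.stat(d)
        owner_uid, dir_gid = st.st_uid, st.st_gid
        stranger_uid = next(u for u in (65534, 65533) if u != owner_uid)
        stranger_gid = next(g for g in (65532, 65531) if g != dir_gid)
        results = {}
        for mode in (0o755, 0o775):
            os.chmod(d, mode)
            results[oct(mode)] = {
                "owner": can_create_files(d, owner_uid, [dir_gid]),
                "group_member": can_create_files(d, stranger_uid, [dir_gid]),
                "other": can_create_files(d, stranger_uid, [stranger_gid]),
            }
    finally:
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: audit_zone_dir.py ZONE_FILE UID GID[,GID...]
        zone, uid = sys.argv[1], int(sys.argv[2])
        gids = [int(g) for g in sys.argv[3].split(",")]
        for key, value in audit_zone(zone, uid, gids).items():
            print(f"{key}: {value}")
    else:
        for mode, answers in demo_on_tempdir().items():
            print(mode, answers)
```

Run it against the real zone with named's numeric uid and gids (from `id named`) to see whether the directory, rather than the journal, is what blocks the update; with no arguments it prints the constructed demonstration, where a 0755 directory lets only its owner create files and 0775 also admits the group.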