Solution to slave zone transfer problem (at least in my case)

Mark Andrews Mark_Andrews at isc.org
Tue Mar 22 23:55:25 UTC 2005


> Frank Saxton wrote:
> 
> >Thanks for the response Kevin!  After about 4 days and reading literally
> >hundreds of forum posts, web pages and so on, I finally figured it out with
> >a clue from someone who posted something about this subject.  This really
> >ought to be a FAQ item IMO since literally legions of people have
> >apparently slugged it out trying to solve this problem over time.  The
> >"responses" to these questions are usually something vague along the lines
> >of "there's a problem with named.conf" or "you have a permissions problem". 
> >Duh... that may indeed have been the case with the other thousand or so
> >people who had this problem,  but with over 20 years of *NIX Systems
> >Engineering experience, I think I know how to set up file permissions.
> >
> >Anyway, I was getting the classic "permissions denied" messages same as
> >everyone else.  With named debug turned on, I was seeing write deny
> >messages for /dev/sda3 (/var) but nothing more informational than that.
> >
> >I am not a DNS person and I don't know when the /var/named/slaves scheme
> >came along.  I am using Bind 9.2.4.  But this, not "file permissions" is
> >what bit me.
> >
> >On the DNS slave, you need to set zone, file "slave/zonename"; not just file
> >"zonename";  THANK YOU CHRIS!!!!!!
> >
> >Then you need to (apparently) copy your zone files into /var/named/slaves
> >making them 664 and owned and grouped by named.
> >
> >Once I got it to work, I didn't do a lot of testing to figure out all of the
> >little pieces so you might be able to get away with a different mask or
> >ownerships.  But if you're having this problem and the condescending "your
> >files aren't writeable" responses aren't helping, try this.
> >
> >Why named can't see the files in chroot on a slave is anyone's guess.  My
> >symlinks are right and my file protections are right and everything was
> >indeed writeable.  Perhaps this was fixed in later releases of bind.
> >
> >Anyway, I hope this information saves some time for others who get dragged
> >into this snake pit.
> >
> Frank,
> There's nothing magical about any "/var/named/slaves" convention, nor do 
> I follow that convention on any of my chroot'ed-and-running-unprivileged 
> slave servers. If you've solved your problem, you've done so in a 
> roundabout way.
> 
> Is your /var/named directory itself writable? Since named writes temp 
> files, it needs to have write permission for the working directory 
> itself, not just to the zone files in that directory. I have a "data" 
> subdirectory off my chroot, for instance, and that works just fine...
> 
> - Kevin

	I've added the following FAQ entry to the bind9 distribution.

Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
   receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named creating /
   renaming the temporary file.  These will usually also have other associated
   error messages like

   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

   Named needs write permission on the directory containing the file.  Named
   writes the new cache file to a temporary file then renames it to the name
   specified in named.conf to ensure that the contents are always complete.
   This is to prevent named loading a partial zone in the event of power
   failure or similar interrupting the write of the master file.

   Note file names are relative to the directory specified in options and
   any chroot directory  ([<chroot dir>/][<options dir>]).

   e.g.
        If named is invoked as "named -t /chroot/DNS" with the following
        named.conf then "/chroot/DNS/var/named/sl" needs to be writable
        by the user named is running as.

        options {
                directory "/var/named";
        };

        zone "example.net" {
                type slave;
                file "sl/example.net";
                masters { 192.168.4.12; };
        };


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
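The FAQ entry above gives the path rule ([<chroot dir>/][<options dir>]/<file>) and describes named's write-temp-file-then-rename behaviour. The shell script below is an added illustration, not part of Mark Andrews' FAQ text or of the BIND distribution: `resolve_zone_dir` applies the path rule to the values from named.conf (including an absolute `file` path and the no-chroot case, which the FAQ does not spell out), `dir_writable_by` tests the directory rather than the zone file, and `atomic_zone_write` mimics the temp-file-plus-rename sequence so the permission failure can be reproduced outside named. It assumes a POSIX sh with `dirname` and `mktemp`; the `su -s /bin/sh` branch used to test as the named user is an assumption that needs root and a `su` supporting `-s` (Linux).

```shell
#!/bin/sh
# Added example; not from the FAQ entry or from BIND itself.

# resolve_zone_dir CHROOT OPTIONS_DIR FILE
# Prints the host-side directory named must be able to write into,
# following [<chroot dir>/][<options dir>]/<file>.
# CHROOT may be empty (named run without -t); FILE may be absolute or relative.
resolve_zone_dir() {
    chroot_dir=$1
    options_dir=$2
    zone_file=$3

    # An absolute "file" ignores the options directory (but is still inside the chroot).
    case $zone_file in
        /*) inside="$zone_file" ;;
        *)  inside="${options_dir%/}/$zone_file" ;;
    esac

    # Directory part of the path as seen from inside the chroot.
    inside_dir=$(dirname "$inside")

    # Prefix the chroot directory, avoiding a doubled slash.
    if [ -n "$chroot_dir" ]; then
        printf '%s\n' "${chroot_dir%/}$inside_dir"
    else
        printf '%s\n' "$inside_dir"
    fi
}

# dir_writable_by DIR USER
# Returns 0 if USER can create and rename files in DIR (needs write + search bits).
# Switches to USER only when run as root; otherwise checks the current user.
dir_writable_by() {
    dir=$1
    user=$2
    if [ "$(id -u)" -eq 0 ] && [ -n "$user" ]; then
        # Assumption: a Linux su that accepts -s to pick the shell.
        su -s /bin/sh "$user" -c "test -d '$dir' && test -w '$dir' && test -x '$dir'"
    else
        test -d "$dir" && test -w "$dir" && test -x "$dir"
    fi
}

# atomic_zone_write DEST  (zone data on stdin)
# Reproduces the sequence named uses: write tmp-XXXXXX in the destination
# directory, then rename it over DEST. Fails the same way named does when the
# directory itself is not writable, even if DEST already exists and is writable.
atomic_zone_write() {
    dest=$1
    dest_dir=$(dirname "$dest")
    tmp=$(mktemp "$dest_dir/tmp-XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# check_zone_dir CHROOT OPTIONS_DIR FILE USER
# Resolves the directory and reports whether USER can write into it.
check_zone_dir() {
    dir=$(resolve_zone_dir "$1" "$2" "$3")
    if dir_writable_by "$dir" "$4"; then
        printf 'OK: %s is writable by %s\n' "$dir" "${4:-current user}"
        return 0
    fi
    printf 'FAIL: %s is not writable by %s (named will report "permission denied")\n' \
        "$dir" "${4:-current user}" >&2
    return 1
}

# Usage, with the values from the FAQ's named.conf example:
#   check_zone_dir /chroot/DNS /var/named sl/example.net named
```

Run `check_zone_dir` with the chroot passed to `named -t`, the `directory` from `options`, and the zone's `file` value; if it prints FAIL, fix the directory's owner or mode rather than the zone file's.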


