Zone Transfer from MS DNS to Bind

Chris Buxton cbuxton at menandmice.com
Wed Aug 2 18:13:06 UTC 2006


You're having problems with SELinux, a new security enhancement for Linux that augments the traditional filesystem security model inherited from Unix. Think of SELinux as a firewall between processes and the filesystem. Either disable SELinux or learn how to administer it.

The 'audit' messages from the kernel relate to SELinux. In your log messages, named is unable to write out its log file for channel 'default_debug' (which you've confusingly put at /var/run/named.run) and the copy of the transferred zone, all because of the SELinux policy.

Chris Buxton
Men & Mice

On Aug 2, 2006, at 7:04 AM, Shaheen wrote:

> Hi,
> I am having a problem configuring BIND as a secondary server for an MS
> Windows 2k based primary DNS.
>
> What I get in the log file is
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: end of transfer
> name named[10827]: loading configuration from '/etc/named.conf'
> name kernel: audit(1154526782.984:309): avc:  denied  { write } for pid=10831 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> name named[10827]: logging channel 'default_debug' file '/var/named/named.run': permission denied
> name named[10827]: zone abc.com/IN/internal: Transfer started.
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: connected using 192.168.1.14#58206
> name named[10827]: dumping master file: tmp-xRln0Jv84M: open: permission denied
> name kernel: audit(1154526783.624:310): avc:  denied  { write } for pid=10829 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: failed while receiving responses: permission denied
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: end of transfer
>
>
> and the permissions for /var/named are drwxr-x---  6 root    named   4096 Jul 23 19:14 named
>
> When I changed the permissions to drwxr-x---  6 named    named   4096 Jul 23 19:14 named
>
> I got the same error.
>
> my named.conf is
> options {
>         directory "/var/named/";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         datasize default;
>         recursive-clients 30000;
>         max-cache-size 800000000;
>         pid-file "/var/run/named/named.pid";
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below.  Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>          // query-source address * port 53;
> };
>
> logging {
>         category lame-servers { null; };
>
>         channel "default_debug" {
>                 file "/var/named/named.run";    // write to named.run in the
>                                                 // working directory
>                                                 // Note: stderr is used instead
>                                                 // of "named.run" if the server
>                                                 // is started with the '-f' option.
>                 severity critical;              // log at the server's
>                                                 // current debug level
>         };
> };
>
> controls {
>         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "abc.com" {
>         type slave;
>         file "db.zone";
>         masters { x.x.x.x; };
> };
> include "/etc/rndc.key";
>
>
> Please advise.
>
> Thank you
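Added example, not code from either poster: a small POSIX shell helper that decodes an AVC denial line of the kind quoted above into source type, denied permission, target type, object class and process, and maps the named_t-writing-to-named_zone_t case to its usual remedy. The remedy assumes the Red Hat targeted policy, where slave zone files belong under /var/named/slaves (labelled named_cache_t) or the named_write_master_zones boolean is switched on.

```shell
#!/bin/sh
# Decode an SELinux AVC denial as logged by the kernel when it blocks named.
# Constructed sample: the first denial from the posted log, joined onto one line.
SAMPLE='name kernel: audit(1154526782.984:309): avc:  denied  { write } for pid=10831 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'

# avc_field LINE KEY: value of a key=value token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission listed between the braces after "denied"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *[{] *\([a-z_]*\) *[}].*/\1/p'
}

# avc_summary LINE: prints "SOURCE_TYPE PERM TARGET_TYPE CLASS COMM"
avc_summary() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s %s\n' "$src" "$(avc_perm "$1")" "$tgt" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" comm)"
}

# avc_advise SOURCE_TYPE PERM TARGET_TYPE COMM: remedy for the case we know
avc_advise() {
    case "$1 $2 $3" in
        "named_t write named_zone_t")
            # Assumed Red Hat targeted-policy layout: named_t may write
            # named_cache_t (/var/named/slaves) but not named_zone_t.
            echo "named_t cannot write a named_zone_t directory: keep slave" \
                 "zone files under /var/named/slaves (then restorecon -Rv" \
                 "/var/named), or setsebool -P named_write_master_zones 1" ;;
        *)
            echo "no canned advice; list the denials with: ausearch -m avc -c $4" ;;
    esac
}

# Stand-alone run: decode the sample and print the matching advice.
summary=$(avc_summary "$SAMPLE")
echo "$summary"
set -- $summary
avc_advise "$1" "$2" "$3" "$5"
```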