Zone Transfer from MS DNS to Bind

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 11 02:24:13 UTC 2006


Something _other_ than the regular Unix/Linux file/directory permissions
is preventing named from writing to that directory. E.g. MAC as
described in http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385

                                 - Kevin

Shaheen wrote:
> Hi,
> I am having a problem configuring Bind as secondary server for an MS
> Windows 2k based primary DNS.
>
> what I get in the log file is
>
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: end of transfer
> name named[10827]: loading configuration from '/etc/named.conf'
> name kernel: audit(1154526782.984:309): avc:  denied  { write } for pid=10831 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> name named[10827]: logging channel 'default_debug' file '/var/named/named.run': permission denied
> name named[10827]: zone abc.com/IN/internal: Transfer started.
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: connected using 192.168.1.14#58206
> name named[10827]: dumping master file: tmp-xRln0Jv84M: open: permission denied
> name kernel: audit(1154526783.624:310): avc:  denied  { write } for pid=10829 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: failed while receiving responses: permission denied
> name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: end of transfer
>
>
> and the permissions for /var/named are
> drwxr-x---  6 root    named   4096 Jul 23 19:14 named
>
> when I changed the permissions to
> drwxr-x---  6 named    named   4096 Jul 23 19:14 named
>
> I got the same error.
>
> my named.conf is
>
> options {
>         directory "/var/named/";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         datasize default;
>         recursive-clients 30000;
>         max-cache-size 800000000;
>         pid-file "/var/run/named/named.pid";
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below.  Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>          // query-source address * port 53;
> };
>
> logging {
>         category lame-servers {
>                 null;
>         };
>
>         channel "default_debug" {
>                 file "/var/named/named.run";    // write to named.run in
>                                                 // the working directory
>                                                 // Note: stderr is used instead
>                                                 // of "named.run"
>                                                 // if the server is started
>                                                 // with the '-f' option.
>                 severity critical;              // log at the server's
>                                                 // current debug level
>         };
> };
>
> controls {
>         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "abc.com" { type slave; file "db.zone"; masters { x.x.x.x; }; };
> include "/etc/rndc.key";
>
>
> please advise
>
> Thank you
>

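Kevin's diagnosis can be checked mechanically rather than by eye: each kernel `avc:  denied` record names the SELinux source type (here `named_t`), the target type (`named_zone_t`), the object class (`dir`) and the denied permission (`write`), and those records sit right next to named's own "permission denied" messages. The Python below is an added example for this archive page, not code from the thread, from BIND or from the SELinux project; it parses AVC lines of the shape Shaheen posted and reports whether a daemon's "permission denied" is a MAC (SELinux) denial, which chown/chmod cannot fix, or an ordinary DAC one. The sample log text is constructed from the quoted lines above.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread:
# one kernel AVC denial followed by named's own "permission denied" messages.
SAMPLE_LOG = """\
name named[10827]: loading configuration from '/etc/named.conf'
name kernel: audit(1154526782.984:309): avc:  denied  { write } for pid=10831 comm="named" name="named" dev=dm-0 ino=5303719 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
name named[10827]: logging channel 'default_debug' file '/var/named/named.run': permission denied
name named[10827]: dumping master file: tmp-xRln0Jv84M: open: permission denied
name named[10827]: transfer of 'abc.com/IN' from x.x.x.x#53: failed while receiving responses: permission denied
"""

# "avc:  denied  { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing an AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"perms": m.group("perms").split(), **fields}
    # A context is user:role:type[:level]; policy rules key on the type field.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(log_text, comm="named"):
    """Correlate AVC denials for `comm` with that daemon's own 'permission denied' lines.

    Returns a dict with a verdict: 'mac' (SELinux denied the access, DAC changes
    will not help), 'dac' (EACCES with no AVC record, so look at owner/mode) or 'ok'.
    """
    avcs, eacces = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            if rec.get("comm") == comm:
                avcs.append(rec)
        elif f" {comm}[" in line and "permission denied" in line:
            eacces.append(line)

    if avcs:
        a = avcs[0]
        perms = " ".join(a["perms"])
        return {
            "verdict": "mac",
            "detail": (f"SELinux denied {{ {perms} }} by {a['scontext_type']} on a "
                       f"{a['tcontext_type']} {a['tclass']}; regular file permissions "
                       f"are not the problem"),
            "eacces_lines": len(eacces),
        }
    if eacces:
        return {
            "verdict": "dac",
            "detail": f"{comm} reported EACCES without an AVC record; check owner and mode",
            "eacces_lines": len(eacces),
        }
    return {"verdict": "ok", "detail": "no permission failures found", "eacces_lines": 0}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["verdict"], "-", result["detail"])
```

Run against the constructed sample the verdict is `mac`, with three named "permission denied" lines correlated to the single AVC record. The same check applies to any confined daemon: if `comm` in the AVC line matches the process complaining about EACCES, adjusting ownership, as Shaheen tried, is not the fix; the labelling or the policy is, along the lines of the SELinux FAQ Kevin links. (From the Fedora/RHEL targeted policy, not from this thread: the named_t domain is by default allowed to read but not write directories labelled named_zone_t; slave zone files are expected under a writable, differently labelled directory such as /var/named/slaves, or the `named_write_master_zones` boolean has to be enabled. Verify against the FAQ for the release in use.)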