Secondary - SERVFAIL

Mueller, Rex rmueller at esu3.org
Wed Dec 20 14:07:34 UTC 2006


Mark, 

Thanks for the reply, we got past this and have the server up now. 

-----Original Message-----
From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org] 
Sent: Tuesday, December 19, 2006 4:53 PM
To: Mueller, Rex
Cc: bind-users at isc.org
Subject: Re: Secondary - SERVFAIL 


> We are rebuilding a secondary BIND server on a temporary box. In order
> to migrate from Bind 9.2.1 to 9.3.2 Our current box is running RH9 with
> BIND 9.2.1
>
> I've loaded Fedora FC6 with BIND 9.3.2 on a temporary box,
>
> I am able to get BIND 9.3.2 to start and RNDC sees the zone files,
>
> I have it setup in the /var/named/chroot with a symbolic link from the
> /var/named/chroot/etc/named.conf to /etc/named.conf
>
> I do an RNDC STATUS and see it is reading the zone files,
>
> number of zones: 239
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 2
> query logging is OFF
> recursive clients: 0/1000
> tcp clients: 0/100
> server is up and running
>
> when I query the zone via NSLOOKUP or DIG I get a SERVFAIL
>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10654
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> My primary server named.conf has the allow-transfer { secondary;
> secondary-temp; }: directives..
>
> My temp named.conf has the following info in the header:
>
> options {
>         directory "/etc";
>         allow-transfer { primary-address; };
>         allow-query { any; };
>         // query-source address * port 53;
> };
>
> controls {
>
> Here is what is being seen in the /var/log/messages
>
> Dec 19 13:39:50 esutemp kernel: audit(1166553590.778:6905): avc: denied
> { write } for  pid878 comm="named" name="secondary" dev=dm-0
> inoe47817 scontext=root:system_r:named_t:s0
> tcontext=root:object_r:named_conf_t:s0 tclass=dir
>
> Dec 19 13:39:50 esutemp named[19877]: zone waterloo/IN: loading master
> file secondary/waterloo: permission denied

	See the FAQ.

Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -

   Why can't named update slave zone database files?

   Why can't named create DDNS journal files or update the master
   zones from journals?

   Why can't named create custom log files? 
 
	http://www.isc.org/sw/bind/FAQ.php

> Dec 19 13:59:10 esutemp named[20107]: zone ben.esu3.k12.ne.us/IN:
> ben_node85.ben.esu3.k12.ne.us/A: bad owner name (check-names)

	ben_node85.ben.esu3.k12.ne.us is NOT a legal hostname.
	ben_node85.ben.esu3.k12.ne.us has NEVER been a legal hostname.

	Only letters, digits and hyphens (LDH) are valid characters
	in hostnames.  The above name has an underscore in it.  See
	RFC 952 and RFC 1123.

	If you really want to keep using illegal names then use
	check-names in named.conf to disable the check or turn it
	into a warning.
 
> ..
>
> ..
>
> Dec 19 13:59:14 esutemp named[20107]: zone 236.202.205.in-addr.arpa/IN:
> zone transfer deferred due to quota
>
> On ad nauseam.
>
> I know the RTFM stuff.. I've been reading it ... Google-ing the
> "permission denied" and "deferred due to quota" yields results of
> unanswered questions..
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
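
The LDH rule cited in the reply above (RFC 952 and RFC 1123), as an added example that is not part of the original thread and is not BIND's check-names code: it pulls the rejected owner names out of "bad owner name (check-names)" log lines and reports which label breaks the rule and why. The function names, the 63/253 length limits applied here, and every sample line except the first are assumptions made for the illustration.

```python
import re

# One hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# The named message format quoted in the thread.
BAD_OWNER = re.compile(
    r"zone \S+/IN:\s+(?P<name>\S+)/[A-Z0-9]+: bad owner name \(check-names\)")

def hostname_problems(name):
    """Return (label, reason) pairs for every label that breaks the LDH rule."""
    name = name[:-1] if name.endswith(".") else name  # drop one root dot
    problems = []
    if len(name) > 253:
        problems.append((name, "name longer than 253 characters"))
    for label in name.split("."):
        if LDH_LABEL.fullmatch(label):
            continue
        if not label:
            reason = "empty label"
        elif len(label) > 63:
            reason = "label longer than 63 characters"
        elif label[0] == "-" or label[-1] == "-":
            reason = "label starts or ends with a hyphen"
        else:
            bad = sorted(set(re.findall(r"[^A-Za-z0-9-]", label)))
            reason = "illegal character(s): " + " ".join(bad)
        problems.append((label, reason))
    return problems

def audit_log(lines):
    """Map each owner name that named rejected to its LDH violations."""
    report = {}
    for line in lines:
        m = BAD_OWNER.search(line)
        if m:
            report[m.group("name")] = hostname_problems(m.group("name"))
    return report

# First line is the message from the thread (rejoined); the others are constructed.
SAMPLE_LOG = [
    "Dec 19 13:59:10 esutemp named[20107]: zone ben.esu3.k12.ne.us/IN: ben_node85.ben.esu3.k12.ne.us/A: bad owner name (check-names)",
    "Dec 19 13:59:10 esutemp named[20107]: zone example.test/IN: -lab1.example.test/A: bad owner name (check-names)",
    "Dec 19 13:59:14 esutemp named[20107]: zone 236.202.205.in-addr.arpa/IN: zone transfer deferred due to quota",
]

if __name__ == "__main__":
    for name, problems in audit_log(SAMPLE_LOG).items():
        for label, reason in problems:
            print(f"{name}: label {label!r}: {reason}")
```

Running the same check over zone data before loading it on the new server shows which records need renaming and which would need the check-names relaxation mentioned in the reply.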


