trouble with a pair of bind9 servers

Mark Andrews Mark_Andrews at isc.org
Fri Sep 8 14:08:19 UTC 2006


> I have 2 servers I'm working with for a test I'm doing with bind9: a FreeBSD 
> 6.1-p4, and a FreeBSD 5.5-p3.  Both have bind9-9.3.2.1 from ports, 
> without "replace base version" checked.  Both are responding correctly for 
> general lookups of hosts out on the internet, even based on the querying 
> client's IP vs the acl on the zones.
> 
> The trouble I'm having is that my slave (5.5-p3) will not transfer the zone 
> from the master (6.1-p4).  My /var/log/messages is filled with these:
> 
> Sep  7 21:50:24 fbsd55-2 named[1847]: exiting
> Sep  7 21:50:26 fbsd55-2 named[1924]: starting BIND 9.3.2 -t /var/named -u bind

	Well you are not running 9.3.2-P1.  Set named program in
	rc.conf.

	named_program="/usr/local/sbin/named"

> Sep  7 21:50:26 fbsd55-2 named[1924]: /etc/namedb/named.conf:40: option 'allow-update' is not allowed in 'slave' zone 'dlptest.com'
> Sep  7 21:50:26 fbsd55-2 named[1924]: command channel listening on 127.0.0.1#953
> Sep  7 21:50:26 fbsd55-2 named[1924]: command channel listening on ::1#953
> Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has 0 SOA records
> Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has no NS records
> Sep  7 21:50:26 fbsd55-2 named[1924]: running
> Sep  7 21:50:27 fbsd55-2 named[1924]: dumping master file: /etc/namedb/tmp-UZF5mCCxZP: open: permission denied
> Sep  7 21:50:27 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from 192.168.125.91#53: failed while receiving responses: permission denied
> Sep  7 21:51:20 fbsd55-2 named[1924]: dumping master file: /etc/namedb/tmp-SaWWYxV06u: open: permission denied
> Sep  7 21:51:20 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from 192.168.125.91#53: failed while receiving responses: permission denied
> 
> This was giving me the impression that the bind user was not able to write 
> to /var/named/etc/namedb, but every time I make a chmod or chown adjustment, 
> it just gets changed back:

	Adjust your config to match the policy in
	/etc/mtree/BIND.chroot.dist.  That's easier than fiddling
	with mergemaster after every upgrade.

	e.g.
	Change

		file "/etc/namedb/dlptest.com.i-slave.hosts";
	to

		file "/etc/namedb/slave/dlptest.com.i-slave.hosts";
	
> fbsd55-2# /etc/rc.d/named restart
> Stopping named.
> etc/namedb changed
>         user expected 0 found 53 modified
> Starting named.
> fbsd55-2#
> 
> here are my 2 config files (first the master, then the slave)
> 
> acl "dlpnets" {
>         192.168.125.64/26;
>         127.0.0.1;
> };
> options {
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>         listen-on       { 192.168.125.91; 127.0.0.1; };
> };
> view "internal" {
>         match-clients { dlpnets; };
>         recursion yes;
>         zone "." {
>                 type hint;
>                 file "named.root";
>         };
>         zone "0.0.127.IN-ADDR.ARPA" {
>                 type master;
>                 file "master/localhost.rev";
>         };
>         zone "dlptest.com" {
>                 type master;
>                 file "/etc/namedb/dlptest.com.i.hosts";
>                 allow-transfer { any; };
>                 also-notify { 192.168.125.91; };
>                 notify yes;
>                 };
> };
> view "external" {
>         match-clients { any; };
>         recursion no;
>         zone "dlptest.com" {
>                 type master;
>                 file "/etc/namedb/dlptest.com.e.hosts";
>                 };
> };
> 
> 
> 
> (begin the slave named.conf)
> acl "dlpnets" {
>         192.168.125.0/26;
>         192.168.125.91;
>         127.0.0.1;
> };
> 
> options {
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>         listen-on       { 127.0.0.1; 192.168.125.93; };
> };
> view "internal" {
>         match-clients { dlpnets; };
>         recursion yes;
>         zone "." {
>                 type hint;
>                 file "named.root";
>         };
>         zone "0.0.127.IN-ADDR.ARPA" {
>                 type master;
>                 file "master/localhost.rev";
>         };
>         zone "dlptest.com" {
>                 type slave;
>                 masters { 192.168.125.91; };
>                 file "/etc/namedb/dlptest.com.i-slave.hosts";
>                 transfer-source 192.168.125.93;
>                 allow-transfer { any; };
>                 allow-update { 192.168.125.91; };
>                 };
> };
> 
> I've been dinking around with this for a few hours now, and I'm about to pull 
> what little hair I have left out.  Can someone shed light on this for me 
> please?  Any help at all would be much appreciated!
> 
> cheers,
> jonathan
> 
> 
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
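An added example (not part of this thread, and not ISC's or FreeBSD's code): a small Python lint that applies the check Mark describes, that a slave zone's file must live under the slave/ subdirectory which the /etc/mtree/BIND.chroot.dist policy leaves writable to the named user, and that also flags the allow-update option the log shows named rejecting in a slave zone. The directory and writable subdirectory names are parameters; the sample config is the poster's slave named.conf trimmed to its zone statements.

```python
import re

# Constructed sample: the poster's slave named.conf, trimmed to its zone statements.
SLAVE_NAMED_CONF = """
options { directory "/etc/namedb"; };
view "internal" {
    zone "." { type hint; file "named.root"; };
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "master/localhost.rev"; };
    zone "dlptest.com" {
        type slave;
        masters { 192.168.125.91; };
        file "/etc/namedb/dlptest.com.i-slave.hosts";
        allow-update { 192.168.125.91; };
    };
};
"""

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', re.I)

def zone_blocks(conf):
    """Yield (zone name, body) for every zone statement, pairing braces by depth
    so nested blocks such as masters { ... } stay inside the zone body."""
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def lint_slave_zones(conf, directory="/etc/namedb", writable="slave"):
    """Return (zone, problem) pairs for slave zones whose file is outside the
    subdirectory the chroot policy leaves writable to the named user, and for
    slave zones that carry allow-update, which named rejects at startup."""
    findings = []
    for name, body in zone_blocks(conf):
        if not re.search(r"\btype\s+slave\s*;", body):
            continue
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        if f is None:
            findings.append((name, "slave zone has no file statement"))
        else:
            path = f.group(1)
            # Absolute paths are relative to the chroot; strip the options directory.
            rel = path[len(directory) + 1:] if path.startswith(directory + "/") else path
            if not rel.startswith(writable + "/"):
                findings.append((name, "slave file not under %s/: %s" % (writable, path)))
        if re.search(r"\ballow-update\b", body):
            findings.append((name, "allow-update is not allowed in a slave zone"))
    return findings
```

Running it on the sample reports both problems from the log; moving the file to /etc/namedb/slave/ and dropping allow-update leaves it clean.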