trouble with a pair of bind9 servers
Mark Andrews
Mark_Andrews at isc.org
Fri Sep 8 14:08:19 UTC 2006
> i have 2 servers im working with for a test im doing with bind9. a FreeBSD
> 6.1-p4, and a FreeBSD 5.5-p3. both have bind9-9.3.2.1 from ports,
> without "replace base version" checked. both are responding correctly for
> general lookups of hosts out on the internet, even based on the querying
> clients ip vs the acl on the zones.
>
> the trouble im having is, that my slave (5.5-p3) will not transfer the zone
> from the master (6.1-p4). my /var/log/messages is filled with these:
>
> Sep 7 21:50:24 fbsd55-2 named[1847]: exiting
> Sep 7 21:50:26 fbsd55-2 named[1924]: starting BIND 9.3.2 -t /var/named -u bind
Well you are not running 9.3.2-P1. Set named program in
rc.conf.
named_program="/usr/local/sbin/named"
> Sep 7 21:50:26 fbsd55-2 named[1924]: /etc/namedb/named.conf:40: option 'allow-update' is not allowed in 'slave' zone 'dlptest.com'
> Sep 7 21:50:26 fbsd55-2 named[1924]: command channel listening on 127.0.0.1#953
> Sep 7 21:50:26 fbsd55-2 named[1924]: command channel listening on ::1#953
> Sep 7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has 0 SOA records
> Sep 7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has no NS records
> Sep 7 21:50:26 fbsd55-2 named[1924]: running
> Sep 7 21:50:27 fbsd55-2 named[1924]: dumping master file: /etc/namedb/tmp-UZF5mCCxZP: open: permission denied
> Sep 7 21:50:27 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from 192.168.125.91#53: failed while receiving responses: permission denied
> Sep 7 21:51:20 fbsd55-2 named[1924]: dumping master file: /etc/namedb/tmp-SaWWYxV06u: open: permission denied
> Sep 7 21:51:20 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from 192.168.125.91#53: failed while receiving responses: permission denied
>
> this was giving me the impression that the bind user was not able to write
> to /var/named/etc/namedb, but every time i make a chmod or chown adjustment,
> it just gets changed back:
Adjust your config to match the policy in
/etc/mtree/BIND.chroot.dist. That's easier than fiddling
with mergemaster after every upgrade.
e.g.
Change
file "/etc/namedb/dlptest.com.i-slave.hosts";
to
file "/etc/namedb/slave/dlptest.com.i-slave.hosts";
> fbsd55-2# /etc/rc.d/named restart
> Stopping named.
> etc/namedb changed
> user expected 0 found 53 modified
> Starting named.
> fbsd55-2#
>
> here are my 2 config files (first the master, then the slave)
>
> acl "dlpnets" {
> 192.168.125.64/26;
> 127.0.0.1;
> };
> options {
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> listen-on { 192.168.125.91; 127.0.0.1; };
> };
> view "internal" {
> match-clients { dlpnets; };
> recursion yes;
> zone "." {
> type hint;
> file "named.root";
> };
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "master/localhost.rev";
> };
> zone "dlptest.com" {
> type master;
> file "/etc/namedb/dlptest.com.i.hosts";
> allow-transfer { any; };
> also-notify { 192.168.125.91; };
> notify yes;
> };
> };
> view "external" {
> match-clients { any; };
> recursion no;
> zone "dlptest.com" {
> type master;
> file "/etc/namedb/dlptest.com.e.hosts";
> };
> };
>
>
>
> (begin the slave named.conf)
> acl "dlpnets" {
> 192.168.125.0/26;
> 192.168.125.91;
> 127.0.0.1;
> };
>
> options {
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> listen-on { 127.0.0.1; 192.168.125.93; };
> };
> view "internal" {
> match-clients { dlpnets; };
> recursion yes;
> zone "." {
> type hint;
> file "named.root";
> };
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "master/localhost.rev";
> };
> zone "dlptest.com" {
> type slave;
> masters { 192.168.125.91; };
> file "/etc/namedb/dlptest.com.i-slave.hosts";
> transfer-source 192.168.125.93;
> allow-transfer { any; };
> allow-update { 192.168.125.91; };
> };
> };
>
> ive been dinking around with this for a few hours now, and im about to pull
> what little hair i have left out. can someone shed light on this for me
> please? any help at all would be much appreciated!
>
> cheers,
> jonathan
>
>
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
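A quick check for the two slave-zone problems Mark points at (a slave zone file placed outside the slave/ directory that the FreeBSD chroot mtree policy leaves writable to bind, and allow-update on a slave zone), as an added example that is not part of this thread; the sample named.conf is constructed from the quoted slave config plus a corrected stanza, and the slave/ rule is an assumption taken from the BIND.chroot.dist layout described above.

```shell
# Added example, not from the thread: flag slave zones whose "file" lies outside
# the slave/ subdirectory (the only zone-file directory FreeBSD's BIND.chroot.dist
# leaves writable to the bind user) and any allow-update inside a slave zone.
# Reads a named.conf on stdin; exit status 1 when a problem is found.
check_slave_zones() {
    awk '
        # A zone stanza begins: record its name and the brace depth it opens at.
        /^[ \t]*zone[ \t]+"[^"]+"/ {
            match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
            zdepth = depth; ztype = ""; zfile = ""; zupd = 0
        }
        zone != "" && /^[ \t]*type[ \t]+slave[ \t]*;/ { ztype = "slave" }
        zone != "" && /^[ \t]*file[ \t]+"[^"]+"/ {
            match($0, /"[^"]+"/); zfile = substr($0, RSTART + 1, RLENGTH - 2)
        }
        zone != "" && /^[ \t]*allow-update[ \t]*\{/ { zupd = 1 }
        {
            # Track brace nesting so we notice when the current zone stanza closes.
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (zone != "" && depth <= zdepth) {
                if (ztype == "slave" && zfile !~ /^(\/etc\/namedb\/)?slave\//) {
                    printf "zone %s: slave file \"%s\" is outside slave/\n", zone, zfile
                    bad = 1
                }
                if (ztype == "slave" && zupd) {
                    printf "zone %s: allow-update is not allowed in a slave zone\n", zone
                    bad = 1
                }
                zone = ""
            }
        }
        END { exit bad }
    '
}
# Constructed sample: the slave stanza from the thread beside a corrected one.
SAMPLE_CONF='view "internal" {
    zone "dlptest.com" {
        type slave;
        masters { 192.168.125.91; };
        file "/etc/namedb/dlptest.com.i-slave.hosts";
        allow-update { 192.168.125.91; };
    };
    zone "fixed.example" {
        type slave;
        masters { 192.168.125.91; };
        file "slave/fixed.example.hosts";
    };
};'
printf '%s\n' "$SAMPLE_CONF" | check_slave_zones || echo "fix the stanzas above"
```

On a real host run it as `check_slave_zones < /etc/namedb/named.conf` before restarting named.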