re-bind named to all interfaces

Mihai Moldovan ionic at ionic.de
Thu Apr 12 15:44:34 UTC 2012


* On 12.04.2012 04:44 PM, Todd Snyder wrote:
> You can set interface-interval to a low number to make BIND scan for new interfaces frequently:

Interesting option! Weird thing is, the documentation as per
/usr/share/doc/bind-9.9.0/html/Bv9ARM.ch06.html says:

The server will scan the network interface list every interface-interval
minutes. The default is 60 minutes. The maximum value is 28 days (40320
minutes). If set to 0, interface scanning will only occur when the configuration
file is loaded. After the scan, the server will begin listening for queries on
any newly discovered interfaces (provided they are allowed by the listen-on
configuration), and will stop listening on interfaces that have gone away.

So the default value is 60 minutes. In theory, I should see named binding to
ppp0 about 60 minutes after the ppp0 interface comes up again. This never
happened to me.

I set the interval to zero and forced a reconfig/reload via rndc.

I feel so stupid for not grepping the log file for ppp0 before. Anyway, here's
the culprit:

12-Apr-2012 17:03:38.661 general: info: received control channel command 'reconfig'
12-Apr-2012 17:03:38.661 general: info: loading configuration from '/etc/bind/named.conf'
12-Apr-2012 17:03:38.662 general: info: reading built-in trusted keys from file '/etc/bind/bind.keys'
12-Apr-2012 17:03:38.662 general: info: using default UDP/IPv4 port range: [1024, 65535]
12-Apr-2012 17:03:38.662 general: info: using default UDP/IPv6 port range: [1024, 65535]
12-Apr-2012 17:03:38.664 network: info: listening on IPv4 interface ppp0, 85.183.67.131#53
12-Apr-2012 17:03:38.664 network: error: could not listen on UDP socket: permission denied
12-Apr-2012 17:03:38.664 network: error: creating IPv4 interface ppp0 failed; interface ignored
12-Apr-2012 17:03:38.679 general: info: sizing zone task pool based on 6 zones
12-Apr-2012 17:03:38.680 database: debug 1: decrement_reference: delete from rbt: 0x7f667e609e28 .
12-Apr-2012 17:03:38.680 general: debug 1: managed-keys-zone: synchronizing trusted keys
12-Apr-2012 17:03:38.681 general: debug 1: now using logging configuration from config file
12-Apr-2012 17:03:38.682 network: info: additionally listening on IPv4 interface ppp0, 85.183.67.131#53
12-Apr-2012 17:03:38.682 network: error: could not listen on UDP socket: permission denied
12-Apr-2012 17:03:38.682 network: error: creating IPv4 interface ppp0 failed; interface ignored
12-Apr-2012 17:03:38.682 general: debug 1: load_configuration: success
12-Apr-2012 17:03:38.682 general: info: reloading configuration succeeded

Hmm, permission denied while binding to ppp0? Maybe that's because my named is
running as the non-privileged system user "named" and binding to the privileged
port 53? Makes sense... but... hm. I guess in this case there's no other way but
running named as root?

I've tried using setcap to give /usr/sbin/named privileged port binding
capabilities:

root at valery~# getcap /usr/sbin/named
/usr/sbin/named = cap_net_bind_service+ep

Restarted bind9, killed -1 pppd and watched the permission denied error fly
by again.
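
The getcap output above shows the file capabilities of the named binary, i.e.
what the process is granted when it is executed. Whether the running process
still holds CAP_NET_BIND_SERVICE in its effective set by the time it tries to
bind port 53 on a newly appeared ppp0 is a separate question, and the kernel
answers it in /proc/<pid>/status (CapEff is a hex bit mask; CAP_NET_BIND_SERVICE
is capability number 10). The script below is an added example, not code from
the original post or from BIND; it reads a status file, decodes the CapEff mask
and reports whether a bind to a privileged port would be permitted. The sample
status files it builds are constructed for the demonstration and the function
names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): decide from a
# /proc/<pid>/status file whether a process can still bind privileged ports.
# Function names and the sample status contents are constructed for this example.

CAP_NET_BIND_SERVICE=10   # capability bit number (from <linux/capability.h>)

# has_cap MASK BIT: MASK is a 64-bit hex capability mask as printed in
# /proc/<pid>/status (e.g. 0000003fffffffff), BIT a capability number.
# Succeeds (exit 0) when that bit is set in MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE: print the CapEff hex mask from a status file.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# check_named_caps FILE: report whether the process described by FILE holds
# CAP_NET_BIND_SERVICE in its effective set. Exit 0 if it does, 1 if not.
check_named_caps() {
    eff=$(cap_eff_from_status "$1")
    if has_cap "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo "CapEff=$eff: CAP_NET_BIND_SERVICE present, bind to :53 allowed"
        return 0
    fi
    echo "CapEff=$eff: CAP_NET_BIND_SERVICE missing, bind to :53 fails with EACCES"
    return 1
}

# Demonstration on two constructed status files: one where the process kept
# only CAP_NET_BIND_SERVICE after switching to an unprivileged uid (bit 10 set,
# mask 0x400), one where every capability was dropped on the uid change.
demo_dir=$(mktemp -d)
printf 'Name:\tnamed\nUid:\t103\t103\t103\t103\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n' \
    > "$demo_dir/kept"
printf 'Name:\tnamed\nUid:\t103\t103\t103\t103\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n' \
    > "$demo_dir/dropped"

for f in "$demo_dir/kept" "$demo_dir/dropped"; do
    if check_named_caps "$f"; then :; fi
done
rm -rf "$demo_dir"

# Against a live daemon (not run here):
#   check_named_caps "/proc/$(pgrep -o named)/status"
```

If the live check reports the capability missing while getcap still shows
cap_net_bind_service+ep on the binary, the capability was present at exec time
but is no longer in the process's effective set, which is exactly the state in
which a later bind() to port 53 as the unprivileged user returns EACCES
("permission denied" in the log above). Comparing CapPrm and CapEff in the same
file tells you whether the bit survived in the permitted set at all.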
