ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
/dev/rob0
rob0 at gmx.co.uk
Tue Aug 4 12:14:38 UTC 2015
On Mon, Aug 03, 2015 at 10:36:25PM -0500,
Lawrence K. Chen, P.Eng. wrote:
> This unfortunately looks like the thread for me to jump on to....
>
> I missed installing the last two 9.9...-p# patches, first time I
> built everything and was pretty much ready to do it, and then
> forgot all about it due to health issues. More recent one...I had
I hope you're well now.
> got it built for Solaris x64 and was about to work on building it
> for Solaris SPARC when the most recent one appeared. This one
> carried a much strong get things patched (to me at first, then
> higher ups started jumping around...)
It's good that you have deployed the fix for CVE-2015-5477. Those
who are ignorant or foolish would say this shows the problems with
free software. But that's opposed to the truth: these security
reports are the strength of free software. Anyone can hack at it
looking for bugs. And then those bugs get fixed.
Who knows what bugs lurk inside black-box proprietary solutions?
Worse, who knows if they'd be fixed? Security is in openness,
standing up to the light of scrutiny.
> But, it turned out to be a huge mess to upgrade.
>
> The first time I ran into this error, were some really old mistakes
> where the admin had copy and pasted a bunch of similar zones...and
> missed adjusting some of the files. Since on the master side they
> all come from the same file....it probably didn't cause any
> noticeable problems for the slaves or clients.
>
> However, install upgrade on our master server...knocked it out, so
> I'm here looking to see what the proper fix for my situation is.
This seems to be a bug fix (not allowing named to share writeable
files) which has brought a lot of broken configurations out. Oops.
Basically, no two slave zones (even nominally the same zone, in a
different view) should EVER share the same file. Master zones can
get away with file sharing, but ONLY if named does not write to the
file (no allow-update, update-policy, nor auto-dnssec.)
> Looking for a valid easy fix here ;) Partly because coming soon
> they're going to demolish the DNS infrastructure that I got saddled
> with and feel like I done a pretty good job at re-engineering it to
> meet all the demands of it. But, I'm the last legacy unix systems
> administrator here....
Sad. There's nothing "legacy" about Unix, though. Sounds like the
salesmen are winning out over the technicians, in terms of getting
management to set policy.
> Anyways...the problem is because we had turned out existing master
> server into doing split/stealth (started out stealth...) DNS, while
> having it continue to serve as slave to delegated subdomains. So
> that those subdomains are propagated to our external facing slave
> servers.
>
> So that's where the problem comes in....the internal authoritative+
> nameservers having the master collect secondary zone data from
> them...on the Internal view. But, then having to send that
> information to nameservers that hit the external view of the
> master.
The way to select a different view on the master is to use TSIG keys.
https://kb.isc.org/article/AA-00295/
> So, until a few hours ago....it was include a file containing all
> the delegated (sub)domains into both views....causing both sides to
> be working off of the same file.
It would require some reworking of things, but you might be
interested in the new BIND 9.10 feature of "in-view" zone option.
This lets you literally include a zone from another view. See BIND 9
ARM chapter 6, "zone Statement Definition and Usage", for details.
> WHich seemed to work fine. As only one side is getting updates,
> the other side is just to feed our outside facing slaves. Well,
> this update wouldn't go for that.
>
> So, cloning the file and doing a global search and destroy....the
> external view is looking zone files in a directory that is emtpy,
> while the internal side continus as is.
>
> To have something for the external nameservers to transfer
> (hopefully), I'm doing a regular sync of the file 'sec' to 'ext'.
>
> Not totally sure that's working....but nothing filing up logs
> about it.
>
> So, is what I did something that'll hold...or is there an easy
> proper solution to this?
Slave zones should be transferred using DNS. In a stealth master
case, you need to populate also-notify lists, but perhaps in your
case you can share some of that configuration with global or view
level settings. (Better than having to set everything per zone.)
> To hold us/me over until they decide if its going to be
> BlueCat or Infoblox that replaces everything.
IIUC both of those are BIND under the hood. :)
> Sadly, I missed both presentations due to other issues....more sad
> because I found my "named.iner" shirt, which I was going to wear to
> the second presentation ;)
Haha, I have one of those also. Really cool. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
More information about the bind-users
mailing list