Error starting named, permissions denied on named.ca

Mark Andrews marka at isc.org
Thu Dec 9 22:48:22 UTC 2021


Almost certainly SELinux or AppArmor on the new platform getting in the way.

> On 10 Dec 2021, at 06:08, Bruce Johnson via bind-users <bind-users at lists.isc.org> wrote:
> 
> I'm setting up a new secondary for our domain with the intent to shut down an existing one (which is running on a very old OS and bind version)
> 
> Running Rocky Linux (replacement for CentOS 8.5) using the isc bind-esv package here https://copr.fedorainfracloud.org/coprs/isc/bind-esv/ instead of the built in (and old) version in the standard repo.
> 
> I’ve copied over the named.conf file from the working secondary and made appropriate changes; it passes named-checkconf
> 
> Starting the service though I get the following error:
> 
> ● isc-bind-named.service
>   Loaded: loaded (/usr/lib/systemd/system/isc-bind-named.service; enabled; vendor preset: disabled)
>   Active: failed (Result: exit-code) since Thu 2021-12-09 13:16:09 EST; 24min ago
>  Process: 3732 ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)
> 
> Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface lo, 127.0.0.1#53
> Dec 09 13:16:09 example.com named[3733]: listening on IPv4 interface ens192,123.456.789.123#53
> Dec 09 13:16:09 example.com named[3733]: generating session key for dynamic DNS
> Dec 09 13:16:09 example.com named[3733]: sizing zone task pool based on 35 zones
> Dec 09 13:16:09 example.com named[3733]: could not configure root hints from 'named.ca': permission denied
> Dec 09 13:16:09 example.com named[3733]: loading configuration: permission denied
> Dec 09 13:16:09 example.com named[3733]: exiting (due to fatal error)
> Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Control process exited, code=exited status=1
> Dec 09 13:16:09 example.com systemd[1]: isc-bind-named.service: Failed with result 'exit-code'.
> Dec 09 13:16:09 example.com systemd[1]: Failed to start isc-bind-named.service.
> 
> Permissions for named.ca are the same as on our other working servers:
> 
> -rw-rw-r--. 1 root named 3289 Dec  9 13:13 /var/named/named.ca
> 
> This is the entry for that file in named.conf:
> 
> zone "." IN {
> 	type hint;
> 	file "named.ca";
> };
> 
> Does it need the full path? On the working secondary it’s entered the same way in named.conf, but that’s running an ancient version, BIND 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1
> 
> (and why I’m building a new one!)
> 
> 
> -- 
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
> 
> Institutions do not have opinions, merely customs
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
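
An added example, not part of the original thread or of ISC's packaging: one way to test the SELinux explanation given in the reply is to pull the AVC denials recorded against `named` out of the audit log and compare the source and target types. The log lines, the `user_home_t` label, and the function names below are constructed for illustration.

```shell
#!/bin/sh
# Summarise SELinux AVC denials logged against named.
# Reads audit.log-format lines on stdin and prints one line per denial:
#   <permissions> <target name or path> <source type> <target type>

named_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="named"/ {
        perm = ""; target = "?"; stype = "?"; ttype = "?"
        # The permission set sits between braces, e.g. "read" or "read open"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
        for (i = 1; i <= NF; i++) {
            # The object is reported as name= or path= depending on the hook
            if ($i ~ /^(name|path)=/) {
                target = $i; sub(/^[a-z]+=/, "", target); gsub(/"/, "", target)
            }
            # Contexts are user:role:type:level; the type drives the decision
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        print perm, target, stype, ttype
    }'
}

# Constructed sample input: one relevant denial, one SYSCALL record,
# and one denial for an unrelated daemon that must be filtered out.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1639073769.101:410): avc:  denied  { read } for  pid=3733 comm="named" name="named.ca" dev="dm-0" ino=201 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1639073769.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named"
type=AVC msg=audit(1639073770.200:411): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
EOF
}

sample_audit_lines | named_avc_denials
```

On a host running auditd, `ausearch -m AVC -c named --raw` emits records in this format, and `ls -Z` on the file shows the target context to compare against. A denial here with mode bits that already allow the read means the mandatory access control layer, not the file permissions, is what refused the access.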


