Re: Bind Zone Transfer Problem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles Curley wrote:
That's one solution I found for someone having the same problem and
it makes sense, as right now your secondary is trying to write the
localdomain file to /var/named, which it won't have permission to
write to by default.

Well, it *should*. The files there are root:named. But that explains
it, doh. The files have permissions of -rw-r-----, so all I needed
to do was change that.

The files have those permissions, but the directory itself isn't
writable by named.

Is this a bug in bind, or rather in the bind RPM package? I'm
running this in the chroot jail provided by the bind-chroot package.

Neither, AFAICT. It's by design. Slaves are meant to go in the
slaves subdir, with is writable by named. This is for security. It
limits the amount of damage someone can do with a bind exploit by
limiting the permissions the named user/group has. (Not that bind has
ever had remote exploits. ;)

This leaves one minor mystery:

Jul 3 22:07:09 dragon named[15783]: running
Jul 3 22:07:09 dragon named[15783]: zone localdomain/IN: Transfer started.
Jul 3 22:07:09 dragon named[15783]: transfer of 'localdomain/IN' from 192.168.1.3#53: connected using 192.168.1.4#57114
Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: transferred serial 2006070301
Jul 3 22:07:10 dragon named[15783]: transfer of 'localdomain/IN' from 192.168.1.3#53: end of transfer
Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: sending notifies (serial 2006070301)
Jul 3 22:07:10 dragon named[15783]: client 192.168.1.4#32921: received notify for zone 'localdomain'
Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: refused notify from non-master: 192.168.1.4#32921

Well, of course it's refusing a notification from itself. I'm probably
leaving out an option to tell it not to notify anyone of the
change. Well, I'll track that one down later.

I think you'll want to fiddle with the settings for notify and/or
also-notify[1]:

notify

If yes (the default), DNS NOTIFY messages are sent when a zone
the server is authoritative for changes, see the section
called "Notify". The messages are sent to the servers listed
in the zone's NS records (except the master server identified
in the SOA MNAME field), and to any servers listed in the
also-notify option.

If explicit, notifies are sent only to servers explicitly
listed using also-notify. If no, no notifies are sent.

The notify option may also be specified in the zone statement,
in which case it overrides the options notify statement. It
would only be necessary to turn off this option if it caused
slaves to crash.

It seems to me that if you set notify to no in the zone config for
localdomain on the slave, that would prevent it from trying to notify
itself. But I'm going on reading the manual, not on having done this
within a reasonable period of time in the past.

Relying on government to protect your privacy is like asking a peeping
tom to install your window blinds.
-- John Barlow, co-founder of EFF


Good one. From whom do they think I want to protect my privacy,
anyway.

Yourself? Isn't that who the government is always protecting you
from?

[1] http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#boolean_options

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
I have to decide between two equally frightening options. If I wanted
to do that, I'd vote.
-- Duckman

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkSp+LsmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1r4+gCglCHE1QtFDzq/sR1wZRrkgs3f19sAoIRgeRgC
vVxyqlmqQc7Vf+BC8xgC
=/CPI
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Relevant Pages

  • Re: Bind Zone Transfer Problem
    ... localdomain file to /var/named, which it won't have permission to ... The files have those permissions, ... slaves subdir, ... I think you'll want to fiddle with the settings for notify and/or ...
    (Fedora)
  • Re: Update just quits with no errors (continued)
    ... to download in background and notify me when they're ready. ... >> throttled and happened to be too busy to handle the download request. ... >> "Servers are busy, download will continue in the background and you ...
    (microsoft.public.windowsupdate)
  • Re: WSUS Server Approval
    ... client PCs, "auto download and schedule." ... I agree that I want to control when servers update. ... I'm not sure if "notify" switches you to the blue check. ... the server has updates ready to install. ...
    (microsoft.public.windows.server.sbs)
  • Re: DNS and load balancing
    ... On each DNS server there is a setting for it to notify the ... DNS servers that the IP has changed immediately to others servers with out ... doing a whole new zone transfer or wait on A.D. replications? ...
    (microsoft.public.windows.server.dns)
  • Re: Is there no one who can answer this?
    ... > I have two DNS servers running on Win2000 on DC's. ... Seocondary server will use the refresh, retry and expire in the SOA to ... option set will notify all DNS servers on the Name server tab. ...
    (microsoft.public.win2000.dns)