From: Matthew Seaman
To: "Axel S. Gruner"
Cc: freebsd-questions@freebsd.org, freebsd-current@freebsd.org
Date: Sat, 29 Nov 2003 15:39:50 +0000
Subject: Re: named (bind) in jail does not start

On Sat, Nov 29, 2003 at 03:23:48PM +0100, Axel S. Gruner wrote:
>
> Hi.
>
> I have configured named in jail (FreeBSD 5.1-RELEASE-p10).
> If I want to start named in the jail
>
> /usr/sbin/named
>
> I get this error message:
>
> opensocket_f: bind([0.0.0.0].53): Address already in use
>
> Ok, Port 53 is not in use in the jail nor the host system.
> I think the problem is 0.0.0.0, and I have to bind named on the IP of
> the jail.
>
> I tested same named configuration on the host system, I thought about
> some misconfiguration, but on the host system named starts perfectly.
>
> I also tried to start named with -g and -u in the jail, same error.
>
> So, my short question is, how can I run named in the jail?
> Any ideas?

Yes. The problem is that named is attempting to bind(2) to
INADDR_ANY. In a jail, that includes the loopback address. Problem
is, jails don't get their own loopback addresses -- there's just the
one loopback shared between the host system and all jails. Which
effectively means that jailed processes can't bind to the loopback.

The answer is to configure named to only bind to the jail IP number --
see http://www.isc.org/products/BIND/docs/config/ (for bind8) or
http://www.nominum.com/content/documents/bind9arm.pdf (for bind9)
[available in HTML as file:///usr/local/share/doc/bind9/arm/Bv9ARM.html
if you've installed the bind9 port.]

In bind9 you need to add something like the following to named.conf --
bind8 will be similar:

    options {
        [...]
        listen-on { 192.168.1.1; };
        query-source address 192.168.1.1 port 53;
        transfer-source 192.168.1.1 port 53;
        notify-source 192.168.1.1 port 53;
    };

There are equivalent IPv6 statements if you're an IPv6 user.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
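An added example, not part of the original message: a small check that a named.conf pins named to the jail address the way the reply's options block does. The names `audit` and `options_body` are hypothetical, the sample config is constructed from the reply's snippet, and the matching is regex-based rather than a full named.conf parser.

```python
import re

# Statements from the reply's named.conf snippet that pin a source address.
SOURCE_STMTS = ("query-source", "transfer-source", "notify-source")

# Constructed sample: the options block from the reply, minus the "[...]".
SAMPLE = """
options {
    listen-on { 192.168.1.1; };   // jail IP only
    query-source address 192.168.1.1 port 53;
    transfer-source 192.168.1.1 port 53;
    notify-source 192.168.1.1 port 53;
};
"""

def options_body(text):
    """Strip comments, then return the body of options { ... } or None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None  # unbalanced braces

def audit(conf_text, jail_ip):
    """List the ways this config leaves named off the jail's own address."""
    body = options_body(conf_text)
    if body is None:
        return ["no options block, so listen-on defaults to all interfaces"]
    findings = []
    lists = re.findall(r"(?<![\w-])listen-on(?:\s+port\s+\d+)?\s*\{([^}]*)\}", body)
    if not lists:
        findings.append("listen-on missing, default is all interfaces")
    for addr in (a.strip() for l in lists for a in l.split(";")):
        if addr and addr != jail_ip:
            findings.append("listen-on includes " + addr)
    for stmt in SOURCE_STMTS:
        m = re.search(r"(?<![\w-])%s\s+(?:address\s+)?([^\s;]+)" % stmt, body)
        if m is None or m.group(1) != jail_ip:
            findings.append("%s not pinned to %s" % (stmt, jail_ip))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.1"))
```

An empty list means every statement from the reply is present and set to the jail IP; run it against the jail's named.conf before starting named.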