Date:      Sun, 12 Oct 2014 09:56:36 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   Re: A couple of trivial BIND (dynamic update) questions
Message-ID:  <543A4244.1000401@FreeBSD.org>
In-Reply-To: <22652.1413075907@server1.tristatelogic.com>
References:  <22652.1413075907@server1.tristatelogic.com>


On 12/10/2014 02:05, Ronald F. Guilmette wrote:

> Firstly, various online sources, and the nsupdate man page itself
> say that the name server should create a file called:
>
>       /var/run/named/session.key
>
> when the server is started up with at least one "update-policy local;"
> clause within one of the zone {} clauses within the named.conf file.
> On my FreeBSD system however, this file was instead created over here:
>
>     /var/named/var/run/named/session.key
>
> So, um, how come?  The default location wasn't good enough?

You're running chrooted to /var/named.  All paths will have /var/named
tacked onto the front.

> The more troublesome problem however is that at first, my dynamic
> updates were failing with SERVFAIL errors, and I couldn't figure
> out why until I looked at the tail of /var/log/messages.  Apparently,
> BIND wants to write a ".jnl" (journal?) file in the same directory as
> the one that contains the actual zone file for the zone being dynamically
> updated.  On FreeBSD, and for my master zones, that would be the
> directory /var/named/etc/namedb/master.  Unfortunately, that directory
> is owned by root/wheel (with permissions set to 0755) which rendered
> it unwritable by named, which is apparently run under the user ID
> "bind" (and, I am guessing, with the GID set to the "bind" group).
>
> As soon as I changed the permissions on /var/named/etc/namedb/master
> to 0777, sure enough my dynamic updates started to work.  But of
> course, I _do not_ want to leave it like that.  I just set it that
> way for a quicky temporary test.
>
> So, um, what is the Right Solution here?  Do I need to re-jigger
> the permissions on /var/named/etc/namedb/master to 0775 and then
> add user-ID "bind" to the wheel group in /etc/groups?

/var/named/etc/namedb/master is for zones where the data is managed by
means other than dynamic update.

If you're using dynamic update, then create a new directory
/var/named/etc/namedb/dynamic and make it mode 755 but owned by the bind
UID and GID (similar to the slave directory).  Use that for storing the
data for all your dynamic update zones.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
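The layout Matthew recommends, as an added example that is not part of the thread: a small POSIX shell script that creates the dynamic-zone directory inside the chroot with mode 0755 owned by the daemon's user and group, and a check that the directory is writable by that user but not world-writable (the 0777 workaround from the question fails the check). The function names, the chroot path /var/named and the "bind" user and group are assumptions taken from the thread's FreeBSD setup; pass different values if your installation differs.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND. Sets up the
# dynamic-update zone directory the way the reply describes (mode 0755,
# owned by the BIND user and group, inside the chroot) and verifies that
# it has not been left world-writable.
# Assumed defaults: FreeBSD's chroot /var/named and daemon user/group "bind".

# make_dynamic_dir CHROOT USER GROUP
# Creates CHROOT/etc/namedb/dynamic with mode 0755 owned by USER:GROUP and
# prints the resulting path. Zone files for "update-policy" zones belong
# here, so named can write its .jnl journal next to each zone file.
make_dynamic_dir() {
    dyn="$1/etc/namedb/dynamic"
    mkdir -p "$dyn"
    chown "$2:$3" "$dyn"
    chmod 0755 "$dyn"
    printf '%s\n' "$dyn"
}

# check_dynamic_dir DIR USER
# Returns 0 only when DIR is a directory owned by USER with mode rwxr-xr-x:
# writable by the daemon, readable by others, and not world-writable.
# A directory left at 0777 (the temporary workaround in the question) fails.
# Uses ls -ld so it works with both BSD and GNU userlands.
check_dynamic_dir() {
    [ -d "$1" ] || return 1
    line=$(ls -ld "$1")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$mode" = "drwxr-xr-x" ] && [ "$owner" = "$2" ]
}

# Stand-alone use: sh dynamic-dir.sh /var/named bind bind
# (run as root so chown can hand the directory to the bind user).
if [ $# -eq 3 ]; then
    dir=$(make_dynamic_dir "$1" "$2" "$3")
    if check_dynamic_dir "$dir" "$2"; then
        echo "ok: $dir is owned by $2 and not world-writable"
    else
        echo "problem: $dir has unexpected owner or mode" >&2
        exit 1
    fi
fi
```

After creating the directory, point the dynamic zones' `file` statements at paths under `dynamic/` (relative to the chroot), leave `master/` owned by root, and re-run the check whenever permissions are touched; a `drwxrwxrwx` result is the sign that the quick 0777 fix has crept back in.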
