Date: Sun, 12 Oct 2014 09:56:36 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Re: A couple of trivial BIND (dynamic update) questions
Message-ID: <543A4244.1000401@FreeBSD.org>
In-Reply-To: <22652.1413075907@server1.tristatelogic.com>
References: <22652.1413075907@server1.tristatelogic.com>
On 12/10/2014 02:05, Ronald F. Guilmette wrote:
> Firstly, various online sources, and the nsupdate man page itself
> say that the name server should create a file called:
>
> /var/run/named/session.key
>
> when the server is started up with at least one "update-policy local;"
> clause within one of the zone {} clauses within the named.conf file.
> On my FreeBSD system however, this file was instead created over here:
>
> /var/named/var/run/named/session.key
>
> So, um, how come? The default location wasn't good enough?

You're running chrooted to /var/named. All paths will have /var/named
tacked onto the front.

> The more troublesome problem however is that at first, my dynamic
> updates were failing with SERVFAIL errors, and I couldn't figure
> out why until I looked at the tail of /var/log/messages. Apparently,
> BIND wants to write a ".jnl" (journal?) file in the same directory as
> the one that contains the actual zone file for the zone being dynamically
> updated. On FreeBSD, and for my master zones, that would be the
> directory /var/named/etc/namedb/master. Unfortunately, that directory
> is owned by root/wheel (with permissions set to 0755) which rendered
> it unwritable by named, which is apparently run under the user ID
> "bind" (and, I am guessing, with the GID set to the "bind" group).
>
> As soon as I changed the permissions on /var/named/etc/namedb/master
> to 0777, sure enough my dynamic updates started to work. But of
> course, I _do not_ want to leave it like that. I just set it that
> way for a quicky temporary test.
>
> So, um, what is the Right Solution here? Do I need to re-jigger
> the permissions on /var/named/etc/namedb/master to 0775 and then
> add user-ID "bind" to the wheel group in /etc/groups?
/var/named/etc/namedb/master is for zones where the data is managed by
means other than dynamic update. If you're using dynamic update, then
create a new directory /var/named/etc/namedb/dynamic and make it mode
755 but owned by the bind UID and GID (similar to the slave directory).
Use that for storing the data for all your dynamic update zones.

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
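The layout Matthew describes, as an added example that is not part of the thread: a POSIX sh script that creates the dynamic-zone directory inside the FreeBSD named chroot with the recommended owner and mode, checks that a zone directory has not been left world-writable (the 0777 quick fix from the question), and prints a named.conf zone stanza that stores the zone there. The zone name, the file name example.com.db and the in-chroot path /etc/namedb/dynamic/... are assumptions, as is the default owner bind:bind.

```shell
#!/bin/sh
# Added example, not from the thread. $1 is the chroot base (/var/named on
# FreeBSD); $2 is the owner, defaulting to the bind user and group (assumed).
setup_dynamic_dir() {
  base=$1
  owner=${2:-bind:bind}
  dir="$base/etc/namedb/dynamic"
  mkdir -p "$dir" || return 1
  # named writes the zone file and its .jnl journal here, so the directory
  # belongs to the bind UID/GID with mode 0755; nobody else needs write.
  chown "$owner" "$dir" || return 1
  chmod 0755 "$dir"
}

# Returns 0 if $1 exists and no world-write bit is set; 1 otherwise.
# The 0777 workaround from the question fails this check.
check_dynamic_dir() {
  dir=$1
  [ -d "$dir" ] || return 1
  # POSIX find: -prune keeps the test to this directory itself, and
  # -perm -002 matches when "others" have write permission.
  if [ -n "$(find "$dir" -prune -perm -002)" ]; then
    return 1
  fi
  return 0
}

# Print a named.conf zone stanza for a dynamic zone kept in the new
# directory. Paths are as named sees them inside the chroot, so
# /etc/namedb/dynamic is /var/named/etc/namedb/dynamic on the host.
# $1 is the zone name (assumed example value in the usage below).
zone_stanza() {
  zone=$1
  cat <<EOF
zone "$zone" {
    type master;
    file "/etc/namedb/dynamic/$zone.db";
    update-policy local;
};
EOF
}
```

Run as root on the real chroot with `setup_dynamic_dir /var/named` and point each dynamic zone's `file` at the new directory; `check_dynamic_dir` can be run afterwards to confirm no zone directory was loosened to 0777.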
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?543A4244.1000401>