A couple of trivial BIND (dynamic update) questions

Matthew Seaman matthew at FreeBSD.org
Sun Oct 12 08:56:58 UTC 2014


On 12/10/2014 02:05, Ronald F. Guilmette wrote:

> Firstly, various online sources, and the nsupdate man page itself
> say that the name server should create a file called:
> 
>       /var/run/named/session.key
> 
> when the server is started up with at least one "update-policy local;"
> clause within one of the zone {} clauses within the named.conf file.
> On my FreeBSD system however, this file was instead created over here:
> 
>     /var/named/var/run/named/session.key
> 
> So, um, how come?  The default location wasn't good enough?

You're running chrooted to /var/named.  All paths will have /var/named
tacked onto the front.

> The more troublesome problem however is that at first, my dynamic
> updates were failing with SERVFAIL errors, and I couldn't figure
> out why until I looked at the tail of /var/log/messages.  Apparently,
> BIND wants to write a ".jnl" (journal?) file in the same directory as
> the one that contains the actual zone file for the zone being dynamically
> updated.  On FreeBSD, and for my master zones, that would be the
> directory /var/named/etc/namedb/master.  Unfortunately, that directory
> is owned by root/wheel (with permissions set to 0755) which rendered
> it unwritable by named, which is apparently run under the user ID
> "bind" (and, I am guessing, with the GID set to the "bind" group).
> 
> As soon as I changed the permissions on /var/named/etc/namedb/master
> to 0777, sure enough my dynamic updates started to work.  But of
> course, I _do not_ want to leave it like that.  I just set it that
> way for a quicky temporary test.
> 
> So, um, what is the Right Solution here?  Do I need to re-jigger
> the permissions on /var/named/etc/namedb/master to 0775 and then
> add user-ID "bind" to the wheel group in /etc/groups?

/var/named/etc/namedb/master is for zones where the data is managed by
means other than dynamic update.

If you're using dynamic update, then create a new directory
/var/named/etc/namedb/dynamic and make it mode 755 but owned by the bind
UID and GID (similar to the slave directory).  Use that for storing the
data for all your dynamic update zones.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
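The setup Matthew describes, as an added example that is not part of the original thread: a small POSIX sh script that creates the dynamic-zone directory inside the chroot, owned by the named user and deliberately not world-writable, prints the matching zone {} stanza, and checks the result. It assumes the chroot root (/var/named), the named user and group (bind:bind), and the FreeBSD named.conf default of `directory "/etc/namedb"` so that zone file paths are relative to it; the zone name and file name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD/BIND.
# Assumptions (hypothetical): chroot root is $1 (default /var/named), named
# runs as $2:$3 (default bind:bind), named.conf has directory "/etc/namedb".

# Create <chroot>/etc/namedb/dynamic, mode 0755, owned by the named user.
# This is where named will write the zone file and its .jnl journal, so the
# master directory can stay root-owned and read-only for named.
# Prints the directory path on success.
make_dynamic_dir() {
    root=${1:-/var/named}
    owner=${2:-bind}
    group=${3:-bind}
    dyn="$root/etc/namedb/dynamic"
    mkdir -p "$dyn"
    chown "$owner:$group" "$dyn"
    chmod 0755 "$dyn"
    printf '%s\n' "$dyn"
}

# Print the zone {} stanza for named.conf. The file path is relative to the
# directory option as named sees it from inside the chroot, i.e. without the
# /var/named prefix.
zone_stanza() {
    zone=$1
    cat <<EOF
zone "$zone" {
    type master;
    file "dynamic/$zone.db";
    update-policy local;
};
EOF
}

# Verify the dynamic directory: it must exist, be owned by the named user and
# must not be world-writable (the 0777 quick fix from the question is exactly
# what this rejects). Returns 0 if the directory passes, 1 otherwise.
check_dynamic_dir() {
    root=${1:-/var/named}
    owner=${2:-bind}
    dyn="$root/etc/namedb/dynamic"
    [ -d "$dyn" ] || return 1
    # ls -ld prints: <mode> <links> <owner> <group> ... ; parse the first fields
    set -- $(ls -ld "$dyn")
    mode=$1
    dir_owner=$3
    [ "$dir_owner" = "$owner" ] || return 1
    case "$mode" in
        ????????w*) return 1 ;;   # 9th mode character set: world-writable
    esac
    return 0
}
```

Run `make_dynamic_dir` once as root, put the output of `zone_stanza yourzone.example` in named.conf, move the zone's data file into the new directory (owned by bind as well), and restart named. `check_dynamic_dir` is the test to keep around: it fails both when the directory is not owned by the named user and when someone has "fixed" a SERVFAIL by opening it up to 0777. Note that `nsupdate -l` looks for the session key at /var/run/named/session.key; if your chroot leaves the file only at /var/named/var/run/named/session.key, point nsupdate at it with `-k`.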

