New install, having bind issues

Matt Harris fedora at uberduck.net
Mon Mar 8 03:44:14 UTC 2004


> May the almighty Fred, god of computers, bless you and your keyboard!!!
> 
> Had to do about 5 minutes of looking up this whole chroot jail thingy,
> but once it clicked my dns came up no problem..  It explained a lot
> too..  Like why test entries that I put into the localhost.zone didn't
> come up, and why when I purposely put errors in named.conf that it
> didn't barf on me..  (It wasn't looking at those!! Genius!!  hehee)
> 
> Seriously, thanks for the heads up...
> 
> One follow-up question.  Now that I've jacked around with my permissions
> on all of these, any suggestions on ownership/permission settings for
> the various files and directories under /var/named??

The only files that really matter are files that have your shared
secrets in them (named.conf and any include files you may
use...especially rndc.key).  Those shouldn't be world-readable.  Any
user can infer the contents of the zone files simply by performing
lookups on them, so it's okay if they're world-readable.  As long as joe
luser can't write to anything in that jail and can't read the .key files
(and any files with keys in them, say for dynamic updates), you should
be fine.

> Thanks Again!!!
> 
> > -----Original Message-----
> > From: fedora-list-admin at redhat.com 
> > [mailto:fedora-list-admin at redhat.com] On Behalf Of Matt Harris
> > Sent: Sunday, March 07, 2004 6:31 PM
> > To: fedora-list at redhat.com
> > Subject: Re: New install, having bind issues
> > 
> > 
> > By default, fedora runs named in a chroot jail.  
> > Consequently, all the config files and such are kept in 
> > /var/named/chroot/whatever.  If the copy of named.conf you 
> > are editing isn't in /var/named/chroot/etc, then named won't 
> > ever even see that you want it to serve that domain.  All of 
> > your zone files must be in /var/named/chroot/var/named.
> > 
> > I beat my head against that for quite some time too.  Hope this helps.
> > 
> > On Sun, 2004-03-07 at 19:08, Jeremy Lunsford wrote:
> > > I hope someone can help, I've been beating my head against this for 
> > > the last 24 hours.
> > > 
> > > I just did a fresh install of Fedora.  The install seemed to go well,
> > > so I started restoring all my files.  I checked the new named.conf
> > > file and all the header stuff at the top matched up exactly with my
> > > old one. (Which was from a RedHat 9 install, so same major version of
> > > bind)  So I copied my named.conf file into /etc.  I then copied all my
> > > zone files into /var/named.  (Not replacing the hint file)  Then I
> > > started bind.. It will resolve other domains with no problem, but when
> > > I query it about a domain that it is master for it gives me a
> > > 
> > >    ** server can't find thedames.com: SERVFAIL
> > > 
> > > In my log file all I get is a lame server error..
> > > 
> > >    Mar  7 20:56:24 bender named[22199]: lame server resolving 'thedames.com' (in 'thedames.com'?): 209.75.97.4#53
> > > 
> > > So my server clearly doesn't think that it has info for those zones.
> > > At first I thought this was a permissions issue.  However at this
> > > point my named.conf file and all my zone files are 777 with an owner
> > > of named. So I don't think that is an issue..  I don't get any errors
> > > when restarting named.  It just happily says that it's loading
> > > named.conf and that everything is great.
> > > 
> > >    Mar  7 20:48:55 bender named[22199]: starting BIND 9.2.2-P3 -u named -t /var/named/chroot
> > >    Mar  7 20:48:55 bender named[22199]: using 1 CPU
> > >    Mar  7 20:48:55 bender named[22199]: loading configuration from '/etc/named.conf'
> > >    Mar  7 20:48:55 bender named[22199]: no IPv6 interfaces found
> > >    Mar  7 20:48:55 bender named[22199]: listening on IPv4 interface lo, 127.0.0.1#53
> > >    Mar  7 20:48:55 bender named[22199]: listening on IPv4 interface eth0, 209.75.97.2#53
> > >    Mar  7 20:48:55 bender named[22199]: command channel listening on 127.0.0.1#953
> > >    Mar  7 20:48:55 bender named[22199]: running
> > >    Mar  7 17:48:55 bender named: named startup succeeded
> > > 
> > > 
> > > If I run named-checkconf on my named.conf file I get the following:
> > > 
> > >    [root at bender etc]# named-checkconf -t /etc/ named.conf
> > >    named.conf:4: change directory to '/var/named' failed: file not found
> > >    named.conf:4: parsing failed
> > > 
> > > I had my friend run that same command on his server though, and he got
> > > the same error.  I think I'm running the command wrong.
> > > 
> > > Here is my current named.conf file, and one of my zone files:
> > > 
> > > // generated by named-bootconf.pl
> > > 
> > > options {
> > >         directory "/var/named";
> > >         /*
> > >          * If there is a firewall between you and nameservers you want
> > >          * to talk to, you might need to uncomment the query-source
> > >          * directive below.  Previous versions of BIND always asked
> > >          * questions using port 53, but BIND 8.1 uses an unprivileged
> > >          * port by default.
> > >          */
> > >         // query-source address * port 53;
> > > };
> > > 
> > > //
> > > // a caching only nameserver config
> > > // 
> > > controls {
> > >         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> > > };
> > > zone "." IN {
> > >         type hint;
> > >         file "named.ca";
> > > };
> > > 
> > > zone "localhost" IN {
> > >         type master;
> > >         file "localhost.zone";
> > >         allow-update { none; };
> > > };
> > > 
> > > zone "0.0.127.in-addr.arpa" IN {
> > >         type master;
> > >         file "named.local";
> > >         allow-update { none; };
> > > };
> > > 
> > > include "/etc/rndc.key";
> > > 
> > > 
> > > zone "vmfaq.com"{
> > >         type master;
> > >         file "vmfaq.com";
> > > };
> > > 
> > > zone "ethiopianet.net"{
> > >         type master;
> > >         file "./ethiopianet.net";
> > > };
> > > 
> > > zone "thecryptorium.com"{
> > >         type master;
> > >         file "./thecryptorium.com";
> > > };
> > > 
> > > zone "monku.org"{
> > >         type master;
> > >         file "./monku.org";
> > > };
> > > 
> > > zone "thedames.com"{
> > >         type master;
> > >         file "thedames.com";
> > > };
> > > 
> > > zone "gravelymanor.com"{
> > >         type master;
> > >         file "./gravelymanor.com";
> > > };
> > > 
> > > 
> > > 
> > > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > > ; File vmfaq.com 
> > > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > > ; $ORIGIN vmfaq.com
> > > ; @ = vmfaq.com
> > > ;
> > > @ 86400      IN      SOA     ns1.vmfaq.com. dnsadmin.vmfaq.com. (
> > >  200403070      ; Serial number
> > >      10800      ; Refresh after 3 hours
> > >       3600      ; Retry after 1 hour
> > >     604800      ; Expire after 1 week
> > >      86400 )    ; Minimum TTL of 1 day
> > > 
> > >       86400                  IN NS   ns1.vmfaq.com.
> > >           86400              IN NS   ns1.thoene.net.
> > > 
> > > 
> > > vmfaq.com. 86400                IN A    209.75.97.2
> > >                 86400           IN MX 0 mx1.veriomail.com.
> > > www         86400            IN A    209.75.97.2
> > > bender 86400                    IN A    209.75.97.2
> > > ns1             86400           IN A    209.75.97.2
> > > fonts 86400                     IN A    209.75.97.2
> > > 
> > > 
> > > 
> > > I found one place that said that I needed to put a $TTL 1D at the top
> > > of my zones files.  I've tried that, no luck..  Plus, the zone checker
> > > utility says all my zones are ok.  Besides my zone files having their
> > > permissions wide open, so does the actual named directory..
> > > 
> > > If anyone has some suggestions, I'd love to hear them.  I've never had
> > > this kind of problem with DNS before.  I've been doing it for quite a
> > > while and the thing I love about bind is that it always just works.
> > > (Except today.)
> > > 
> > > Thanks!!!!
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > -- 
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> > 
> 

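An added example, not code from the thread or from Fedora/BIND, that checks a chroot jail against the permission advice in the reply above: files holding shared secrets (named.conf, rndc.key and anything named.conf includes) must not be world-readable, and nothing in the jail may be world-writable, while world-readable zone files are left alone. It assumes the Fedora layout named in the thread (JAIL/etc and JAIL/var/named) and that include paths in named.conf are absolute and relative to the jail root; the fixture jail it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit file modes inside a BIND
# chroot jail. Assumes config in JAIL/etc, zones in JAIL/var/named, and
# absolute include paths in named.conf resolved against the jail root.

# Print one finding per line for the jail at $1 (nothing printed = clean).
audit_jail() {
  jail=$1
  conf=$jail/etc/named.conf
  # Files holding shared secrets: named.conf, rndc.key and whatever
  # named.conf includes. sort -u stops an included key being counted twice.
  secrets=$({ echo "$conf"; echo "$jail/etc/rndc.key";
              sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' \
                  "$conf" 2>/dev/null | sed "s|^|$jail|"; } | sort -u)
  for f in $secrets; do
    [ -f "$f" ] || continue
    # -perm -004: the others-read bit is set, so any local user can read it
    [ -n "$(find "$f" -perm -004)" ] && echo "world-readable secret: $f"
  done
  # Zone files may be world-readable (their content is public via DNS),
  # but nothing in the jail may be writable by other users (the 777 case).
  find "$jail" -perm -002 | sed 's/^/world-writable: /'
}

# Constructed fixture reproducing the thread's situation: a jail whose
# rndc.key is world-readable and whose zone file was chmod 777.
make_demo_jail() {
  d=$1
  mkdir -p "$d/etc" "$d/var/named"
  chmod 755 "$d" "$d/etc" "$d/var" "$d/var/named"
  printf 'options { directory "/var/named"; };\ninclude "/etc/rndc.key";\n' \
      > "$d/etc/named.conf"
  # placeholder secret, not a real key
  printf 'key "rndckey" { algorithm hmac-md5; secret "ZXhhbXBsZQ=="; };\n' \
      > "$d/etc/rndc.key"
  printf '$TTL 1D\n@ IN SOA ns1 hostmaster 1 3h 1h 1w 1d\n' \
      > "$d/var/named/thedames.com"
  chmod 640 "$d/etc/named.conf"
  chmod 644 "$d/etc/rndc.key"           # bad: secret readable by everyone
  chmod 777 "$d/var/named/thedames.com" # bad: anyone can alter the zone
}

demo=$(mktemp -d)
make_demo_jail "$demo"
audit_jail "$demo"      # two findings: the key file and the zone file
rm -rf "$demo"
```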



