Bind Issues After FC2

Cowles, Steve steve at stevecowles.com
Mon Jun 21 00:16:53 UTC 2004


See my inserts below...

edwarner99 at yahoo.com wrote:
> Hi,
> 
> I decided to start a new thread as now, I'm getting
> other errors. Everything worked under FC1.
> I had to change my directory to "/" from "/var/named"
> It just would not work, gave me permission errors.

Changing your named.conf global option "directory" to / is not a very good
idea. Named expects files to be relative to the path specified in the
directory option. By default, the redhat supplied named.conf references
/var/named. If you're having permission errors using this directory, then FIX
THEM!!!! Here is a hint from my system...

[root at excelsior etc]# cd /var
[root at excelsior var]# ls -ld named
drwxr-x---  5 root named 1024 Jun 10 22:07 named

[root at excelsior var]# cd named
[root at excelsior named]# ls -l
total 8
drwxr-xr-x  5 root  root  1024 Oct 18  2003 chroot
-rw-r--r--  1 named named  195 Feb 15 07:06 localhost.zone
-rw-r--r--  1 named named 2518 Feb 15 07:06 named.ca
-rw-r--r--  1 named named  433 Feb 15 07:06 named.local
drwxrwx---  2 named named 1024 Mar 26 05:28 slaves

> 
> Now I'm getting "could not configure roots hints from
> "named.ca" file not found.

That's probably because you specified / in your directory statement, so
named is looking for /named.ca, not /var/named/named.ca

> 
> 
> Below is my named.conf file.
> 
> // generated by named-bootconf.pl
> 
> controls {
> 	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
> 
> 
> // Define address range for the local domain.
> acl lan {
> 	192.168.100/24;
> 	127.0.0.1;

If you are going to specify a network address in CIDR notation, then specify
the network address as 192.168.100.0/24

Long pause... Reading: man named.conf

WOW! Your notation is actually understood by named. <groan>

> };
> 
> options {
> 	directory "/";

As stated above, using the root "/" for your directory statement is a bad
idea. Fix your permissions problem on directory /var/named. Then make sure
the zone files you are loading from named.conf exist in this directory.

> /*
>  If there is a firewall between you and nameservers
>  you want to talk to, you might need to uncomment the
>  query-source directive below.  Previous versions of
>  BIND always asked questions using port 53, but BIND
>  8.1 uses an unprivileged port by default.
> */
> 	// query-source address * port 53;
> 
> 	// Only allow queries and listen from the local domain.
> 	allow-query { lan; };
> 	allow-recursion { lan; };
> 	allow-transfer { lan; };
> 	listen-on {
> 		 127.0.0.0/24;
> 		 192.168.100.1;
> 	};

Personally, I would change the 127.0.0.0/24 to 127.0.0.1

> 
> 	// Use Bellsouth's DNS servers for finding external addresses.
> 	forward only;
> 	forwarders {
> 		xxx.xxx.xxx.xxx;
> 	};
> };
> 
> // Top Level domain name servers.
> zone "." IN {
> 	type hint;
> 	file "named.ca";
> };

You realize that you are loading the root hints zone, but specifying the use
of forwarders for all other tld's outside the zones you are loading? This
will work, but loading the root hints zone along with "allow-recursion"
allows your DNS server to look up all other tld's on its own. Well, unless
your ISP is blocking outbound DNS requests to servers other than theirs.

> 
> // Localhost Zones
> zone "localhost" IN {
> 	type master;
> 	file "localhost.zone";
> 	allow-update { lan; };
> };

So why are you allowing updates to the above zone? Especially since you have
not specified any DDNS parameters in named.conf.

> 
> // Provide a reverse lookup for the loopback address 127.0.0.1
> zone "0.0.127.in-addr.arpa" IN {
> 	type master;
> 	file "named.local";
> 	allow-update { lan; };
> };

Again, why are you allowing updates to the above zone? Especially since you
have not specified any DDNS parameters in named.conf.

> 
> // Home network zone.
> zone "mylan.lan" IN {
> 	type master;
> 	file "named.mylan";
> 	notify no;
> 	allow-update { lan; };
> };

Specifying allow-update for the above zone makes sense, but again, you have
not specified any DDNS parameters - so all update attempts from clients
listed in your ACL will fail.

> 
> // Reverse lookup for the local domain.
> zone "100.168.192.in-addr.arpa" {
> 	type master;
> 	file "named.mylan-rev";
> 	notify no;
> 	allow-update { lan; };
> };
> 
> 
> include "/etc/rndc.key";
> 

If I could suggest... 

1) Fix your permissions problems

2) Stop using named-bootconf.pl to create your named.conf file

3) Read the man pages for named.conf. i.e. man named.conf

Steve Cowles
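The three problems Steve points at (directory "/", zone files that named cannot find relative to that directory, and allow-update granted by address ACL with no key) can be checked before restarting named. The script below is an added example written for this page, not code from the thread or from BIND; the named.conf it lints is a constructed cut-down copy of the one quoted above, and it checks the tree under a temporary root so it runs without touching /var/named.

```python
import re, tempfile
from pathlib import Path

# Constructed named.conf mirroring the thread's config (not the poster's real file).
SAMPLE_CONF = """\
options {
    directory "/";
};
zone "mylan.lan" IN {
    file "named.mylan";
    allow-update { lan; };
};
zone "example.lan" IN {
    file "named.example";
    allow-update { key rndckey; };
};
"""

def lint(conf_text: str, root: Path = Path("/")) -> list:
    """Return findings for a named.conf; `root` lets the check run on a test tree."""
    conf = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)   # drop /* */ comments
    conf = re.sub(r"//[^\n]*", "", conf)                      # drop // comments
    m = re.search(r'\bdirectory\s+"([^"]+)"\s*;', conf)
    directory = m.group(1) if m else "."
    findings = []
    if directory == "/":
        findings.append('options: directory "/" resolves relative zone files against the filesystem root')
    for z in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', conf, flags=re.S):
        name, body = z.group(1), z.group(2)
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        if f:   # named joins a relative file name onto the directory option
            rel = f.group(1) if f.group(1).startswith("/") else f"{directory.rstrip('/')}/{f.group(1)}"
            if not (root / rel.lstrip("/")).is_file():
                findings.append(f'zone "{name}": file {rel} not found')
        upd = re.search(r"allow-update\s*\{([^}]*)\}", body)
        if upd and not re.search(r"\bkey\b", upd.group(1)):   # address ACL only, no TSIG
            findings.append(f'zone "{name}": allow-update by address only, no TSIG key required')
    return findings

def demo() -> dict:
    """Lint SAMPLE_CONF against a constructed /var/named tree, as posted and with directory fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        named_dir = root / "var" / "named"
        named_dir.mkdir(parents=True)
        (named_dir / "named.example").write_text("; constructed placeholder zone data\n")   # named.mylan deliberately absent
        fixed = SAMPLE_CONF.replace('directory "/"', 'directory "/var/named"')
        return {"as_posted": lint(SAMPLE_CONF, root), "fixed": lint(fixed, root)}
```

Run it against the real file with `lint(Path("/etc/named.conf").read_text())` as the named user; a file that exists but is not readable by that user still shows up as a finding, which is the permission problem the thread starts from.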