Dynamic DNS and failed journal
Brian Chadwick
brianchad at westnet.com.au
Tue Aug 1 09:26:55 UTC 2006
Tim wrote:
> On Tue, 2006-08-01 at 17:35 +1000, Brian Chadwick wrote:
>
>> Yes I did a recursive chmod.
>>
>> from /var i did chmod -R named.named var
>>
>> i cant give you a directory listing now, i have reset the permissions to
>> original
>>
>
> Okay, bear in mind the things mentioned elsewhere in the thread about
> trying another sub-directory inside var/named for your dynamic records.
> But what you've got now is probably important. The "defaults" sometimes
> end up being different on different boxes. Perhaps due to whether users
> just install BIND itself, or the local caching package?
>
ok .... /var/named/chroot/var/named is owned by root.named (default FC5)
.... i changed it (recursively) to named.named .... same message, .jnl can't
be created.
>
>> the output from messages after a named and dhcpd restart and an
>> immeadiate lease request and ddns update is below.
>>
>> Aug 1 17:28:51 server named[23130]: zone 'bac.org.au' allows updates by IP address, which is insecure
>> Aug 1 17:28:51 server named[23130]: zone '10.168.192.in-addr.arpa' allows updates by IP address, which is insecure
>>
>
> As I've commented on below, I found allowing updates by IP address
> hasn't worked for some time. I don't know if it works again in FC5.
>
changed control clause to be updated by localhost and server (my server
name) .... same message again
>
>> Aug 1 17:29:06 server dhcpd: No hostname for 192.168.10.190
>> Aug 1 17:29:06 server dhcpd: DHCPDISCOVER from 00:0c:29:b2:ac:3e (box) via eth1
>> Aug 1 17:29:07 server dhcpd: DHCPOFFER on 192.168.10.190 to 00:0c:29:b2:ac:3e via eth1
>> Aug 1 17:29:07 server dhcpd: No hostname for 192.168.10.190
>> Aug 1 17:29:07 server dhcpd: DHCPDISCOVER from 00:0c:29:b2:ac:3e via eth1
>> Aug 1 17:29:07 server dhcpd: DHCPOFFER on 192.168.10.190 to 00:0c:29:b2:ac:3e (box) via eth1
>> Aug 1 17:29:07 server named[23130]: client 192.168.10.254#32843: updating zone 'bac.org.au/IN': adding an RR at 'box.bac.org.au' A
>> Aug 1 17:29:07 server named[23130]: client 192.168.10.254#32843: updating zone 'bac.org.au/IN': adding an RR at 'box.bac.org.au' TXT
>> Aug 1 17:29:07 server named[23130]: journal file /var/named/bac.org.au.hosts.jnl does not exist, creating it
>> Aug 1 17:29:07 server named[23130]: /var/named/bac.org.au.hosts.jnl: create: permission denied
>> Aug 1 17:29:07 server named[23130]: client 192.168.10.254#32843: updating zone 'bac.org.au/IN': error: journal open failed: unexpected error
>> Aug 1 17:29:07 server dhcpd: Unable to add forward map from box.bac.org.au to 192.168.10.190: timed out
>> Aug 1 17:29:07 server dhcpd: No hostname for 192.168.10.190
>> Aug 1 17:29:07 server dhcpd: DHCPREQUEST for 192.168.10.190 (192.168.10.254) from 00:0c:29:b2:ac:3e (box) via eth1
>> Aug 1 17:29:07 server dhcpd: DHCPACK on 192.168.10.190 to 00:0c:29:b2:ac:3e (box) via eth1
>>
>> As you can see ... everything seems to work ok except being able to
>> write the jnl file.
>>
>
> Not sure if the "timed out" error is the same thing, or related. I've
> gone through the same myself, but resolved it too long ago. Not sure if
> the denials are file writing denials, or configuration of name server
> allowances.
>
the timeout error is a mystery to me ... it's a DSL linux box asking for
a new lease (stopping NIC and restarting NIC)
> If the chrooted /var/named... (/var/named/chroot/var/named...) it's
> trying to access now doesn't have the right permissions, it won't be
> able to write those files. What are the current permissions?
>
as above .... Fedora guys set /var/named/chroot/var/named owned by root
... changed it to named ownership .. no joy..same message re .jnl
>
>> named.conf -
>> //
>> // named.conf for Red Hat caching-nameserver
>> //
>>
>> acl "bac-net" { 192.168.10.0/24; 127.0.0.1; };
>>
>> options {
>> directory "/var/named/";
>> dump-file "/var/named/data/cache_dump.db";
>> statistics-file "/var/named/data/named_stats.txt";
>> listen-on { "bac-net"; };
>> allow-query { "bac-net"; };
>>
>
> Hmm, never seen the listen-on and allow-query statements refer to the
> ACL before. Not sure if it's allowed, but my man file says it's port
> and IP data inside listen-on. It does say that the allow-query is an
> address match element, though.
>
the listen-on clause i use is straight from the DNS macro howto on the ISC
website ... i thought it was odd too .... but in retrospect, it means to
listen on 127.0.0.1 and any other NICs using the 192.168.10.0/24 network
that may be in the box ... naturally there is only the one NIC on that
network ... it seems to work ... i didn't change this though ... the point
is ... named is listening and responding.
I would have thought allow-query would have been ok with an acl ... it's
allowing every NIC on that acl.
>
>
>> //
>> // bac zone
>> //
>>
>> zone "bac.org.au" {
>> type master;
>> file "/var/named/bac.org.au.hosts";
>> allow-update {
>> 127.0.0.1;
>> 192.168.10.254;
>> key rndckey;
>> };
>> };
>>
>
> I found that using addresses in the allow-update statement hadn't worked
> for me since about Red Hat 8.0 Linux. I had to use an ACL name in
> there, and that's all I've used. Seeing as you've set up one, acl
> "bac-net", it seems rather redundant to then not use it and go about
> manually specifying the addresses in all the places you could have just
> put "bac-net", if you're also including addresses.
>
done .... removed IP addresses ... as per your named.conf further on
....... no change in message
> Not that it should make any difference, you can omit that full file
> path. You've set it, above, with the directory statement.
>
> For subdirectories, you can just prepend the subdirectory name.
>
> i.e. slaves/example.com.zone
>
> Mine would have been done just as:
>
> zone "bac.org.au" {
> type master;
> file "bac.org.au.hosts";
> allow-update { key rndckey;};
> };
>
>
>
agreed ... wasteful ... changed it but didnt expect any joy .... sure
enough ... no joy
>> dhcpd.conf --
>>
>> include "/etc/rndc.key";
>>
>
> Are you using the same /etc/rndc.key between DNS and DHCP servers?
> It'll need to be. That can be a /gotcha/ in chrooted servers.
>
yes same key file
>
>> subnet 192.168.10.0 netmask 255.255.255.0 {
>> ddns-domainname "bac.org.au";
>> ddns-rev-domainname "in-addr.arpa.";
>> authoritative;
>> ddns-updates on;
>>
>
> Not sure if the above two statements (authoritative & ddns-updates on)
> had to be done outside of the subnet clauses.
>
a subnet-specific clause? ... one may have several subnets and only
want ddns-updates from selected subnets ... i think it can be used
globally or per subnet ... once again this is from the macro howto on ISC.
>
>> host admin {
>> hardware ethernet 00:0D:61:B4:AA:85;
>> fixed-address 192.168.10.1;
>> }
>>
>
> Fixed addresses won't get updated in the DNS records, you'd have to set
> them in there manually.
>
>
I don't expect these to update .... i am testing with dhcpd-assigned IPs
from the pool of the subnet. These addresses are already in the zone files.
so there you go .... i am not a linux expert, but also not totally inept
... i have a good working knowledge in general and I did think i could
try and get this going ... but the failure to create .jnl files persists ...
i am at a loss ... i can't think of anything else .... the salient point
seems to be that named can't write the .jnl file ... yet the directory
(now that I have changed it) belongs to it ... and still it won't write ...
Just in case I am going to check out the SELinux stuff ... i am fairly
certain that SELinux is disabled, but I need to make absolutely certain
... there seem to be few other clues ... stay tuned
Brian
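The two things the thread keeps circling are (a) that the path named logs (`/var/named/bac.org.au.hosts.jnl`) is a path inside the chroot, so the directory whose permissions matter is `/var/named/chroot/var/named`, and (b) that on Fedora the SELinux type of that directory can deny the create even when ownership and mode look right. The script below is an added example, not code from the thread or from the BIND or Fedora projects. It assumes the bind-chroot default root `/var/named/chroot` (overridable with `NAMED_CHROOT`), GNU `stat`/`ls`, and Fedora's targeted policy, in which named may write `named_cache_t` directories but needs the `named_write_master_zones` boolean to write `named_zone_t` ones such as `/var/named` itself; check that the boolean exists on your release before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): map a journal path as named logged it
# to the host path, decide whether named's account can create files there by
# classic mode, and then show the SELinux facts that can still deny the create.
# Assumptions: FC5 bind-chroot default root, GNU stat/ls, Fedora targeted policy.

CHROOT="${NAMED_CHROOT:-/var/named/chroot}"

# Map a path exactly as named logged it (inside the chroot) to the host path.
host_path() {
    # $1 = chroot root, $2 = path from the named log line
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# Does the classic mode of directory $1 let account $2 (primary group $3)
# create a file in it? Creating needs write and search (w and x) on the
# directory. Decided from stat output alone, so it runs as any user.
dir_allows_create() {
    owner=$(stat -c %U "$1") || return 1
    group=$(stat -c %G "$1")
    mode=$(stat -c %a "$1")
    perms=${mode#"${mode%???}"}       # last three digits; drops a setgid "2" prefix
    u=${perms%??}
    g=${perms#?}; g=${g%?}
    o=${perms#??}
    if [ "$owner" = "$2" ]; then bits=$u
    elif [ "$group" = "$3" ]; then bits=$g
    else bits=$o
    fi
    [ $(( bits & 2 )) -ne 0 ] && [ $(( bits & 1 )) -ne 0 ]
}

# Full report for one journal path copied from the named log line.
report_jnl() {
    jnl=$(host_path "$CHROOT" "$1")
    dir=$(dirname "$jnl")
    echo "named logged: $1"
    echo "host path:    $jnl"
    ls -ld "$dir"
    if dir_allows_create "$dir" named named; then
        echo "mode: named can create files in $dir"
    else
        echo "mode: named cannot create files in $dir"
    fi
    # SELinux: the usual cause on Fedora when the mode already looks right.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce)"
        ls -Zd "$dir"                                  # named_zone_t vs named_cache_t
        getsebool named_write_master_zones 2>/dev/null || true
    fi
}

# Usage: sh check_jnl.sh /var/named/bac.org.au.hosts.jnl
if [ -n "${1-}" ]; then
    report_jnl "$1"
fi
```

If the mode check passes but `getenforce` says Enforcing and `ls -Zd` shows `named_zone_t`, the denial is SELinux, not ownership; that is also why the suggestion earlier in the thread to keep dynamic zones in a separate sub-directory works, since the writable sub-directories under `/var/named` carry a type named is allowed to write.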
More information about the fedora-list mailing list