Dynamic DNS and failed journal

Paul Howarth paul at city-fan.org
Mon Jul 31 11:54:49 UTC 2006


Tim wrote:
> Tim:
>>> It (updating master records) certainly works in FC4, though I've set
>>> SELinux options to allow named to overwrite master zone files.
> 
> Paul Howarth:
>> It can't create new files such as journal files in 
>> /var/named/chroot/var/named though, as that's only writeable by root.
> 
> A bit of an oops with my prior post.  I looked at the wrong server (one
> of the slaves).  This is my master server (on FC4, mind you):
> 
> ll /var/named/chroot/var/named/ -d
> drwxr-x---  6 named named 4096 Jul 31 19:14 /var/named/chroot/var/named/
> 
> My master DNS server can write its master records, and journal files, as
> directed to by the DHCP server.

You must have changed the ownership/permissions then. The 
bind-chroot-9.3.1-20.FC4 package has:

drwxr-x---    2 root    named               0 Mar 31 01:01 /var/named/chroot
drwxr-x---    2 root    named               0 Mar 31 01:01 /var/named/chroot/dev
drwxr-x---    2 root    named               0 Mar 31 01:01 /var/named/chroot/etc
drwxr-x---    2 root    named               0 Mar 13  2003 /var/named/chroot/var
drwxr-x---    2 root    named               0 Aug 25  2004 /var/named/chroot/var/named
drwxrwx---    2 named   named               0 Aug 25  2004 /var/named/chroot/var/named/data
drwxrwx---    2 named   named               0 Jul 27  2004 /var/named/chroot/var/named/slaves
drwxrwx---    2 root    named               0 Mar 13  2003 /var/named/chroot/var/run
drwxrwx---    2 named   named               0 Mar 13  2003 /var/named/chroot/var/run/named
drwxrwx---    2 named   named               0 Mar 13  2003 /var/named/chroot/var/tmp

So /var/named/chroot/var/named is owned by root, not named. Mind you, 
it's writeable by group named. This is not the case in 
bind-chroot-9.3.2-20.FC5, which has:

drwxr-x---    2 root    named               0 Apr 19 15:12 /var/named/chroot
drwxr-x---    2 root    named               0 Apr 19 15:12 /var/named/chroot/dev
drwxr-x---    2 root    named               0 Apr 19 15:12 /var/named/chroot/etc
drwxr-x---    2 root    named               0 Mar 13  2003 /var/named/chroot/var
drwxr-x---    2 root    named               0 Apr 19 15:12 /var/named/chroot/var/named
drwxrwx---    2 named   named               0 Aug 25  2004 /var/named/chroot/var/named/data
drwxrwx---    2 named   named               0 Jul 27  2004 /var/named/chroot/var/named/slaves
drwxr-x---    2 root    named               0 Mar 13  2003 /var/named/chroot/var/run
drwxrwx---    2 named   named               0 Mar 13  2003 /var/named/chroot/var/run/named
drwxrwx---    2 named   named               0 Mar 13  2003 /var/named/chroot/var/tmp

Which has /var/named/chroot/var/named not writeable by group named.

>> There's also SELinux to consider - see:
>> http://www.isc.org/index.pl?/sw/bind/FAQ.php (search for "journal" on 
>> that page)
> 
> Mine's been sitting on permissive for a long time, and is allowed to
> write to master files.  I should switch back to enforcing and retest.
> 
>> I agree that using the "slaves" directory for this seems wrong; the 
>> "data" directory would be better, and should also work OK.
> 
> Not sure that I've come across an explanation for what the data
> directory is there for.

I'd wager it's there especially for DDNS users :-)

Paul.
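
The permission reasoning in this message, as an added example that is not part of the thread or of the bind-chroot package: a small Python check that parses the FC5 listing quoted above (a constructed copy of those lines) and reports whether the named user could create a journal file beside a given zone file. It assumes BIND's default of writing the dynamic-update journal next to the zone file as <zonefile>.jnl, and assumes named runs as user `named` in group `named`.

```python
import os
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group path")

# Constructed sample: the bind-chroot-9.3.2-20.FC5 layout quoted in the message
FC5_LISTING = """\
drwxr-x---    2 root    named  0 Apr 19 15:12 /var/named/chroot
drwxr-x---    2 root    named  0 Mar 13  2003 /var/named/chroot/var
drwxr-x---    2 root    named  0 Apr 19 15:12 /var/named/chroot/var/named
drwxrwx---    2 named   named  0 Aug 25  2004 /var/named/chroot/var/named/data
drwxrwx---    2 named   named  0 Jul 27  2004 /var/named/chroot/var/named/slaves
"""

def parse_listing(text):
    """Parse 'ls -l' / 'rpm -qlv' style lines into {path: Entry}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # fields: mode links owner group size month day time-or-year path
        f = line.split(None, 8)
        entries[f[8]] = Entry(f[0], f[2], f[3], f[8])
    return entries

def effective_bits(entry, user, groups):
    """The rwx triple that applies to `user`: owner, else group, else other."""
    if entry.owner == user:
        return entry.mode[1:4]
    if entry.group in groups:
        return entry.mode[4:7]
    return entry.mode[7:10]

def can_create_file(entries, directory, user, groups):
    """True if `user` can create a file in `directory`: write+search on the
    directory itself, plus search on every ancestor present in the listing."""
    if directory not in entries:
        return False
    bits = effective_bits(entries[directory], user, groups)
    if bits[1] != "w" or bits[2] not in "xs":
        return False
    path = os.path.dirname(directory)
    while True:
        if path in entries and effective_bits(entries[path], user, groups)[2] not in "xs":
            return False
        if path in ("/", ""):
            return True
        path = os.path.dirname(path)

def journal_writable(entries, zone_file, user="named", groups=("named",)):
    """named writes the DDNS journal beside the zone file as <zone>.jnl (BIND
    default, assumed here), so the zone file's directory must be writable."""
    return can_create_file(entries, os.path.dirname(zone_file), user, groups)

if __name__ == "__main__":
    tree = parse_listing(FC5_LISTING)
    for zone in ("/var/named/chroot/var/named/example.com.zone",
                 "/var/named/chroot/var/named/data/example.com.zone"):
        print(zone, "->", "journal OK" if journal_writable(tree, zone) else "journal would fail")
```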
