Win2K3-AD Master - Bind Slave transfers fail

William B. Cattell wbcattell1.nospam at yahoo.com
Wed Jul 5 22:47:12 UTC 2006


On Wed, 05 Jul 2006 10:24:36 -0500, Barry Finkel wrote:

>  "William B. Cattell" <wbcattell1.nospam at yahoo.com> wrote:
> 
>>I've been reading this newsgroup, reading DNS/BIND from O'Reilly and MS
>>Technet but I'm missing something...  and it's driving me nuts.  Help.
>>
>>I have a Win2K3 server running AD as a zone master.  I'm trying to set up
>>a slave on a Mandriva 2006 box running bind 9.3.1.
>>
>>Here's a snippet from the /etc/named.conf;
>>
>>zone "texasflood.us" {
>>        type slave;
>>        masters {
>>                192.168.0.46;
>>                };
>>        file "/etc/texasflood.us.hosts";
>>        check-names ignore;
>>        allow-update {
>>                192.168.0.46;
>>                };
>>        allow-transfer {
>>                192.168.0.46;
>>                };
>>        };
>>zone "0.168.192.in-addr.arpa" {
>>        type slave;
>>        masters {
>>                192.168.0.46;
>>                };
>>        file "/etc/192.168.0.rev";
>>        check-names ignore;
>>        };
>>server 192.168.0.46 {
>>        };
>>server 192.168.0.48 {
>>        };
>>
>>---------------------------
>>
>>...and entries from syslog;
>>
>>Jul  3 09:19:40 sam named[3229]: client 192.168.0.46#4877: received notify for zone 'texasflood.us'
>>Jul  3 09:19:40 sam named[3229]: zone texasflood.us/IN: Transfer started.
>>Jul  3 09:19:40 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: connected using 192.168.0.15#32799
>>Jul  3 09:19:41 sam named[3229]: dumping master file: /etc/tmp-jHyQa1q7Z1: open: permission denied
>>Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>>Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: end of transfer
>>Jul  3 09:20:13 sam named[3229]: client 192.168.0.46#4877: received notify for zone 'texasflood.us'
>>Jul  3 09:20:13 sam named[3229]: zone texasflood.us/IN: Transfer started.
>>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: connected using 192.168.0.15#32800
>>Jul  3 09:20:13 sam named[3229]: dumping master file: /etc/tmp-g5gixf2xhM: open: permission denied
>>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>>Jul  3 09:20:13 sam named[3229]: transfer of 'texasflood.us/IN' from 192.168.0.46#53: end of transfer
>>Jul  3 09:21:10 sam named[3229]: client 192.168.0.46#4877: received notify for zone '0.168.192.in-addr.arpa'
>>Jul  3 09:21:10 sam named[3229]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
>>Jul  3 09:21:10 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: connected using 192.168.0.15#32801
>>Jul  3 09:21:11 sam named[3229]: dumping master file: /etc/tmp-37BqztnzJS: open: permission denied
>>Jul  3 09:21:11 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: failed while receiving responses: permission denied
>>Jul  3 09:21:11 sam named[3229]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.46#53: end of transfer
>>
>>----------------------------------
>>
>>zone transfers are working from the master to another Win2K3 server set as
>>a slave, just not the bind slave.  Any help / suggestions would be
>>appreciated.
>>
>>TIA,
>>
>>Bill
> 
> I do not have access to the list archives right now to see if there
> have been any replies.  There appear to be two problems:
> 
> a) Jul  3 09:19:41 sam named[3229]: dumping master file:
>      /etc/tmp-jHyQa1q7Z1: open: permission denied
> 
> b) Jul  3 09:19:41 sam named[3229]: transfer of 'texasflood.us/IN'
>      from 192.168.0.46#53: failed while receiving responses:
>      permission denied
> 
> a) It appears that the userid under which BIND is running does not
>    have permissions to create the temporary file
> 
>         /etc/tmp-jHyQa1q7Z1
> 
>    in which BIND wants to store the transferred zone.  What are the
>    permissions on the 
> 
>         /etc
> 
>    directory?
> 
> b) There are a number of reasons why W2k DNS could deny a zone transfer.
>    The denied transfers are not logged in the EventLog, if I remember
>    correctly.  One of the MS DNS support staff told me that MS did not
>    want to fill up the EventLog with these denied transfer messages.
>    I have formally asked MS to produce these EventLog records and to
>    include information as to why the transfer was denied.
> 
>    What do you have for the zone properties in the Zone Transfer tab?
>    In my case, I have six BIND slave servers, with a total of ten IP
>    addresses (two of the slaves have three NICs).  As I did not want to
>    enter all ten IP addresses for each of my W2k zones, I chose to
>    use
> 
>         Allow zone transfers to servers in the NS Tab.
>         Notify servers in the NS Tab.
> 
>    This works except in the case where the 
> 
>         IP-address  IN  PTR  DNSSlaveServer
> 
>    record is not in the W2k DNS cache.  When a zone transfer request
>    arrives from an IP address, the MS W2k DNS code checks its cache to
>    see if that IP address equates to a DNS server name in the NS Tab.
>    If that IP address is not in the cache, then the zone transfer
>    request is denied.  One of the DNS developers told me that the code
>    does not do the normal DNS query to locate the PTR record because
>    there is a chance that the record that is returned could be from a
>    rogue server and contain fake information.  What we do on the MS W2k
>    DNS Server is run a script periodically (three times a day?):
> 
>         nslookup BIND-slave-name W2k-master-name
> 
>    for each of the six slaves.  This insures that the IP addresses of
>    all of the BIND slaves are always in the W2k DNS cache.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994


Thanks for the response Barry.

bind is running under the named uid - that answers the question about
being unable to write the /etc/tmp... file.  As I don't want to give that
uid write access to /etc I'll chroot it.

The permission denied still perplexes me.  The bind server is listed on
the nameserver tab on the win2k3 boxes.  There is a PTR record for it
though.  I already have set the options
 
        Allow zone transfers to servers in the NS Tab.
        Notify servers in the NS Tab.

I'm thinking (hoping) that by solving 'a' that 'b' will get resolved.  We
shall see.  Thanks for the input.  BTW - I agree about the MS event log.
It's very good at giving useless information.  The AD master has line upon
line of "transfer initiated to..." but no result.

Bill
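An added check for problem (a), not code from the thread: it pulls the slave zones out of a named.conf fragment (a trimmed, constructed copy of the one posted above is embedded) and lists those whose `file` directory the uid named runs as cannot create files in, which is exactly the condition behind "dumping master file: ...: open: permission denied". The user name `named` and the sample configuration are assumptions.

```python
import grp
import os
import pwd
import re

# Constructed sample: the two slave zones from the posted named.conf, trimmed.
NAMED_CONF = '''
zone "texasflood.us" { type slave; masters { 192.168.0.46; };
    file "/etc/texasflood.us.hosts"; };
zone "0.168.192.in-addr.arpa" { type slave; masters { 192.168.0.46; };
    file "/etc/192.168.0.rev"; };
'''

def slave_zone_files(conf):
    """Map each 'type slave' zone to its file path, honouring nested braces."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk forward to the matching '}'
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i]
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        if f and re.search(r'\btype\s+slave\s*;', body):
            zones[m.group(1)] = f.group(1)
    return zones

def dir_mode_allows_write(mode, st_uid, st_gid, uid, gids):
    """Can uid (member of gids) create files here? Needs write+search (x) bits."""
    if uid == st_uid:
        need = 0o300          # owner class: -wx------
    elif st_gid in gids:
        need = 0o030          # group class: ----wx---
    else:
        need = 0o003          # other class: -------wx
    return mode & need == need

def unwritable_slave_zones(conf, user="named"):
    """Slave zones whose file directory `user` (assumed: named) cannot write to."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    bad = {}
    for zone, path in slave_zone_files(conf).items():
        st = os.stat(os.path.dirname(path) or ".")
        if not dir_mode_allows_write(st.st_mode & 0o777, st.st_uid, st.st_gid,
                                     pw.pw_uid, gids):
            bad[zone] = path
    return bad
```

On a box where /etc is root-owned 0755, both posted zones come back as unwritable; pointing `file` at a directory owned by the named user (or at the chroot's zone directory) clears (a) without loosening /etc.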
