problem loading dynamic zone

Cuttler, Brian (HEALTH) brian.cuttler at health.ny.gov
Thu Jan 29 15:47:16 UTC 2015


Alan, Tony, Rod,

I know I tested the daemon allowing it to create the jnl file, but I have removed it and much to my surprise the zone loaded.

I removed the trailing dot; the syntax now matches my other zones, though the example I'd followed had stated it was necessary (I had not understood why).

The zone now loads, however when I use nsupdate (I thought a reasonable test prior to complicating things with DHCP), I still get the SERVFAIL error and the named log shows
      Error: db.dynamic.jnl: create: permission denied

Protections for /etc/dns-root (vs. my /etc/dns-source directory, where I make and attempt to verify changes on my production system; dns-source/ is unused on this newly installed test server) were included in my prior email.

The protection mask on /etc/dns-root is (skipping time stamp, etc)
drwxrwxr-x. named named /etc/dns-root

Just to make sure
# getfacl /etc/dns-root

(pardon capitalization, I have a _very_ helpful mail interface...)

# file: /etc/dns-root
# owner: named
# group: named
user::rwx
group::rwx
other::r-x

And for good measure

# lsattr -d /etc/dns-root
-------------- /etc/dns-root


The problem has been moved downstream but not resolved.

Will talk with my manager about the query-source address issue; I don't recall whether he'd mandated this or whether it's a holdover from an earlier config. It is not a setting in the example config that installed with the package.

Thank you,
Brian


-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Alan Clegg
Sent: Thursday, January 29, 2015 10:25 AM
To: bind-users at lists.isc.org
Subject: Re: problem loading dynamic zone

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Other people have taken on the question in the Subject: line, so I'll go off on a different tack and request that you remove the line:

> query-source address * port 53;

from your configuration, and if it is part of a distribution's named.conf, consider opening a bug ticket with that distribution and having them remove it from their examples.

By removing the randomization from the query port, you are opening yourself to all types of mischief by those familiar with the Kaminsky vulnerability.  If you aren't familiar with it yourself, here's a guide containing 27 8×10 color glossy pictures with circles and arrows and a paragraph on the back of each one explaining what each one was to be used as evidence against us...

  http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

[And as a side note, the missing dot at the end of the Zone statement is not the problem]

AlanC
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJUylCvAAoJEOW2o5eiJADbIvMH+wSNkQQW0cSJ4JdfexeQ6+rR
dnLX7nZzVtj1HKTKNUDE4MxbQRIziT1/pxY8T8EObIqN3V63hk7nwQARYJd1ogCA
pzsnoTdmXiG3ZfhulJdxZf5ZF4EdzAtAQlJ86L4LHcZYhmGn6aqbEOzKkXTa+VYW
1lojWh0cnlgBh9nC1FswYUuQxLPvaLwXhhRDVrX66PmFiCUDQgnZvFCbgoC83JHl
dSjJFeDkVhqkZq+Q5tbh871OAAbcpNx38mKXI6Y0rzN1hIkqyLLq3B7YCqNxGi1G
WzgmhwMdEr3fBAjZtFcj8KZrSQHqFGKdM9YZR3qfkzp/ALMTvRnhnx+3MF8oKTM=
=VcMU
-----END PGP SIGNATURE-----
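As an added illustration of Alan's point above (this is not code from the list thread or from ISC), the following Python script scans a named.conf for `query-source` / `query-source-v6` statements that pin the outbound source port to a fixed number, which is exactly what `query-source address * port 53;` does, and rewrites them so that named falls back to choosing a random source port per query. The sample configuration embedded in the script is constructed for the example; the function names and the regular expression are my own.

```python
import re

# Matches a query-source / query-source-v6 statement whose source port is
# pinned to a fixed number.  "port *" (explicitly random) is deliberately
# not matched, because it does not defeat port randomization.
FIXED_PORT = re.compile(
    r'^(?P<indent>\s*)(?P<stmt>query-source(?:-v6)?)'
    r'(?P<rest>[^;]*?)\s*\bport\s+(?P<port>\d+)(?P<tail>[^;]*);'
)

# Constructed sample named.conf fragment containing the weak setting twice.
SAMPLE_CONF = """options {
    directory "/etc/dns-root";
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
};
"""


def find_fixed_query_ports(conf: str):
    """Return (line_number, statement, port) for every pinned source port."""
    hits = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = FIXED_PORT.match(line)
        if m:
            hits.append((lineno, m.group('stmt'), int(m.group('port'))))
    return hits


def strip_fixed_query_ports(conf: str) -> str:
    """Rewrite pinned-port statements so named picks a random source port.

    The address clause is preserved; only the 'port N' part is dropped.  If
    nothing but the port was given, 'address *' is substituted so the
    statement stays syntactically valid.
    """
    out = []
    for line in conf.splitlines():
        m = FIXED_PORT.match(line)
        if not m:
            out.append(line)
            continue
        clause = (m.group('rest') + m.group('tail')).strip()
        if not clause:
            clause = 'address *'
        out.append(f"{m.group('indent')}{m.group('stmt')} {clause};")
    # Preserve the original trailing newline, if there was one.
    return '\n'.join(out) + ('\n' if conf.endswith('\n') else '')


if __name__ == '__main__':
    for lineno, stmt, port in find_fixed_query_ports(SAMPLE_CONF):
        print(f"line {lineno}: {stmt} pins source port {port}; remove 'port {port}'")
    print('--- hardened ---')
    print(strip_fixed_query_ports(SAMPLE_CONF), end='')
```

Run against a real named.conf by reading the file into `find_fixed_query_ports`; a clean result is an empty list. Only a statement that is the first token on its line is considered, so a commented-out `// query-source ... port 53;` is not reported.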