Date:      Sat, 11 Oct 2014 18:05:07 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-net@freebsd.org
Subject:   A couple of trivial BIND (dynamic update) questions
Message-ID:  <22652.1413075907@server1.tristatelogic.com>



I've just been messing around with the nsupdate program, which,
as I'm sure you all know, is part of the BIND 9 package.

For now, I'm just using it in "local" mode, i.e. invoking it with
the -l option.

I did manage to get it to perform a dynamic update, but I encountered
a couple of slight, and perhaps FreeBSD-specific oddities along the
way.  I want to ask about those.

Firstly, various online sources, and the nsupdate man page itself
say that the name server should create a file called:

      /var/run/named/session.key

when the server is started up with at least one "update-policy local;"
clause within one of the zone {} clauses within the named.conf file.
On my FreeBSD system however, this file was instead created over here:

    /var/named/var/run/named/session.key

So, um, how come?  The default location wasn't good enough?

I saw that the pid file, which typically (on other systems) would
have appeared within the /var/run/named directory also, was a symlink
pointing over to /var/named/var/run/named/pid, so in order to make
the nsupdate utility work I just followed suit and created a symlink
called /var/run/named/session.key and pointed it over to the actual
key file, /var/named/var/run/named/session.key.  I hope that was
the Right Thing To Do.  If not, somebody please tell me.

The more troublesome problem however is that at first, my dynamic
updates were failing with SERVFAIL errors, and I couldn't figure
out why until I looked at the tail of /var/log/messages.  Apparently,
BIND wants to write a ".jnl" (journal?) file in the same directory as
the one that contains the actual zone file for the zone being dynamically
updated.  On FreeBSD, and for my master zones, that would be the
directory /var/named/etc/namedb/master.  Unfortunately, that directory
is owned by root/wheel (with permissions set to 0755) which rendered
it unwritable by named, which is apparently run under the user ID
"bind" (and, I am guessing, with the GID set to the "bind" group).

As soon as I changed the permissions on /var/named/etc/namedb/master
to 0777, sure enough my dynamic updates started to work.  But of
course, I _do not_ want to leave it like that.  I just set it that
way for a quicky temporary test.

So, um, what is the Right Solution here?  Do I need to re-jigger
the permissions on /var/named/etc/namedb/master to 0775 and then
add user-ID "bind" to the wheel group in /etc/groups?

Something tells me that I can't have been the first person to have
ever encountered the above two problems.  And it appears like they
may perhaps both be FreeBSD-specific, which is why I'm asking about
them here, rather than on the bind-users mailing list.
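Added example, not from the message above or from BIND or FreeBSD: a small POSIX sh script that answers the permissions question the way a named administrator would check it, by evaluating the owner/group/other write bits of the zone's directory and of the zone file for the user and group named runs as, and then applying a group-write fix (0775 on the directory, 0664 on the file) rather than 0777. The user and group name "bind" and the mock tree built under mktemp are assumptions so that it runs anywhere; on the real system the path would be /var/named/etc/namedb/master/<zone> and the group would be bind. The check models plain Unix permission classes only (no supplementary groups, no root override, no ACLs).

```shell
#!/bin/sh
# Added example: check whether a named running as USER:GROUP can create the
# .jnl journal next to a zone file and rewrite the zone file itself, then
# grant the named group write access instead of chmod 0777.
# "bind" as user/group and the mktemp tree are assumptions for this demo.

# path_writable_by PATH USER GROUP -> prints yes or no.
# Uses the permission class Unix would apply: owner bits if USER owns the
# path, else group bits if GROUP matches, else the "other" bits.
# Parsed from `ls -ld`, which is portable between BSD and Linux.
path_writable_by() {
    p=$1; u=$2; g=$3
    set -- $(ls -ld "$p")
    mode=$1; owner=$3; grp=$4
    if [ "$owner" = "$u" ]; then
        bit=$(printf '%s' "$mode" | cut -c3)   # owner write bit
    elif [ "$grp" = "$g" ]; then
        bit=$(printf '%s' "$mode" | cut -c6)   # group write bit
    else
        bit=$(printf '%s' "$mode" | cut -c9)   # other write bit
    fi
    if [ "$bit" = w ]; then echo yes; else echo no; fi
}

# zone_journal_check ZONEFILE USER GROUP -> yes only if named can both
# create ZONEFILE.jnl (needs write on the directory; without it updates
# fail with SERVFAIL, as in the post) and later rewrite ZONEFILE itself
# when it dumps the journal back into the zone file (needs write on it).
zone_journal_check() {
    zf=$1; u=$2; g=$3
    d=$(dirname "$zf")
    if [ "$(path_writable_by "$d" "$u" "$g")" = yes ] &&
       [ "$(path_writable_by "$zf" "$u" "$g")" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# journal_fix ZONEFILE GROUP: least-privilege alternative to 0777 and to
# adding the daemon user to wheel: hand the directory and file to the
# named group and make them group-writable. Non-zero if chgrp/chmod fail.
journal_fix() {
    zf=$1; g=$2
    d=$(dirname "$zf")
    chgrp "$g" "$d" "$zf" && chmod 0775 "$d" && chmod 0664 "$zf"
}

# Demonstration on a constructed tree standing in for
# /var/named/etc/namedb/master/example.com; the caller's own group plays
# the role of "bind" because that group may not exist on this host.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/master" && chmod 0755 "$root/master"
    printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 3600 900 604800 300\n' \
        > "$root/master/example.com"
    chmod 0644 "$root/master/example.com"
    echo "root-owned 0755 dir, user bind: $(zone_journal_check "$root/master/example.com" bind bind)"
    mygroup=$(ls -ld "$root/master" | awk '{print $4}')
    journal_fix "$root/master/example.com" "$mygroup"
    echo "after journal_fix (group $mygroup): $(zone_journal_check "$root/master/example.com" bind "$mygroup")"
    rm -r "$root"
}
demo
```

On the session.key location: when named runs under a chroot (the base-system rc script sets named_chrootdir to /var/named), the path named.conf knows as /var/run/named/session.key is /var/named/var/run/named/session.key from outside, which is what the message observed. A symlink works, and so does telling nsupdate where the key is directly with `nsupdate -l -k /var/named/var/run/named/session.key`, since -k overrides the default key path used by -l.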


