From: Doug Barton <DougB@dougbarton.net>
To: Gregory Neil Shapiro
Cc: freebsd-current@freebsd.org
Date: Wed, 03 Nov 2004 12:53:58 -0800
Subject: Re: Problem with RELENG_5_3, BIND9 and dynamic updates
Message-ID: <41894566.5070503@dougbarton.net>
In-Reply-To: <20041103185010.GP2916@horsey.gshapiro.net>
References: <4188039D.8020109@aminor.no> <20041103185010.GP2916@horsey.gshapiro.net>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

Gregory Neil Shapiro wrote:
>> It looks like BIND9, as delivered in the base, has problems when zones
>> are using dynamic DNS updates.
>>
>> This is because it runs as user "bind", but that user doesn't have write
>> access to /var/named/etc/namedb/master - the script /etc/rc.d/named uses
>> mtree to set that directory as follows:
>>
>> Nov 2 22:40:31 vimes kernel: Nov 2 22:40:31 vimes named[98525]:
>> master/aminor.no.zone.jnl: create: permission denied
>
> Perhaps this patch will help:
>
> Index: mtree/BIND.chroot.dist > =================================================================== > RCS file: /src/FreeBSD/ncvs/src/etc/mtree/BIND.chroot.dist,v > retrieving revision 1.5 > diff -u -r1.5 BIND.chroot.dist > --- mtree/BIND.chroot.dist 29 Sep 2004 03:43:10 -0000 1.5 > +++ mtree/BIND.chroot.dist 3 Nov 2004 18:45:06 -0000
> @@ -9,6 +9,8 @@ > .. > etc > namedb > + dynamic uname=bind > + .. > master > .. > slave uname=bind
> Index: namedb/named.conf > =================================================================== > RCS file: /src/FreeBSD/ncvs/src/etc/namedb/named.conf,v > retrieving revision 1.19 > diff -u -r1.19 named.conf > --- namedb/named.conf 30 Sep 2004 09:57:36 -0000 1.19 > +++ namedb/named.conf 3 Nov 2004 18:48:06 -0000 > @@ -102,6 +102,22 @@ > }; > }; > > +// An example dynamic zone > +key "exampleorgkey" > +{ > + algorithm hmac-md5; > + secret "sf87HJqjkqh8ac87a02lla=="; > +}; > + > +zone "example.org" { > + type master; > + allow-update > + { > + key "exampleorgkey"; > + }; > + file "dynamic/example.org"; > +}; > + > zone "0.168.192.in-addr.arpa" { > type slave; > file "slave/0.168.192.in-addr.arpa"; >

Greg, that is the direction I was thinking on this, yes. The only minor nit I'd do differently is to move the { for allow-update up to the same line for style consistency reasons.

Feel free to commit this to HEAD if you like, otherwise I'll get to this asap.

Thanks,

Doug

--
If you're never wrong, you're not trying hard enough
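Review bot: the new `dynamic uname=bind` entry in the BIND.chroot.dist hunk sets only the owner, like the existing `slave uname=bind` line, so the directory's mode is inherited from whatever `/set` line precedes it in the file, which the hunk does not show; please confirm the inherited mode gives the owner write and search permission, because named has to create both the zone file and its `.jnl` journal there (the original report fails on exactly `master/aminor.no.zone.jnl: create: permission denied`). Keeping `master` unwritable by the bind user is the right least-privilege split, so a compromised named can only rewrite zones that are meant to be dynamic. Two things the hunk leaves for the commit message or release notes: the directory is created by /etc/rc.d/named via mtree, so existing installations must re-run the script (or mkdir by hand) before moving a zone there, and users need to be told to point dynamic zones at `dynamic/` rather than `master/`, otherwise they hit the same permission error.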
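Review bot: the secret `"sf87HJqjkqh8ac87a02lla=="` in the named.conf hunk is a literal that will ship identically in every installation; an admin who copies the example and changes only the zone name ends up with an `allow-update` key whose secret is public, and anyone who can reach the server can then rewrite the zone. If the neighbouring example zones (the `0.168.192.in-addr.arpa` slave just below) sit inside a comment block, this one should too; if they are live, an active zone with a published update key is worse than no example. Either way, add a comment telling the reader to generate a fresh secret (e.g. `dnssec-keygen -a HMAC-MD5 -b 128 -n HOST exampleorgkey`) and never reuse the sample value. Style: the `{` on its own line after `allow-update` and after `key "exampleorgkey"` does not match the `zone "example.org" {` line in the same hunk; `allow-update { key "exampleorgkey"; };` on one line, as Doug suggests, keeps the file consistent.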
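The failure in the original report (named, running as `bind`, cannot create a `.jnl` journal next to a zone file in a root-owned directory) is easy to reproduce on a host after a config change, so here is an added example, not code from this thread or from the FreeBSD tree, that checks a named.conf for dynamic zones whose zone-file directory the named user cannot write, and mints a key statement with a fresh secret instead of the patch's literal one. It assumes a simplified named.conf grammar (one-level `zone` blocks closed by `};` in column 0, nested clauses indented), takes the uid/gid that named drops to as parameters, and in `demo()` uses the current user and a constructed config as a stand-in for the bind user and the real /etc/namedb.

```python
"""Added example: flag dynamic zones whose directory the named user cannot
write, and generate a per-host TSIG key statement.  Not FreeBSD code."""
import base64
import os
import re
import secrets
import stat
import tempfile

# One zone block: the name, then the body up to a "};" at the start of a line.
# Nested "{ ... };" clauses such as allow-update are indented, so they do not
# end the match.  Deliberate simplification, not a full named.conf parser.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{(.*?)^\};', re.S | re.M)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')
DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"\s*;')


def dynamic_zones(conf_text):
    """Return [(zone, file)] for master zones that accept dynamic updates."""
    found = []
    for name, body in ZONE_RE.findall(conf_text):
        is_master = re.search(r'\btype\s+master\s*;', body) is not None
        if is_master and re.search(r'\ballow-update\b', body):
            m = FILE_RE.search(body)
            if m:
                found.append((name, m.group(1)))
    return found


def creatable_by(dirpath, uid, gid):
    """True if uid/gid can create entries in dirpath (write + search bits)."""
    st = os.stat(dirpath)
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def check_journal_dirs(conf_text, chroot_root, named_uid, named_gid):
    """For each dynamic zone, check the directory that must hold <file> and
    <file>.jnl.  Relative files are resolved against options { directory }
    inside the chroot, then mapped onto the host tree under chroot_root."""
    m = DIRECTORY_RE.search(conf_text)
    base = m.group(1) if m else "/"
    problems = []
    for zone, zfile in dynamic_zones(conf_text):
        in_chroot = zfile if zfile.startswith("/") else os.path.join(base, zfile)
        host_dir = os.path.join(chroot_root, os.path.dirname(in_chroot).lstrip("/"))
        if not os.path.isdir(host_dir):
            problems.append((zone, host_dir, "missing"))
        elif not creatable_by(host_dir, named_uid, named_gid):
            problems.append((zone, host_dir, "not writable by named"))
    return problems


def tsig_key_statement(name, nbytes=16, algorithm="hmac-md5"):
    """Key statement with a random secret.  16 bytes gives the same 24-char
    base64 length as the value in the patch, but generated per host."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


# Constructed sample: one zone already moved to dynamic/, one still in master/
# (the situation from the original report), and one static zone.
SAMPLE_CONF = '''
options {
    directory "/etc/namedb";
};

zone "example.org" {
    type master;
    allow-update { key "exampleorgkey"; };
    file "dynamic/example.org";
};

zone "aminor.no" {
    type master;
    allow-update { key "exampleorgkey"; };
    file "master/aminor.no.zone";
};

zone "static.example" {
    type master;
    file "master/static.example";
};
'''


def demo():
    """Build a throwaway chroot tree and run the check, using the current
    uid/gid as a stand-in for the bind user so no root is needed."""
    with tempfile.TemporaryDirectory() as root:
        for sub, mode in (("etc/namedb/master", 0o555), ("etc/namedb/dynamic", 0o755)):
            path = os.path.join(root, sub)
            os.makedirs(path)
            os.chmod(path, mode)
        return check_journal_dirs(SAMPLE_CONF, root, os.getuid(), os.getgid())


if __name__ == "__main__":
    for zone, path, why in demo():
        print("%s: %s (%s)" % (zone, path, why))
    print(tsig_key_statement("exampleorgkey"))
```

Run against a real box, you would pass the chroot root (/var/named on the setup in the report), the uid/gid of `bind`, and the text of named.conf; only the `aminor.no` zone is reported above, because its file still lives under `master/`, while `example.org` in `dynamic/` and the static zone pass.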