Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 8 Sep 2006 14:34:50 -0400
From:      "David Robillard" <david.robillard@gmail.com>
To:        "Jonathan Horne" <freebsd@dfwlp.com>
Cc:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: trouble with a pair of bind9 servers
Message-ID:  <226ae0c60609081134na018cc4r9f3369e03626d018@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
> the trouble im having is, that my slave (5.5-p3) will not transfer the zone
> from the master (6.1-p4).  my /var/log/messages is filled with these:
>
> Sep  7 21:50:24 fbsd55-2 named[1847]: exiting
> Sep  7 21:50:26 fbsd55-2 named[1924]: starting BIND 9.3.2 -t /var/named -u bind
> Sep  7 21:50:26 fbsd55-2 named[1924]: /etc/namedb/named.conf:40: option 'allow-update' is not allowed in 'slave' zone 'dlptest.com'

Hi Jonathan,

First, I would recommend you to send this question to the BIND mailing
list at <bind-users@isc.org>. See ISC's website for more subscribing
at http://www.isc.org/index.pl?/sw/bind/bind-lists.php and the
archives at http://marc.theaimsgroup.com/?l=bind-users

Now, this first error is self explanatory: you can't use
'allow-update' in a slave zone, only in the master. It makes sense,
because if the slave had updates, then it would not be able to tell
the master about those updates and the zones would become inconsistent
between your machines (resulting in quite a mess). The other way
around is better: update the master which will then send notifiiy
messages to your slave who in turn will download the updates.

So just remove 'allow-update' in the slave's named.conf(5).


> Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has 0 SOA records
> Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has no NS records

These point to a bad zone file. You should double check your
/etc/namedb/dlptest.com.i.hosts file. Make sure you have both SOA and
NS records in them. Consider using the named-checkzone(8) command to
check your zone files. See the man page for named-checkzone(8) for
more info.

Hummm, I know it's not my business, but may I suggest you another name
for your zone files? I personally use "db.dlptest.com.internal" and
"db.dlptest.com.external" for the master files. For the slave, I use
"bak.dlptest.com.internal" and "bak.dlptest.com.external". IMHO it's a
little more clear whether you're working on a internal slave file or
an external master file :)


> Sep  7 21:50:26 fbsd55-2 named[1924]: running
> Sep  7 21:50:27 fbsd55-2 named[1924]: dumping master
> file: /etc/namedb/tmp-UZF5mCCxZP: open: permission denied
> Sep  7 21:50:27 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
> 192.168.125.91#53: failed while receiving responses: permission denied
> Sep  7 21:51:20 fbsd55-2 named[1924]: dumping master
> file: /etc/namedb/tmp-SaWWYxV06u: open: permission denied
> Sep  7 21:51:20 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
> 192.168.125.91#53: failed while receiving responses: permission denied
>
> this was giving me the impression that the bind user was not able to write
> to /var/named/etc/namedb, but every time i make a chmod or chown adjustment,
> it just gets changed back:
>
> fbsd55-2# /etc/rc.d/named restart
> Stopping named.
> etc/namedb changed
>         user expected 0 found 53 modified
> Starting named.
> fbsd55-2#

I'm afraid I'm not quite sure this problem is? Maybe check your
fstab(5) for special options such as noexec or nosuid and friends.
Check the mount(8) man page if you find anything. Also have you played
with chflags(1) ?  Finally, I would check the ISC's BIND mailing list
archives to see if you can come up with something.

Good luck,

David

> ive been dinking around with this for a few hours now, and im about to pull
> what little hair i have left out.  can someone shed light on this for me
> please?  any help at all would be much appreciated!
>
> cheers,
> jonathan

-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?226ae0c60609081134na018cc4r9f3369e03626d018>