Issues running bind 9 on Ubuntu 9.10 server

I am migrating a primary DNS server from Solaris 10 running bind 9.3.4-P1 to Ubuntu 9.10 running bind 9.6.1-P2 and I am running into issues even running the named process.

I have copied the current files from the running primary and secondary DNS servers (both on Solaris 10) and put them in /var/dns (same location as previously used). I updated the /etc/bind/named.conf file and when I attempt to start bind with "/etc/init.d/bind9 start" it fails.

The various log files show that it is having permission problems accessing /var/dns/named.root. Even after changing the file and the /var/dns directory to mode 777, I get the same error message.

Attached is from the syslog generated when attempting to start named

All help is appreciated

syslog-tail
jvosslerAsked:

jvosslerAuthor Commented:
Here are the output files from checkconf (stderr and stdout). It is also complaining about the reverse localhost zone for some reason.

checkconf.err.txt
0
jvosslerAuthor Commented:
Here is the stdout from checkconf
checkconf.out.txt
0
linuxgfxCommented:
Could you please paste the bind configuration files here? It seems an RNDC problem to me; it could also be a path error, because Debian runs bind in a chroot, different from Solaris, which runs it in a normal dir.
0
jvosslerAuthor Commented:
Right now I am not using chroot afaik. I did not configure it for that.

Here are the configuration files from /etc/bind

 *** rndc.conf

# Start of rndc.conf
key "rndc-key" {
      algorithm hmac-md5;
      secret "dzkOoDCGH9w3Bp1imCUqbA==";
};

options {
      default-key "rndc-key";
      default-server 127.0.0.1;
      default-port 953;
};
# End of rndc.conf



 *** named.conf

// MASTER & CACHING NAME SERVER for IT Infrastructures, INC.
// maintained by: just me
// CHANGELOG:
// 1. Fri 05 Sep 2008 - Created
// 2. Mon 01 Mar 2010 - migrated to Linux (Ubuntu 9.10 server)
// 3.
//
//
//include "/etc/bind/rndc.key";
//
key "rndc-key" {
  algorithm hmac-md5;
  // NOTE: this secret must be identical to the one in /etc/bind/rndc.conf,
  // otherwise rndc cannot authenticate to named over the control channel
  secret "fRRny51stZtCg/ArATeiBA==";
};
//
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; }
    keys { rndc-key; };
};
options {
  directory "/var/dns";
  dump-file "/var/log/named/named.dump";
  statistics-file "/var/log/named/named.stats";
  //###zone-statistics yes;
  // version statement - inhibited for security
  // (avoids hacking any known weaknesses)
  version "get lost";
  // Set the cache size above the 32M default
  //###max-cache-size 512M;
  // Set location of PID file (relative to "directory", i.e. /var/dns/rndc.pid,
  // so named needs write access there)
  pid-file "rndc.pid";
  forwarders {
    207.69.188.185;
    207.69.188.186;
    207.69.188.187;
  };
  // optional - disables all transfers
  // slaves allowed in zone clauses
  allow-transfer {
    192.168.5.103;
    192.168.5.104;
    192.168.5.105;
    192.168.5.106;
    192.168.1.1;
    192.168.2.1;
    192.168.3.1;
    192.168.4.1;
    192.168.5.1;
    192.168.6.1;
    192.168.7.1;
    192.168.8.1;
    192.168.9.1;
    72.19.183.2;
  };
  // Closed DNS - permits only local IPs to issue recursive queries
  // remove if an Open DNS required to support all users
  // or add additional ranges
  allow-recursion {
    192.168.1.0/24;
    192.168.2.0/24;
    192.168.3.0/24;
    192.168.4.0/24;
    192.168.5.0/24;
    192.168.6.0/24;
    192.168.7.0/24;
    192.168.8.0/24;
    192.168.9.0/24;
  };
};
//
// log to /var/log/dns/example.log all events from
// info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//
logging{
  channel example_log{
   file "/var/log/named/example.log" versions 3 size 2m;
   severity info;
   print-severity yes;
   print-time yes;
   print-category yes;
 };
 category default{
  example_log;
 };
};
//
// required zone for recursive queries
//
zone "." {
  type hint;
  file "named.root";
};
//
//
// Set up all zones for the data center
//
//
zone "itinfrastructures.net" in{
  type master;
  file "master.itinfrastructures.net";
};
zone "vrcontracting.com" in{
  type master;
  file "master.vrcontracting.com";
};
zone "vosslerangus.com" in{
  type master;
  file "master.vosslerangus.com";
};
zone "vosslerranch.com" in{
  type master;
  file "master.vosslerranch.com";
};
//
// required local host domain
//
zone "localhost" in{
  type master;
  file "master.localhost";
  allow-update{none;};
};
//
// localhost reverse map
//
zone "0.0.127.in-addr.arpa" in{
      type master;
  file "localhost.rev";
  allow-update{none;};
};
//
//
// The publically addressable IP space reverse records
//
//
zone "183.19.72.IN-ADDR.ARPA" in{
  type master;
  file "72.19.183.rev";
};
//
//
// All reverse maps for all 9 VLANs
//
//
// reverse map for class C 192.168.1.0
zone "1.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.1.rev";
};
// reverse map for class C 192.168.2.0
zone "2.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.2.rev";
};
// reverse map for class C 192.168.3.0
zone "3.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.3.rev";
};
// reverse map for class C 192.168.4.0
zone "4.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.4.rev";
};
// reverse map for class C 192.168.5.0
zone "5.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.5.rev";
};
// reverse map for class C 192.168.6.0
zone "6.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.6.rev";
};
// reverse map for class C 192.168.7.0
zone "7.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.7.rev";
};
// reverse map for class C 192.168.8.0
zone "8.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.8.rev";
};
// reverse map for class C 192.168.9.0
zone "9.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.9.rev";
};
0
Jan SpringerCommented:
The text files you uploaded show two things: that the localhost inverse file is incorrect, and that several zones loaded.

Can you verify that bind is not running "ps awx|grep named"?

Fix "localhost.rev"

I would expect it to look something like this:

$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      2010041001 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.


'cat /etc/init.d/bind9'

Are you running bind as root or as a non-priv account like 'named'?
0
jvosslerAuthor Commented:
Here is the localhost.rev file I have been using

$TTL    24h
;
; reverse localhost definition
;
localhost.      IN      SOA     localhost. root.localhost. (
                2008090810      ; serial number
                4h              ; refresh slaves
                1h              ; retry interval
                10w             ; slave life time
                30m             ; negative cache TTL
                )

                IN      NS      localhost.
1               IN      PTR     localhost.


There is no named process running and the rndc.pid file is zero length.

Right now I am attempting to start the process as root.

0
Jan SpringerCommented:
I'd like you to try to start named (get the date/time first). After the attempt:

  grep named /var/log/named/example.log | grep "MMM DD hh:mm"

The log file data at the time of starting named, should give us more information.
0
jvosslerAuthor Commented:
The file /var/log/named/example.log is an empty file. Attempting to start bind9 via "/etc/init.d/bind9 start" does not add any lines to this file.

0
Jan SpringerCommented:
Under this section:

logging{
  channel example_log{


Add this:
      syslog daemon;

Then we'll see if we can capture data in the specified log file or the messages file.
0
jvosslerAuthor Commented:
I am getting output in the messages file, as I posted earlier.

Apr  8 20:30:36 fw1 named[4036]: starting BIND 9.6.1-P2 -u bind
Apr  8 20:30:36 fw1 named[4036]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr  8 20:30:36 fw1 named[4036]: adjusted limit on open files from 1024 to 1048576
Apr  8 20:30:36 fw1 named[4036]: found 8 CPUs, using 8 worker threads
Apr  8 20:30:36 fw1 named[4036]: using up to 4096 sockets
Apr  8 20:30:36 fw1 named[4036]: loading configuration from '/etc/bind/named.conf'
Apr  8 20:30:36 fw1 named[4036]: using default UDP/IPv4 port range: [1024, 65535]
Apr  8 20:30:36 fw1 named[4036]: using default UDP/IPv6 port range: [1024, 65535]
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface lo, 127.0.0.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth0, 72.19.183.2#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth1, 192.168.1.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth2, 192.168.2.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth3, 192.168.3.10#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth4, 192.168.4.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth5, 192.168.5.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth6, 192.168.6.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth7, 192.168.7.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth8, 192.168.8.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth9, 192.168.9.1#53
Apr  8 20:30:36 fw1 named[4036]: could not configure root hints from 'named.root': permission denied
Apr  8 20:30:36 fw1 named[4036]: loading configuration: permission denied
Apr  8 20:30:36 fw1 named[4036]: exiting (due to fatal error)
Apr  8 20:30:36 fw1 kernel: [206981.178545] type=1503 audit(1268105436.188:25): operation="open" pid=4045 parent=4035 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.root"



I also have similar output in the kern.log and the syslog

0
Jan SpringerCommented:
ps -Af | grep named

ls -ld /var/dns
ls -l /var/dns
0
jvosslerAuthor Commented:
Here is the output you requested.

I have tried various permissions from the current 644 to 777 on named.root but the error does not change.

fw1:/var/dns> ps -Af | grep named
root     14618 14612  0 08:15 pts/0    00:00:00 grep named

fw1:/var/dns> ls -ld /var/dns
drwxrwxrwx 2 root root 4096 2010-03-08 21:18 /var/dns

fw1:/var/dns> ls -l /var/dns
total 124
drwxrwxrwx  2 root root 4096 2010-03-08 21:18 .
drwxr-xr-x 15 root root 4096 2004-10-12 16:42 ..
-rw-r--r--  1 root root  319 2010-03-08 21:18 127.0.0.rev
-rw-r--r--  1 root root  670 2010-03-01 20:35 192.168.1.rev
-rw-r--r--  1 root root  720 2010-03-01 20:35 192.168.2.rev
-rw-r--r--  1 root root  797 2010-03-01 20:35 192.168.3.rev
-rw-r--r--  1 root root  721 2010-03-01 20:35 192.168.4.rev
-rw-r--r--  1 root root  875 2010-03-01 20:35 192.168.5.rev
-rw-r--r--  1 root root  971 2010-03-01 20:35 192.168.6.rev
-rw-r--r--  1 root root  664 2010-03-01 20:35 192.168.7.rev
-rw-r--r--  1 root root  686 2010-03-01 20:35 192.168.8.rev
-rw-r--r--  1 root root 1010 2010-03-01 20:35 192.168.9.rev
-rw-r--r--  1 root root  857 2010-03-01 20:35 72.19.183.rev
-rwxr-xr-x  1 root root 1248 2010-03-01 20:35 arp-file
-rwxr-xr-x  1 root root  406 2010-03-04 05:47 get.named.root
-rw-r--r--  1 root root  319 2010-03-01 20:35 localhost.rev
-rw-r--r--  1 root root 7002 2010-03-01 20:35 master.itinfrastructures.net
-rw-r--r--  1 root root  306 2010-03-01 20:35 master.localhost
-rw-r--r--  1 root root  620 2010-03-01 20:35 master.vosslerangus.com
-rw-r--r--  1 root root  620 2010-03-01 20:35 master.vosslerranch.com
-rw-r--r--  1 root root  601 2010-03-01 20:35 master.vrcontracting.com
-rw-r--r--  1 root root 2938 2010-03-08 20:37 named.root
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0202201004:07
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0208200904:07
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0702200911:44
-rw-r--r--  1 root root 2876 2010-03-01 20:35 named.root.20080809
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.new
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.orig
-rw-r--r--  1 root root  159 2010-03-01 20:35 named.stats
-rwxrwxrwx  1 root root    0 2010-03-08 21:01 rndc.pid
-rwxr-xr-x  1 root root   49 2010-03-01 20:35 update
fw1:/var/dns>
0
Jan SpringerCommented:
Which named.conf are you using?  The one in /etc/bind/?
0
jvosslerAuthor Commented:
Yes,

I am using the named.conf that is in /etc/bind.  The named.conf that is in the /var/dns directory was just a copy from the Solaris system I am migrating from. If you think it is causing an issue it can be deleted.

0
jvosslerAuthor Commented:
Looks like I already deleted the named.conf that was in /var/dns.

A search on the system for all named.conf files found only the single file in /etc/bind.
0
Jan SpringerCommented:
You're running selinux, yes?
0
Jan SpringerCommented:
ls -Z /var/dns

ls -Z /etc/bind/named.conf

cat /var/dns/named.root
0
jvosslerAuthor Commented:
I am running ubuntu 9.10 server and I have NOT installed selinux
0
jvosslerAuthor Commented:
I have a cron job that downloads the named.root periodically.

Here is the output you requested.

fw1:/var/dns> ls -Z /var/dns
? .              ? 192.168.9.rev                 ? named.root.0202201004:07
? ..             ? 72.19.183.rev                 ? named.root.0208200904:07
? 127.0.0.rev    ? arp-file                      ? named.root.0702200911:44
? 192.168.1.rev  ? get.named.root                ? named.root.20080809
? 192.168.2.rev  ? localhost.rev                 ? named.root.new
? 192.168.3.rev  ? master.itinfrastructures.net  ? named.root.orig
? 192.168.4.rev  ? master.localhost              ? named.stats
? 192.168.5.rev  ? master.vosslerangus.com       ? rndc.pid
? 192.168.6.rev  ? master.vosslerranch.com       ? update
? 192.168.7.rev  ? master.vrcontracting.com
? 192.168.8.rev  ? named.root

fw1:/var/dns> ls -Z /etc/bind/named.conf
? /etc/bind/named.conf

fw1:/var/dns> cat /var/dns/named.root
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/db.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Dec 12, 2008
;       related version of root zone:   2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
fw1:/var/dns>
0
Jan SpringerCommented:
Let's start with this -- as root (bind presumed to be the group name for user bind):

chown -R root:bind /var/dns

chmod 750 /var/dns

chown root:bind <configuration, hints and zone db/rev files>

chmod 640 /var/dns/named.root
0
jvosslerAuthor Commented:
From /etc/group

bind:x:108:


From /etc/passwd

bind:x:103:108::/var/cache/bind:/bin/false


I performed the commands you suggested but got the same results and log messages when I attempted to start bind9


0
Jan SpringerCommented:
change the login directory for user 'bind' to /var/dns

cp /etc/bind/named.conf /var/dns/
mv /etc/bind/named.conf /etc/bind/named.conf.prod
ln -s /etc/bind/named.conf /var/dns/named.conf
0
jvosslerAuthor Commented:
I changed the home directory for bind to /var/dns

I copied and then moved the named.conf and set up the symbolic link via "ln -s /var/dns/named.conf /etc/bind/named.conf "

When attempting to start bind9 I get a permissions problem opening /etc/bind/named.conf. I tried it with /var/dns/named.conf owned by root:root and later by root:bind.



0
Jan SpringerCommented:
chown root:bind /etc/bind/named.conf

chown root:bind /var/dns/named.conf

Your link statement is incorrect.  You want named.conf in /var/dns and a link in /etc/bind/:

ls -l /etc/bind/named.conf should look something like this:

lrwxrwxrwx 1 root bind XX Apr 13 hh:mm /etc/bind/named.conf -> /var/dns/named.conf
0
jvosslerAuthor Commented:
I did move the file to /var/dns and the link existed in /etc/bind

In the ln statement you put the target first and then the link name. From the man page:

 ln [OPTION]... [-T] TARGET LINK_NAME   (1st form)
In the 1st form, create a link to TARGET with the name LINK_NAME.

I am getting permission denied for accessing the /etc/bind/named.conf file


fw1:/etc/bind> ls -l /etc/bind
total 28
drwxr-sr-x   2 root bind 4096 2010-04-13 14:22 .
drwxr-xr-x 103 root root 4096 2010-04-14 05:51 ..
-rw-r--r--   1 root bind 4321 2010-03-08 21:19 named.bak
lrwxrwxrwx   1 root bind   19 2010-04-13 14:22 named.conf -> /var/dns/named.conf
-rw-r--r--   1 root bind 4148 2010-01-08 14:17 named.conf.orig
-rw-r--r--   1 root bind  202 2010-03-08 21:00 rndc.conf
fw1:/etc/bind> ls -l /var/dns
total 132
drwxr-x---  2 root bind 4096 2010-04-13 14:20 .
drwxr-xr-x 15 root root 4096 2004-10-12 16:42 ..
-rw-r--r--  1 root bind  319 2010-03-08 21:18 127.0.0.rev
-rw-r--r--  1 root bind  670 2010-03-01 20:35 192.168.1.rev
-rw-r--r--  1 root bind  720 2010-03-01 20:35 192.168.2.rev
-rw-r--r--  1 root bind  797 2010-03-01 20:35 192.168.3.rev
-rw-r--r--  1 root bind  721 2010-03-01 20:35 192.168.4.rev
-rw-r--r--  1 root bind  875 2010-03-01 20:35 192.168.5.rev
-rw-r--r--  1 root bind  971 2010-03-01 20:35 192.168.6.rev
-rw-r--r--  1 root bind  664 2010-03-01 20:35 192.168.7.rev
-rw-r--r--  1 root bind  686 2010-03-01 20:35 192.168.8.rev
-rw-r--r--  1 root bind 1010 2010-03-01 20:35 192.168.9.rev
-rw-r--r--  1 root bind  857 2010-03-01 20:35 72.19.183.rev
-rwxr-xr-x  1 root bind 1248 2010-03-01 20:35 arp-file
-rwxr-xr-x  1 root bind  406 2010-03-04 05:47 get.named.root
-rw-r--r--  1 root bind  319 2010-03-01 20:35 localhost.rev
-rw-r--r--  1 root bind 7002 2010-03-01 20:35 master.itinfrastructures.net
-rw-r--r--  1 root bind  306 2010-03-01 20:35 master.localhost
-rw-r--r--  1 root bind  620 2010-03-01 20:35 master.vosslerangus.com
-rw-r--r--  1 root bind  620 2010-03-01 20:35 master.vosslerranch.com
-rw-r--r--  1 root bind  601 2010-03-01 20:35 master.vrcontracting.com
-rw-r--r--  1 root bind 4321 2010-04-13 14:20 named.conf
-rw-r-----  1 root bind 2938 2010-03-08 20:37 named.root
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0202201004:07
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0208200904:07
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0702200911:44
-rw-r--r--  1 root bind 2876 2010-03-01 20:35 named.root.20080809
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.new
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.orig
-rw-r--r--  1 root bind  159 2010-03-01 20:35 named.stats
-rwxrwxrwx  1 root bind    0 2010-03-08 21:01 rndc.pid
-rwxr-xr-x  1 root bind   49 2010-03-01 20:35 update
fw1:/etc/bind>
0
Jan SpringerCommented:
ls -ld /etc/bind
ls -ld /var/dns
ls -l /usr/sbin/named
  should be -> chmod 755 /usr/sbin/named

With named running as user 'bind', no selinux, no chroot, directories and files owned by group bind, and user bind allowed to run /usr/sbin/named, you should not have permission errors.

Verify the above ownership, then run the following and let me know what the logs say:

/usr/sbin/named -c /var/dns/named.conf  -u bind
0
jvosslerAuthor Commented:
Here is the output you requested, along with the log file output from the named command

fw1:/etc/bind> ls -ld /etc/bind
drwxr-sr-x 2 root bind 4096 2010-04-13 14:22 /etc/bind

fw1:/etc/bind> ls -ld /var/dns
drwxr-x--- 2 root bind 4096 2010-04-13 14:20 /var/dns

fw1:/etc/bind> ls -l /usr/sbin/named
-rwxr-xr-x 1 root root 479768 2009-12-04 08:34 /usr/sbin/named

fw1:/etc/bind> /usr/sbin/named -c /var/dns/named.conf -u bind
fw1:/etc/bind>


syslog tail

Apr 14 07:43:03 fw1 named[15251]: starting BIND 9.6.1-P2 -c /var/dns/named.conf -u bind
Apr 14 07:43:03 fw1 named[15251]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr 14 07:43:03 fw1 named[15251]: adjusted limit on open files from 1024 to 1048576
Apr 14 07:43:03 fw1 named[15251]: found 8 CPUs, using 8 worker threads
Apr 14 07:43:03 fw1 named[15251]: using up to 4096 sockets
Apr 14 07:43:03 fw1 named[15251]: loading configuration from '/var/dns/named.conf'
Apr 14 07:43:03 fw1 kernel: [3354128.463996] type=1503 audit(1271252583.472:49): operation="open" pid=15260 parent=15250 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.conf"
Apr 14 07:43:03 fw1 named[15251]: none:0: open: /var/dns/named.conf: permission denied
Apr 14 07:43:03 fw1 named[15251]: loading configuration: permission denied
Apr 14 07:43:03 fw1 named[15251]: exiting (due to fatal error)



daemon.log tail output

Apr 14 07:43:03 fw1 named[15251]: starting BIND 9.6.1-P2 -c /var/dns/named.conf -u bind
Apr 14 07:43:03 fw1 named[15251]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr 14 07:43:03 fw1 named[15251]: adjusted limit on open files from 1024 to 1048576
Apr 14 07:43:03 fw1 named[15251]: found 8 CPUs, using 8 worker threads
Apr 14 07:43:03 fw1 named[15251]: using up to 4096 sockets
Apr 14 07:43:03 fw1 named[15251]: loading configuration from '/var/dns/named.conf'
Apr 14 07:43:03 fw1 named[15251]: none:0: open: /var/dns/named.conf: permission denied
Apr 14 07:43:03 fw1 named[15251]: loading configuration: permission denied
Apr 14 07:43:03 fw1 named[15251]: exiting (due to fatal error)

0
Jan SpringerCommented:
Are you running apparmor?
0
jvosslerAuthor Commented:
Yes. Apparmor is installed by default with Ubuntu since 8.10 (Intrepid). I am running 9.10 (Karmic)


Do I need to either disable apparmor or change the configuration?

0
Jan SpringerCommented:
Yes. Modify the configuration to allow the bind user to run that app.
0

jvosslerAuthor Commented:
I added a line in the usr.bin.named file under /etc/apparmor.d to include read-write access to /var/dns. I had to make it writable since the rndc.pid file is located there.

I also had to make the /var/dns directory group writable for group bind.


Would it be prudent to relocate the named.conf back to /etc/bind? And should I point the rndc.pid file at /etc/bind and remove the write permissions on /var/dns?


All my previous Ubuntu work has been on 8.04 LTS, this has apparmor installed but not configured. So I am reading up on this subset of selinux.
0
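The tell-tale line in the logs posted above is the kernel's `type=1503 audit(...)` record naming `profile="/usr/sbin/named"`: that is an AppArmor (mandatory access control) denial, which is why no amount of chmod 777 on /var/dns changed anything. As an added example, not part of the thread and not from the Ubuntu or ISC packages, the script below turns such denial lines into the profile rules named needs and shows how to apply them with least privilege. It assumes POSIX sh with sed and sort, the Ubuntu profile file /etc/apparmor.d/usr.sbin.named (newer Ubuntu releases keep site additions in /etc/apparmor.d/local/usr.sbin.named instead), and the two audit lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from the Ubuntu/ISC bind packages.
# Turns AppArmor denial lines (type=1503 audit records carrying
# profile="/usr/sbin/named") into the profile rules named needs, then
# shows how to apply and verify them. Assumes POSIX sh with sed/sort and,
# for the apply step, Ubuntu's /etc/apparmor.d/usr.sbin.named profile.

# The two denials quoted in the thread (first the hints file, then the
# relocated named.conf). Every other value below is derived from them.
DENIAL_ROOT='Apr  8 20:30:36 fw1 kernel: [206981.178545] type=1503 audit(1268105436.188:25): operation="open" pid=4045 parent=4035 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.root"'
DENIAL_CONF='Apr 14 07:43:03 fw1 kernel: [3354128.463996] type=1503 audit(1271252583.472:49): operation="open" pid=15260 parent=15250 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.conf"'

# Extract one key="value" field from an audit line; prints nothing if absent.
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Profile the denial was logged against (tells you which profile file to edit).
aa_profile_from_denial() {
    aa_field profile "$1"
}

# Build the rule that would have allowed this denial, e.g.
#   /var/dns/named.root r,
# denied_mask in this log format is prefixed with "::"; the letters after the
# last colon are the file permissions (r, w, k, l, m, x ...). Returns 1 when
# the line is not an AppArmor file denial.
aa_rule_from_denial() {
    path=$(aa_field name "$1")
    mask=$(aa_field denied_mask "$1" | sed 's/.*://')
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$path" "$mask"
}

# Stream of audit lines on stdin -> deduplicated rule list for the profile.
aa_rules_from_log() {
    while IFS= read -r line; do
        aa_rule_from_denial "$line" || true
    done | sort -u
}

# Same, but read from the live kernel log (needs root on the real host).
aa_rules_for_named() {
    grep 'profile="/usr/sbin/named"' "${1:-/var/log/kern.log}" | aa_rules_from_log
}

# Stand-alone demo on the two captured lines.
printf '%s\n%s\n' "$DENIAL_ROOT" "$DENIAL_CONF" | aa_rules_from_log

# Applying the result (run by hand as root; kept as comments so the demo
# stays offline):
#   1. Paste the rules inside the braces of /etc/apparmor.d/usr.sbin.named.
#      For this server a least-privilege set is: read on the zone directory,
#      write only on the pid file that pid-file "rndc.pid" (relative to
#      directory "/var/dns") makes named create there:
#        /var/dns/ r,
#        /var/dns/** r,
#        /var/dns/rndc.pid rw,
#   2. apparmor_parser -r /etc/apparmor.d/usr.sbin.named   # reload profile
#   3. aa-status                                           # confirm enforce
#   4. /etc/init.d/bind9 start; grep 'type=1503' /var/log/kern.log | tail
#      (no new denials naming /var/dns means the rules are sufficient)
```

Run it as-is and it prints the two rules the posted denials call for; on the real host, `aa_rules_for_named` collects them from kern.log instead. Granting `rw` only on rndc.pid rather than on all of /var/dns keeps the zone files read-only to named even if the process is compromised; the directory itself still needs DAC write permission for group bind so that the pid file can be created. Run `named-checkconf -z` before reloading the profile, since the thread's earlier checkconf output also flagged the localhost reverse zone.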
Jan SpringerCommented:
I run bind in a chroot and so have links from the non-chroot files pointing to the chrooted files. My pid is in the chrooted directory structure as well.

So, your pid file in the standard pid location or within the /var/dns structure makes sense.

A link from /etc/bind/named.conf to /var/dns/named.conf also makes sense.

I prefer to follow standards for the installation and to be consistent across like platforms (i.e., Ubuntu installs).  I don't use Ubuntu and so cannot advise as to the best location for those files.
0
jvosslerAuthor Commented:
Thank you for all your help. It's been a real education.
0
jvosslerAuthor Commented:
This expert stuck with me through a great deal of tedious trouble shooting. Quickly responded to every post and solved the problem.
0