HPE Community
Operating System - Linux
1833159 Members
3145 Online
110051 Solutions
New Discussion

Re: Slave DNS server failed to access zone

 
SOLVED
Go to solution
Maaz
Valued Contributor

‎04-22-2006 06:00 AM

‎04-22-2006 06:00 AM

Slave DNS server failed to access zone

OS: rhel 4
Master DNS server IP: 192.168.0.9
Slave DNS server IP: 192.168.0.8

I have configure Master DNS server, its working fine.
On Master server:
/etc/named.conf
zone "test.com" IN {
type master;
file "test.com.frwd";
};
# ls -dl /var/named/chroot/var/named/
drwxr-x--- 4 root named 4096 Apr 11 16:03 /var/named/chroot/var/named/

# ls -dl /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

On Slave Server:
/etc/named.conf
zone "test.com" IN {
type slave;
file "test.com.frwd";
masters {192.168.0.9;};
};
# ls -dl /var/named/chroot/var/named/
drwxr-x--- 4 root named 4096 Apr 11 16:03 /var/named/chroot/var/named/

# ls -dl /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

Slave server failed to download the zone file from master file

On Master server
tail -f /var/log/messages
April 22 18:13:13 ns1 named[2343]:zone test.com/IN: Sending notifies serial 1997022700)
April 22 18:13:13 ns1 named[2343]:client 192.168.0.8#1027: transfer of 'test.com/IN': AXFR started

On Slave server
tail -f /var/log/messages
April 22 18:13:13 ns2 named[2438]: received notify for zone 'test.com'
April 22 18:13:13 ns2 named[2438]:dumping master file: tmp-XXXXo5lyZp: open: permission denied
April 22 18:13:13 ns2 named[2438]:transfer of 'test.com/IN' from 192.168.0.9#53: failed while receiving responses: permission denied
April 22 18:13:13 ns2 named[2438]: transfer of 'testing.com/IN' from 192.168.0.9#53: end of transfer

Plz help
Regards
Maaz
0 Kudos
12 REPLIES 12
Manuel Wolfshant
Trusted Contributor

‎04-22-2006 01:54 PM

‎04-22-2006 01:54 PM

Re: Slave DNS server failed to access zone

The error simply says that named on the slave computer is not allowed to write the zone file on the disk.
Make sure you are really using the folder you think you are. It looks to me that you also need write permissions in a temporary folder below the chroot, probably /var/named/chroot/var/tmp.

Did you install bind-chroot ?
0 Kudos
Maaz
Valued Contributor

‎04-22-2006 06:59 PM

‎04-22-2006 06:59 PM

Re: Slave DNS server failed to access zone

Thanks Dear Manuel Wolfshant for the reply/help.
Tomorow, I'll check the permission on /././tmp, and then I'll let u know

bind-chroot, yes ... I think its the default in rhel4
Regards
Maaz
0 Kudos
Steven E. Protter
Exalted Contributor

‎04-22-2006 07:07 PM

‎04-22-2006 07:07 PM

Re: Slave DNS server failed to access zone

On the master:

allow-transfer { localhost; 233.29.17.13; 19.146.119.223;};

This should permit transfer, otherwise unauthorized attempts to be slave servers will fail.

It keeps people from messing with you and setting up phishing sites and such.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Maaz
Valued Contributor

‎04-22-2006 07:22 PM

‎04-22-2006 07:22 PM

Re: Slave DNS server failed to access zone

Thanks for reply SEP
I even did the following
On Master server:
/etc/named.conf
zone "test.com" IN {
type master;
file "test.com.frwd";
allow-update {192.168.0.8;};
};

But prblms remain.
I'll follow ur instruction and will let u know tomorow.
0 Kudos
Steven E. Protter
Exalted Contributor

‎04-22-2006 11:26 PM

‎04-22-2006 11:26 PM

Re: Slave DNS server failed to access zone

Shalom,

You need to restart named

service named restart

All this data is cached in memory and you have to force the change.

Also may be needed to update the zone record serial number of the master of the domain.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Manuel Wolfshant
Trusted Contributor

‎04-23-2006 03:17 AM

‎04-23-2006 03:17 AM

Re: Slave DNS server failed to access zone

Dear gentlemen, please allow me two small corrections:

issue one: "allow update" placed in a zone definition on the master server would allow it to RETRIEVE the zone (actually to have it UPDATED) from the slave. this is NOT what you want. It is only useful for dynamic DNS updates, when a slave zone is modified and the master must be informed. What you would want would be allow-transfer, which allows the slave to issue the XFER command (aka transfer the entire zone at once, not just individual records, as allow-query permits)
Taking into account the message which started the thread, that is:
"April 22 18:13:13 ns1 named[2343]:client 192.168.0.8#1027: transfer of 'test.com/IN': AXFR started" it is obvious that this step has already been taken care of.
Mr. Protter's suggestion to explicitely allow zone transfers to those who should be allowed to do it and only allow queries to the rest of the world (denying AXFR) is excellent from a security point of view.
However, the error message is:
"April 22 18:13:13 ns2 named[2438]:dumping master file: tmp-XXXXo5lyZp: open: permission denied"
which clearly indicates a write permission error on the local filesystem. It has NOTHING to do with bind or zone settings.

issue two: no need to RESTART the server when you update a zone. The correct method is to use "rndc reload zone", or maybe "rndc reload" if you have several zones that need updates. Whenever you use restart, you loose ALL the cached data. Which might not be important for small servers but do impose a penalty on large servers.
0 Kudos
Maaz
Valued Contributor

‎04-23-2006 05:44 AM

‎04-23-2006 05:44 AM

Re: Slave DNS server failed to access zone

Thanks Mr Manuel Wolfshant for continous help and explanations... really nice explanations

Regards
Maaz
0 Kudos
Maaz
Valued Contributor

‎04-24-2006 07:25 AM

‎04-24-2006 07:25 AM

Re: Slave DNS server failed to access zone

On Master/Slave servers

# ls -l /var/named/chroot/
total 24
drwxrwxr-- 2 root named 4096 Dec 26 01:40 dev
drwxrwx--- 2 root named 4096 Dec 26 01:40 etc
drwxrwx--- 5 root named 4096 Dec 26 01:40 var

# ls -l /var/named/chroot/var/
total 24
drwxr-x--- 4 root named 4096 Apr 23 17:33 named
drwxrwx--- 3 root named 4096 Dec 26 01:40 run
drwxrwx--- 2 named named 4096 Mar 14 2003 tmp

# ls -ld /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

Regards
Maaz
0 Kudos
Manuel Wolfshant
Trusted Contributor

‎04-24-2006 09:26 AM

‎04-24-2006 09:26 AM

Solution

Re: Slave DNS server failed to access zone

Please be as kind as to edit the zone file on your slave and replace
type slave;
file "test.com.frwd";
with
type slave;
file "slaves/test.com.frwd";

For the moment you are trying to write the zone file in /var/named/chroot/var/named/ where named does not have write access.
0 Kudos
Maaz
Valued Contributor

‎04-25-2006 05:37 AM

‎04-25-2006 05:37 AM

Re: Slave DNS server failed to access zone

Dear Manuel Wolfshant Thanks for help/suport.

>For the moment you are trying to write the zone file >in /var/named/chroot/var/named/ where named does not have write access

then what should I do ?
Regards
Maaz
0 Kudos
Manuel Wolfshant
Trusted Contributor

‎04-25-2006 05:41 AM

‎04-25-2006 05:41 AM

Re: Slave DNS server failed to access zone

Please reread the begining of my previous reply
0 Kudos
Maaz
Valued Contributor

‎04-26-2006 05:40 AM

‎04-26-2006 05:40 AM

Re: Slave DNS server failed to access zone

Many Thanks Dear Mr Manuel Wolfshant for such nice help/support/explanations ;)

Thanks SEP for reply.

Regards
Maaz
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.