2

System: Ubuntu 16.04.3 LTS

Synopsis:

#chmod 777 /etc/bind/slave
#chmod 777 /etc/bind
#service bind9 restart
#tail /var/log/syslog | grep dump
Aug 23 07:14:45 appserver named[25251]: dumping master file: /etc/bind/slave/tmp-IDIdwXAG2I: open: permission denied

What is happening here???

nagylzs
  • This question is related and the solution is the same: https://askubuntu.com/questions/926113/zone-afxr-fails-on-permission-error-dumping-master-file-etc-bind-zones-tmp-y – estibordo Sep 27 '18 at 18:18

2 Answers

4

What's happening is that the named process is unable to create a file in the /etc/bind/slave/ directory.

First of all, /etc is really a rather unorthodox location for regular services to have write access to.
Normally you would use a directory under /var/lib or /var/cache, depending on the type of data.

Regarding why your extremely liberal permissions (not at all a good idea) do not help, I would guess AppArmor (more likely for Ubuntu) or SELinux has a profile for BIND which is based around reasonable assumptions (see above) about which file paths need to be writable by named. This applies in addition to filesystem permissions.

I would suggest that you simply move the writable files to a more sane location.

Håkan Lindqvist
  • The very same config was working some months ago. I didn't touch it. By the way, of course I did not have 777 permission on /etc - I just wanted to try this before I post a question here. – nagylzs Aug 23 '17 at 05:33
  • @nagylzs Check your logs, I'm guessing AppArmor is yelling at you for trying to do things that are disallowed. Either way, I would suggest doing things right instead of persisting with this bad idea. – Håkan Lindqvist Aug 23 '17 at 05:38
  • Yes, that was it. After adding /etc/bind/slave rw and reloading the profile, it started to work. I agree - these files should not go under /etc/bind. But this was the default config given by the VPS provider, and already had some files in it. I guess having a writable DNS slave dir is fine. – nagylzs Aug 23 '17 at 05:41
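The check this answer points to (read the AppArmor denials out of the kernel/audit log) and the override the asker then applied, as an added shell example that is not part of the thread: it parses constructed syslog lines in the Ubuntu 16.04 audit format (the denied path is the one from the question; pid, uid and timestamps are made up), keeps only the named profile's denials, and derives the line to append to /etc/apparmor.d/local/usr.sbin.named. The override-file path and the `/usr/sbin/named` profile name are what stock Ubuntu ships; on other distributions treat them as assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that AppArmor (not the
# filesystem mode bits) is what denies named the write, and derive the override.
# On a real Ubuntu 16.04 host the input would come from
#   grep 'apparmor="DENIED"' /var/log/syslog /var/log/kern.log
# or from dmesg; the lines below are CONSTRUCTED in that format. The denied path
# is the one from the question; pid/uid/timestamps are made up.
APPARMOR_LOG_SAMPLE='Aug 23 07:14:45 appserver kernel: [ 4242.424242] audit: type=1400 audit(1503472485.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/slave/tmp-IDIdwXAG2I" pid=25251 comm="named" requested_mask="wc" denied_mask="wc" fsuid=106 ouid=106
Aug 23 07:14:45 appserver named[25251]: dumping master file: /etc/bind/slave/tmp-IDIdwXAG2I: open: permission denied
Aug 23 07:14:47 appserver kernel: [ 4244.000000] audit: type=1400 audit(1503472487.000:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/ppd/x.ppd" pid=1234 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# Print "operation|denied_mask|path" for every AppArmor DENIED event attributed
# to PROFILE in the log text on stdin. Non-audit lines (such as the named error
# message itself) and other profiles' denials are dropped.
apparmor_denials() {
    profile="$1"
    sed -n 's/.*apparmor="DENIED" operation="\([^"]*\)" profile="\([^"]*\)" name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2|\1|\4|\3/p' |
        awk -F'|' -v p="$profile" '$1 == p { print $2 "|" $3 "|" $4 }'
}

# Turn a denied path into a profile rule covering its whole directory.
# "w" in AppArmor includes create, so "rw" lets named write the temp file and
# rename it into place; "**" also matches files in subdirectories.
local_rule_for() {
    printf '%s/** rw,\n' "$(dirname "$1")"
}

# Append RULE to FILE once (idempotent). On stock Ubuntu, FILE would be
# /etc/apparmor.d/local/usr.sbin.named, which the shipped named profile
# includes (assumption: unmodified Ubuntu profile). Afterwards reload with
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
# and restart bind9.
append_local_rule() {
    rule="$1"; file="$2"
    grep -qxF -- "$rule" "$file" 2>/dev/null || printf '%s\n' "$rule" >> "$file"
}

# Stand-alone demo: list named's denials and the rule each one would need.
printf '%s\n' "$APPARMOR_LOG_SAMPLE" | apparmor_denials /usr/sbin/named |
    while IFS='|' read -r op mask path; do
        printf '%s denied (%s) on %s -> add: %s\n' "$op" "$mask" "$path" "$(local_rule_for "$path")"
    done
```

If you go this route, keep the answer's point in mind: the added rule makes the profile permit writes under /etc, so the cleaner fix is still to move the slave zone files out of /etc/bind.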
1

The answer above explained the cause well. There is a relative path defined in /etc/bind/named.conf.options, which is directory "/var/cache/bind";.

So what I suggest is to store your slave zone files in a more sane directory, which is defined in your named.conf.local file, and give ownership of the directory to the bind group or give write permission to the bind group,

like:

mkdir /var/cache/bind/slaves
chown bind:bind /var/cache/bind/slaves
Yang Yong
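The relocation this answer describes, as an added shell example (not the answerer's code): it resolves a zone `file` value against the `directory` option the way named does, refuses slave zone paths outside a directory named is allowed to write to, prepares the directory with bind ownership, and emits the named.conf.local stanza. The zone name, the master address (192.0.2.1, a documentation address) and the `slaves/` subdirectory are illustrative assumptions; /var/lib/bind is accepted as a second writable location on the assumption that the stock Ubuntu AppArmor profile permits it alongside /var/cache/bind.

```shell
#!/bin/sh
# Added example, not code from the answer. The relative "file" in a zone
# statement is resolved against options { directory "..."; }, which is
# /var/cache/bind on Ubuntu, so slave zones should live below it.

BIND_DIRECTORY=/var/cache/bind   # value of "directory" in named.conf.options

# Resolve a zone "file" value the way named does: absolute paths as-is,
# relative ones under the configured directory.
resolve_zone_file() {
    base="$1"; file="$2"
    case "$file" in
        /*) printf '%s\n' "$file" ;;
        *)  printf '%s/%s\n' "${base%/}" "$file" ;;
    esac
}

# Slave zones are written by named itself, so the path must be somewhere it is
# allowed to write. /var/cache/bind is the page's directory; /var/lib/bind is
# accepted on the assumption that the stock Ubuntu profile permits it too.
# /etc/bind is rejected: that is exactly what produced the original error.
slave_path_ok() {
    case "$1" in
        /var/cache/bind/*|/var/lib/bind/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the slave directory and hand it to the bind user. chown only runs
# when we are root and a "bind" account exists, so the demo also runs
# unprivileged on a machine without BIND installed.
prepare_slave_dir() {
    dir="$1"
    mkdir -p "$dir" && chmod 750 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ] && id bind >/dev/null 2>&1; then
        chown bind:bind "$dir" || return 1
    fi
}

# Emit a named.conf.local stanza for ZONE with MASTER, stored as a file
# relative to the cache directory (the subdirectory name "slaves" is assumed).
slave_zone_stanza() {
    zone="$1"; master="$2"
    printf 'zone "%s" {\n    type slave;\n    file "slaves/%s.db";\n    masters { %s; };\n};\n' "$zone" "$zone" "$master"
}

# Check a zone's file setting: prints the resolved path and returns non-zero
# if named would not be allowed to write there.
check_slave_zone_file() {
    path=$(resolve_zone_file "$BIND_DIRECTORY" "$1")
    printf '%s\n' "$path"
    slave_path_ok "$path"
}

# Stand-alone demo: the bad path from the question versus the relocated one.
for f in /etc/bind/slave/example.com.db slaves/example.com.db; do
    if p=$(check_slave_zone_file "$f"); then
        printf 'OK      %s\n' "$p"
    else
        printf 'REFUSE  %s (named cannot write here)\n' "$p"
    fi
done
slave_zone_stanza example.com 192.0.2.1
```

After moving the files, run `named-checkconf` and then restart bind9; the "dumping master file" error should be gone from syslog because the temp file is now created under /var/cache/bind, which both the filesystem ownership and the AppArmor profile allow.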