-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charles Curley wrote: >> That's one solution I found for someone having the same problem and >> it makes sense, as right now your secondary is trying to write the >> localdomain file to /var/named, which it won't have permission to >> write to by default. > > Well, it *should*. The files there are root:named. But that explains > it, doh. The files have permissions of -rw-r-----, so all I needed > to do was change that. The files have those permissions, but the directory itself isn't writable by named. > Is this a bug in bind, or rather in the bind RPM package? I'm > running this in the chroot jail provided by the bind-chroot package. Neither, AFAICT. It's by design. Slaves are meant to go in the slaves subdir, with is writable by named. This is for security. It limits the amount of damage someone can do with a bind exploit by limiting the permissions the named user/group has. (Not that bind has ever had remote exploits. ;) > This leaves one minor mystery: > > Jul 3 22:07:09 dragon named[15783]: running > Jul 3 22:07:09 dragon named[15783]: zone localdomain/IN: Transfer started. > Jul 3 22:07:09 dragon named[15783]: transfer of 'localdomain/IN' from 192.168.1.3#53: connected using 192.168.1.4#57114 > Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: transferred serial 2006070301 > Jul 3 22:07:10 dragon named[15783]: transfer of 'localdomain/IN' from 192.168.1.3#53: end of transfer > Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: sending notifies (serial 2006070301) > Jul 3 22:07:10 dragon named[15783]: client 192.168.1.4#32921: received notify for zone 'localdomain' > Jul 3 22:07:10 dragon named[15783]: zone localdomain/IN: refused notify from non-master: 192.168.1.4#32921 > > Well, of course it's refusing a notification from itself. I'm probably > leaving out an option to tell it not to notify anyone of the > change. Well, I'll track that one down later. I think you'll want to fiddle with the settings for notify and/or also-notify[1]: notify If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see the section called "Notify". The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash. It seems to me that if you set notify to no in the zone config for localdomain on the slave, that would prevent it from trying to notify itself. But I'm going on reading the manual, not on having done this within a reasonable period of time in the past. >> Relying on government to protect your privacy is like asking a peeping >> tom to install your window blinds. >> -- John Barlow, co-founder of EFF > > > Good one. From whom do they think I want to protect my privacy, > anyway. Yourself? Isn't that who the government is always protecting you from? [1] http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#boolean_options - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== I have to decide between two equally frightening options. If I wanted to do that, I'd vote. -- Duckman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkSp+LsmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1r4+gCglCHE1QtFDzq/sR1wZRrkgs3f19sAoIRgeRgC vVxyqlmqQc7Vf+BC8xgC =/CPI -----END PGP SIGNATURE-----