Re: Bind Zone Transfer Problem


On Tue, Jul 04, 2006 at 01:12:28AM -0400, Todd Zullinger wrote:
> Charles Curley wrote:
> >> That's one solution I found for someone having the same problem and
> >> it makes sense, as right now your secondary is trying to write the
> >> localdomain file to /var/named, which it won't have permission to
> >> write to by default.
> > 
> > Well, it *should*. The files there are root:named. But that explains
> > it, doh. The files have permissions of -rw-r-----, so all I needed
> > to do was change that.
> 
> The files have those permissions, but the directory itself isn't
> writable by named.
> 
> > Is this a bug in bind, or rather in the bind RPM package? I'm
> > running this in the chroot jail provided by the bind-chroot package.
> 
> Neither, AFAICT.  It's by design.  Slaves are meant to go in the
> slaves subdir, which is writable by named.  This is for security.  It
> limits the amount of damage someone can do with a bind exploit by
> limiting the permissions the named user/group has.  (Not that bind has
> ever had remote exploits. ;)

Good enough.


> 
> I think you'll want to fiddle with the settings for notify and/or
> also-notify[1]:

> 
> It seems to me that if you set notify to no in the zone config for
> localdomain on the slave, that would prevent it from trying to notify
> itself.  But I'm going on reading the manual, not on having done this
> within a reasonable period of time in the past.

Yep. In the options stanza, I added "notify no;" and the error message
went away.

> 
> >> Relying on government to protect your privacy is like asking a peeping
> >> tom to install your window blinds.
> >>     -- John Barlow, co-founder of EFF
> > 
> > 
> > Good one. From whom do they think I want to protect my privacy,
> > anyway.
> 
> Yourself?  Isn't that who the government is always protecting you
> from?

Oh, yeah, thanks. I had forgotten how noble and selfless our lords and
masters are.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
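
An added example, not part of the original message or of the bind package: a small check for the layout described above, where slave zone files belong under the named-writable slaves/ subdirectory rather than directly in /var/named. The sample named.conf, the zone names and the 192.0.2.1 master address are constructed, and the function name is hypothetical.

```sh
#!/bin/sh
# Added example: report slave zones whose zone file is outside slaves/.
# Assumes one statement per line and "file" paths relative to the
# options directory, as named.conf is usually laid out.

# Constructed sample named.conf (addresses and zone names are made up).
sample_conf() {
cat <<'EOF'
options {
    directory "/var/named";
    notify no;
};
zone "localdomain" IN {
    type slave;
    masters { 192.0.2.1; };
    file "localdomain.zone";
};
zone "example.test" IN {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.test.zone";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
};
EOF
}

# Reads named.conf text on stdin; prints each slave zone whose file
# would land directly in the directory that named cannot write to.
misplaced_slave_zones() {
    awk '
        $1 == "zone" { split($0, q, "\""); name = q[2]; type = ""; file = ""; inzone = 1; next }
        inzone && $1 == "type" { type = $2; sub(/;.*/, "", type) }
        inzone && $1 == "file" { split($0, q, "\""); file = q[2] }
        inzone && $1 == "};"   {
            if (type == "slave" && file !~ /^slaves\//) print name
            inzone = 0
        }
    '
}

sample_conf | misplaced_slave_zones   # prints: localdomain
```

Pointing the function at a real configuration is a matter of piping the file in on stdin; master zones are ignored because named only reads them.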
