Tim wrote:
Tim:
It (updating master records) certainly works in FC4, though I've set
SELinux options to allow named to overwrite master zone files.
Paul Howarth:
It can't create new files such as journal files in
/var/named/chroot/var/named though, as that's only writeable by root.
A bit of an oops with my prior post. I looked at the wrong server (one
of the slaves). This is my master server (on FC4, mind you):
ll /var/named/chroot/var/named/ -d
drwxr-x--- 6 named named 4096 Jul 31 19:14 /var/named/chroot/var/named/
My master DNS server can write its master records, and journal files, as
directed to by the DHCP server.
You must have changed the ownership/permissions then. The
bind-chroot-9.3.1-20.FC4 package has:
drwxr-x--- 2 root named 0 Mar 31 01:01 /var/named/chroot
drwxr-x--- 2 root named 0 Mar 31 01:01 /var/named/chroot/dev
drwxr-x--- 2 root named 0 Mar 31 01:01 /var/named/chroot/etc
drwxr-x--- 2 root named 0 Mar 13 2003 /var/named/chroot/var
drwxr-x--- 2 root named 0 Aug 25 2004 /var/named/chroot/var/named
drwxrwx--- 2 named named 0 Aug 25 2004 /var/named/chroot/var/named/data
drwxrwx--- 2 named named 0 Jul 27 2004 /var/named/chroot/var/named/slaves
drwxrwx--- 2 root named 0 Mar 13 2003 /var/named/chroot/var/run
drwxrwx--- 2 named named 0 Mar 13 2003 /var/named/chroot/var/run/named
drwxrwx--- 2 named named 0 Mar 13 2003 /var/named/chroot/var/tmp
So /var/named/chroot/var/named is owned by root, not named. Mind you,
it's writeable by group named. This is not the case in
bind-chroot-9.3.2-20.FC5, which has:
drwxr-x--- 2 root named 0 Apr 19 15:12 /var/named/chroot
drwxr-x--- 2 root named 0 Apr 19 15:12 /var/named/chroot/dev
drwxr-x--- 2 root named 0 Apr 19 15:12 /var/named/chroot/etc
drwxr-x--- 2 root named 0 Mar 13 2003 /var/named/chroot/var
drwxr-x--- 2 root named 0 Apr 19 15:12 /var/named/chroot/var/named
drwxrwx--- 2 named named 0 Aug 25 2004 /var/named/chroot/var/named/data
drwxrwx--- 2 named named 0 Jul 27 2004 /var/named/chroot/var/named/slaves
drwxr-x--- 2 root named 0 Mar 13 2003 /var/named/chroot/var/run
drwxrwx--- 2 named named 0 Mar 13 2003 /var/named/chroot/var/run/named
drwxrwx--- 2 named named 0 Mar 13 2003 /var/named/chroot/var/tmp
Which has /var/named/chroot/var/named not writeable by group named.
There's also SELinux to consider - see:
http://www.isc.org/index.pl?/sw/bind/FAQ.php (search for "journal" on
that page)
Mine's been sitting on permissive for a long time, and is allowed to
write to master files. I should switch back to enforcing and retest.
I agree that using the "slaves" directory for this seems wrong; the
"data" directory would be better, and should also work OK.
Not sure that I've come across an explanation for what the data
directory is there for.
I'd wager it's there especially for DDNS users :-)
Paul.
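The question running through the thread is whether named, running as user "named" in group "named", can create a DDNS journal file in a given directory of the chroot. Creating a file needs both write and search (w and x) on the parent directory, and the owner bits, group bits and other bits apply in that order of precedence. The script below is an added example, not code from the thread or from the bind-chroot package: it evaluates "ls -ld"-style mode/owner/group triples for the named user and reports which directories it could create files in. The two listings are constructed to illustrate the two cases discussed (a root:named zone directory with and without group write); they are not the exact package contents.

```shell
#!/bin/sh
# Added example: evaluate from "ls -ld"-style mode/owner/group whether a
# user (the named daemon, user "named" in group "named") can create entries
# such as DDNS journal files in a directory. Creating a file needs both
# write and search (w and x) on the parent directory.

# can_create MODE OWNER GROUP USER GROUP...
# Exit status 0 if USER, a member of the listed GROUPs, can create files.
can_create() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s\n' "$mode" | cut -c2-4)       # rwx for owner
    else
        in_group=0
        for g in "$@"; do
            [ "$g" = "$group" ] && in_group=1
        done
        if [ "$in_group" = 1 ]; then
            bits=$(printf '%s\n' "$mode" | cut -c5-7)   # rwx for group
        else
            bits=$(printf '%s\n' "$mode" | cut -c8-10)  # rwx for others
        fi
    fi
    # 's' (setgid) and 't' (sticky) in the x position still imply x.
    case $bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed listings in "mode owner group path" form (assumed layouts,
# not the verbatim package contents): a zone directory owned root:named
# with group write, versus the same directory without group write.
ZONEDIR_0770='drwxrwx--- root named /var/named/chroot/var/named
drwxrwx--- named named /var/named/chroot/var/named/data
drwxrwx--- named named /var/named/chroot/var/named/slaves'
ZONEDIR_0750='drwxr-x--- root named /var/named/chroot/var/named
drwxrwx--- named named /var/named/chroot/var/named/data
drwxrwx--- named named /var/named/chroot/var/named/slaves'

# writable_dirs LISTING: print the paths in which named can create files.
writable_dirs() {
    printf '%s\n' "$1" | while read -r mode owner group path; do
        if can_create "$mode" "$owner" "$group" named named; then
            printf '%s\n' "$path"
        fi
    done
}

echo "zone dir root:named 0770, named can create journal files in:"
writable_dirs "$ZONEDIR_0770"
echo "zone dir root:named 0750, named can create journal files in:"
writable_dirs "$ZONEDIR_0750"
```

With the zone directory at 0750 the only places named can create a journal are the data and slaves subdirectories, which is why a master zone file with DDNS enabled has to live under one of those (or the directory's permissions have to be changed). This only covers discretionary permissions; with SELinux enforcing, the named domain additionally needs policy permission to write the zone directory, as the ISC FAQ entry mentioned above describes.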