While installing a slave DNS server with BIND, I ran into trouble: I could not understand why my slave zone would not synchronize. I found these entries in /var/log/daemon.log:
named[24309]: dumping master file: /etc/bind/tmp-b0KyuKU5pG: open: permission denied
named[24309]: transfer of 'domain.com/IN' from w.x.y.z#53: failed while receiving responses: permission denied
It appears that since Hardy, Ubuntu doesn't allow the named process to write to /etc/bind/ while it's running.
Ubuntu is instead configured to have slave zones live under /var/cache/bind/, e.g. /var/cache/bind/db.domain.com.
So your slave zone will look like:
zone "domain.com" IN {
    type slave;
    file "/var/cache/bind/db.domain.com";
    masters { w.x.y.z; };
};
In detail, this is due to AppArmor, specifically the profile /etc/apparmor.d/usr.sbin.named.
As shipped with Ubuntu, this file contains the rules for the named process that restrict where BIND can write its zones, and it reserves /var/cache/bind/ as the directory where BIND is supposed to put its slave zones.
This seems technically sound to me, because /etc is pretty much supposed to be "read-only capable" (besides /etc/mtab and /etc/resolv.conf, which you can put in /dev/shm or link from /var/etc). This makes me wonder where to put master zones that you want to change. Probably in /var/lib/bind, because that's where dynamically updated zones go.
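As an added example (not part of the original post), here is a small POSIX shell check that scans a named.conf-style file for slave zones whose "file" path is outside /var/cache/bind/, which is the symptom the AppArmor profile above turns into the "permission denied" transfer failure. The sample configuration is constructed inline; the zone names, the w.x.y.z master address and the function name are assumptions.

```shell
#!/bin/sh
# Added example: report slave zones whose file lives outside /var/cache/bind/.
# Not the original post's code; the config below is constructed for the demo.

# find_misplaced_slave_zones CONFIG_FILE
# Prints "<zone> <file>" for every "type slave" zone whose file path does
# not start with /var/cache/bind/ (the directory Ubuntu's AppArmor profile
# for named allows writes to).
find_misplaced_slave_zones() {
    awk '
        # A zone stanza starts: remember its name, reset the fields.
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
            ztype = ""; zfile = ""
        }
        # "type slave;" -> ztype = slave
        /^[[:space:]]*type[[:space:]]+/ { ztype = $2; sub(/;$/, "", ztype) }
        # file "/path/to/db";
        /^[[:space:]]*file[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            zfile = substr($0, RSTART + 1, RLENGTH - 2)
        }
        # End of the stanza: decide whether this zone is misplaced.
        /^[[:space:]]*};/ {
            if (zone != "" && ztype == "slave" && zfile !~ /^\/var\/cache\/bind\//)
                print zone, zfile
            zone = ""
        }
    ' "$1"
}

# Constructed sample config: one misplaced slave, one correct slave, one master.
TMP_CONF=$(mktemp)
trap 'rm -f "$TMP_CONF"' EXIT
cat > "$TMP_CONF" <<'EOF'
zone "domain.com" IN {
    type slave;
    file "/etc/bind/db.domain.com";
    masters { w.x.y.z; };
};
zone "example.net" IN {
    type slave;
    file "/var/cache/bind/db.example.net";
    masters { w.x.y.z; };
};
zone "example.org" IN {
    type master;
    file "/etc/bind/db.example.org";
};
EOF

# Expected: only "domain.com /etc/bind/db.domain.com" is reported.
find_misplaced_slave_zones "$TMP_CONF"
```

Run it against your real /etc/bind/named.conf.local (or any included file) by calling the function with that path; any line it prints is a zone whose file should be moved under /var/cache/bind/ before the next transfer.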
sismon said
Wow!!
Nice one, thanks for these useful hints!! I've been looking to solve this the whole afternoon....
Diego said
Remove the apparmor program:
apt-get remove apparmor
Restart named (bind) and it will work normally!
subagja said
wow, I spent 3 days looking for a solution, many thanks.