ubuntu and bind acting as slave

While installing a slave DNS server with bind, I ran into trouble: I could not understand why my slave zone would not synchronize. I then found these entries in /var/log/daemon.log:

named[24309]: dumping master file: /etc/bind/tmp-b0KyuKU5pG: open: permission denied
named[24309]: transfer of 'domain.com/IN' from w.x.y.z#53: failed while receiving responses: permission denied

It appears that since hardy, ubuntu doesn't allow the named process to write to /etc/bind/ while it's running.
Ubuntu is configured so that slave zones live under /var/cache/bind/, for example /var/cache/bind/db.domain.com.

So your slave zone will look like:

zone "domain.com" IN {
        type slave;
        file "/var/cache/bind/db.domain.com";
        masters { w.x.y.z; };
};

In detail, this is due to apparmor, and precisely the profile /etc/apparmor.d/usr.sbin.named.
As shipped with ubuntu, this file contains the authorizations for the named process; they restrict where bind can write its zone files and reserve /var/cache/bind/ as the directory where bind is supposed to put its slave zones.
This seems technically sound to me, because /etc is pretty much supposed to be "read-only able" (besides /etc/mtab and /etc/resolv.conf, which you can put in /dev/shm or link from /var/etc). This makes me wonder where to put master zones that you want to change? Probably in /var/lib/bind, because that is where dynamically updated zones are.
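To catch this misconfiguration before named logs "permission denied", the following added check (not part of the original post) walks the zone blocks of a named.conf fragment and flags every slave zone whose file path is outside the directories the post identifies as writable under the apparmor profile. It assumes, as the post states, that /var/cache/bind/ (slave zones) and /var/lib/bind/ (dynamically updated zones) are the writable locations, that a relative file path resolves against Ubuntu's default directory option /var/cache/bind, and that the configuration is written one directive per line as in the example above; the sample zones at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's code: verify that slave zones point at
# a path the apparmor profile for named lets it write to.

# check_slave_zone_files CONF_FILE
# Prints "OK <zone> <file>" or "BAD <zone> <file>" for every slave zone.
# Returns 1 if any slave zone file is outside the writable directories.
check_slave_zone_files() {
    awk '
        # Start of a zone block: remember the zone name, reset type and file.
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
            type = ""; file = ""
        }
        # "type slave;" -> strip the trailing semicolon.
        /^[[:space:]]*type[[:space:]]+/ { type = $2; sub(/;.*/, "", type) }
        # file "<path>";
        /^[[:space:]]*file[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            file = substr($0, RSTART + 1, RLENGTH - 2)
        }
        # End of the zone block (the nested "masters { ... };" line starts
        # with "masters", so it does not match here).
        /^[[:space:]]*};/ && zone != "" {
            if (type == "slave") {
                # Assumed writable: /var/cache/bind/ and /var/lib/bind/.
                # A relative path resolves under the "directory" option,
                # assumed to be /var/cache/bind on Ubuntu.
                if (file ~ /^\/var\/(cache|lib)\/bind\// || file !~ /^\//)
                    print "OK " zone " " file
                else {
                    print "BAD " zone " " file
                    bad = 1
                }
            }
            zone = ""
        }
        END { exit bad }
    ' "$1"
}

# Demonstration on a constructed configuration (sample zones, not real ones).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
zone "ok.example" IN {
        type slave;
        file "/var/cache/bind/db.ok.example";
        masters { 192.0.2.1; };
};
zone "broken.example" IN {
        type slave;
        file "/etc/bind/db.broken.example";
        masters { 192.0.2.1; };
};
zone "local.example" IN {
        type master;
        file "/etc/bind/db.local.example";
};
EOF
if check_slave_zone_files "$demo_conf"; then
    echo "all slave zone files are in writable directories"
else
    echo "some slave zone files would hit the apparmor restriction"
fi
rm -f "$demo_conf"
```

Run it against /etc/bind/named.conf.local on the slave; a BAD line means named will fail the zone transfer with exactly the "permission denied" messages shown above, and the fix is to move that zone's file under /var/cache/bind/ rather than to loosen or remove the profile.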


3 Comments »

  1. sismon said

    Wow !!

    Nice one, thanks for these useful hints!! I've been looking to solve this the whole afternoon….

  2. Diego said

    Remove the apparmor program
    apt-get remove apparmor
    Restart named (bind) and it will work normally!

  3. subagja said

    wow, I spent 3 days looking for a solution, many thanks.
