Hello,
Setup bind-9.9.2-P2 on a solaris 10 system using zones (an oracle
implementation of OS virtualization), with a dns data/configuration zone and a
dns zone. The dns data zone is on a private network and has the dns data
tables for bind (directory where data files stored in named.conf options area),
the bind installation, and bind configuration file, named.conf. The dns zone
is on the internet routable public network, and has the dns data, bind
installation, and bind configuration file available to it in a read only file
system. Figured that since we have successfully run earlier versions of bind
on dns servers with the data directory and data files as read only to the
userid bind runs as, this would also work, and provide the added benefit of
preventing the OS of the zone running bind on the public network from being
able modify the data area at all.
The dns server using this configuration seems to be running fine, but each time
bind re-reads the named.conf file these messages appear in named.log :
28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
28-Aug-2013 12:12:37.572 general: notice: all zones loaded
28-Aug-2013 12:12:37.573 general: notice: running
28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result:
30: Read-only file system
28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result:
30: Read-only file system
Is this error something to be worried about, or is it more of an info message?
Also, is much even gained security wise by disallowing the OS to write to the
dns data area? This particular error can be fixed by separating the dns
data directory from the bind configuration and bind installation, and putting
it on a writable file system for the public dns zone, but if the above error is
only a warning thinking of keeping the data as read only also. Any suggestions
are appreciated.
Thanks
*****The content of this message is my personal opinion only, and should not be
construed as anything that has been through rigorous scrutiny of the
professional groups who devote their life and work to the topics being
discussed********
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
