Alan, Tony, Rod, I know I tested the daemon allowing it to create the jnl file, but I have removed it and much to my surprise the zone loaded.
I removed the trailing dot; the syntax now matches my other zones, though the example I'd followed had stated it was necessary (I had not understood why). The zone now loads; however, when I use nsupdate (I thought a reasonable test prior to complicating things with DHCP), I still get the SERVFAIL error and the named log shows:

Error: db.dynamic.jnl: create: permission denied

Protections for /etc/dns-root (vs. my /etc/dns-source directory, where I make and attempt to verify changes on my production system; dns-source/ is unused on this newly installed test server) were included in my prior email. The protection mask on /etc/dns-root is (skipping time stamp, etc.):

drwxrwxr-x. named named /etc/dns-root

Just to make sure (pardon capitalization, I have a _very_ helpful mail interface...):

# getfacl /etc/dns-root
# file: /etc/dns-root
# owner: named
# group: named
User::rwx
Group::rwx
Other:r-x

And for good measure:

# lsattr -d /etc/dns-root
-------------- /etc/dns-root

The problem has been moved downstream but not resolved.

Will talk with my manager about the query-source address issue; I don't recall if he'd mandated this, or if it's a holdover from an earlier config. It is not a setting in the example config that installed with the package.

Thank you,
Brian

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Thursday, January 29, 2015 10:25 AM
To: bind-users@lists.isc.org
Subject: Re: problem loading dynamic zone

Other people have taken on the question in the Subject: line, so I'll go off on a different tack and request that you remove the line:

> query-source address * port 53;

from your configuration, and if it is part of a distribution's named.conf, consider opening a bug ticket with that distribution and having them remove it from their examples.
By removing the randomization from the query port, you are opening yourself to all types of mischief by those familiar with the Kaminsky vulnerability. If you aren't familiar with it yourself, here's a guide containing 27 8×10 color glossy pictures with circles and arrows and a paragraph on the back of each one explaining what each one was to be used as evidence against us...

http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

[And as a side note, the missing dot at the end of the Zone statement is not the problem]

AlanC

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
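The two issues in this thread, a query-source directive that pins the UDP source port and a journal file named cannot create, are both things a small check can catch before the next nsupdate. The following Python script is an added example, not code from the thread or from ISC: it flags query-source and query-source-v6 statements whose port is a literal number (named picks a random source port per query when the port is omitted or given as `*`), and pulls journal-creation permission errors out of named log lines so the affected .jnl file is named explicitly. The named.conf fragment reuses the /etc/dns-root path and the `query-source address * port 53;` line from the thread but is otherwise constructed, and the log lines, their timestamp/category layout and the zone name dynamic.example are constructed for the example.

```python
import re

# Constructed named.conf fragment. The directory path and the
# "query-source address * port 53;" line come from the thread; the rest is made up.
SAMPLE_CONF = """
options {
    directory "/etc/dns-root";          // zone files and their .jnl journals live here
    query-source address * port 53;     // pins the UDP source port: flagged
    query-source-v6 address * port *;   // explicit wildcard port: fine
    /* query-source address * port 5300; disabled, so ignored */
};
"""

# Constructed named log lines modelled on the error quoted in the thread.
# The timestamp/category layout and the zone name dynamic.example are assumptions.
SAMPLE_LOG = [
    "29-Jan-2015 10:30:01.123 general: info: zone dynamic.example/IN: loaded serial 2015012901",
    "29-Jan-2015 10:31:15.456 general: error: db.dynamic.jnl: create: permission denied",
]


def strip_comments(conf_text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def find_fixed_query_source_ports(conf_text):
    """Return (directive, port) for every query-source / query-source-v6 statement
    whose port is a literal number. Leaving the port out, or writing 'port *',
    lets named randomize the source port per query, which is the safe setting."""
    findings = []
    for m in re.finditer(r"\bquery-source(-v6)?\s+([^;]*);", strip_comments(conf_text)):
        directive = "query-source" + (m.group(1) or "")
        port = re.search(r"\bport\s+(\S+)", m.group(2))
        if port and port.group(1).isdigit():
            findings.append((directive, port.group(1)))
    return findings


def journal_permission_errors(log_lines):
    """Return the journal file names named reported it could not create."""
    pattern = re.compile(r"(\S+\.jnl): create: permission denied")
    found = []
    for line in log_lines:
        m = pattern.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for directive, port in find_fixed_query_source_ports(SAMPLE_CONF):
        print(f"{directive} pins the source port to {port}; "
              f"drop the 'port' clause (or use 'port *') to restore randomization")
    for jnl in journal_permission_errors(SAMPLE_LOG):
        print(f"named could not create {jnl}; the directory holding the zone file "
              f"must be writable by the user named runs as")
```

To run it against a live server, pass the contents of named.conf to `find_fixed_query_source_ports` and a slice of the named log to `journal_permission_errors`. The only remedy the first check needs is the one Alan gives: delete the line, since named has randomized the source port by default since the Kaminsky fixes of 2008. The second check tells you which directory to look at; as Brian's getfacl and lsattr output shows, the directory's mode, ACLs and attributes are the first things to compare against the user named actually runs as.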