Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

2015-09-28 Thread Gordon Lang
Here are the non-comment lines of /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=targeted


The /var/log/audit/audit.log has a lot of lines that look like the same
thing over and over.  I don't have audit2allow, so here it is raw (with
some line breaks):

type=SYSCALL msg=audit(1443475664.001:786107): arch=c03e syscall=82
success=yes
exit=0 a0=7f8e9d5affd8 a1=7f8e9cc81fe8 a2=7f8e98452b30 a3=0 items=5
ppid=1 pid=3873
auid=7202 uid=2076 gid=30046 euid=2076 suid=2076 fsuid=2076 egid=30046
sgid=30046
fsgid=30046 tty=(none) ses=13948 comm="named"
exe="/export/local/ISC/bind-9.10.3/sbin/named"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"


I built the code with autoconf as follows:
./configure --prefix=/export/local/ISC/bind-9.10.3
make
make install
cd /export/local/ISC/bind-9.10.3/sbin
chown root named
chmod g-w named
chmod u+s named


On Sun, Sep 27, 2015 at 8:54 PM, Carl Byington wrote:

> On Sun, 2015-09-27 at 15:31 -0400, Gordon Lang wrote:
>
> > > It works fine with BIND 9.9.3 but not 9.10.3 on the same server.
>
> Since this is rhel6, I presume you are running with selinux:
>
> cat /etc/selinux/config
>
> grep named /var/log/audit/audit.log | audit2allow
>
> How did you do the build of 9.10.3 on rhel6? Did you build rpms from a
> .spec file, or just a raw autoconf (./configure;make;make install)
> build?
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 

--
Gordon A. Lang
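
Added example (not part of the original thread): one way to triage /var/log/audit/audit.log when audit2allow is not installed. It separates SELinux AVC denials, which are the records audit2allow works from, from SYSCALL records that were logged because an audit rule with a key matched, as in the key="delete" record above. The sample log lines, the AVC contexts and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records (not the poster's log): one audit-rule hit shaped
# like the SYSCALL record above, two AVC denials, and an unrelated sshd record.
SAMPLE = '''\
type=SYSCALL msg=audit(1443475664.001:786107): syscall=82 success=yes exit=0 pid=3873 uid=2076 comm="named" exe="/export/local/ISC/bind-9.10.3/sbin/named" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"
type=AVC msg=audit(1443475700.120:786200): avc:  denied  { write } for  pid=3873 comm="named" name="example" dev=dm-0 ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1443475701.300:786201): avc:  denied  { write } for  pid=3873 comm="named" name="example" dev=dm-0 ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1443475702.000:786202): syscall=2 success=yes exit=3 pid=900 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Split one audit.log line into its type, event serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(m.group(4)))
    avc = AVC.search(m.group(4))
    if avc:
        rec["avc"], rec["perms"] = avc.group(1), avc.group(2)
    return rec

def triage(text, comm="named"):
    """Count SELinux denials and keyed audit-rule hits for one command name."""
    denials, rule_hits = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("comm") != comm:
            continue
        if rec["type"] == "AVC" and rec.get("avc") == "denied":
            denials[(rec["perms"], rec["scontext"], rec["tcontext"], rec["tclass"])] += 1
        elif rec["type"] == "SYSCALL" and rec.get("key", "(null)") != "(null)":
            rule_hits[(rec["key"], rec["syscall"], rec["success"])] += 1
    return denials, rule_hits

if __name__ == "__main__":
    denials, rule_hits = triage(SAMPLE)
    for (perms, s, t, cls), n in denials.items():
        print(f"AVC denied {{{perms}}} {s} -> {t} ({cls}) x{n}")
    for (key, syscall, ok), n in rule_hits.items():
        print(f"audit rule key={key} syscall={syscall} success={ok} x{n}")
```

Collapsing repeats into counts keeps the many identical lines in such a log from hiding the one distinct denial.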

"managed-keys-directory" option seems to be ignored since BIND 9.10.3.

2015-09-28 Thread SASAKI Katuhiro
Hi.

After I upgraded from 9.10.2p4 to 9.10.3, "managed-keys-directory"
option seems to be ignored.

I wrote named.conf as follows.
> options {
>   # set some paths.
>   directory "/usr/local/etc/namedb";
> ...
>   managed-keys-directory "/usr/local/etc/namedb/managed";
> ...

After upgrading, the following error messages appeared.
> ...
> Sep 27 12:06:28 host.name named[826]: the working directory is
> not writable
> Sep 27 12:06:28 host.name named[826]: general: error: 
> file_name_of_mkeys.mkeys.jnl: create: permission denied
> ...
Also, the files in "/usr/local/etc/namedb/managed" (the directory specified by
"managed-keys-directory") are not updated.
After struggling with this for a while, I changed the permissions on the main
config directory as follows and ran a reconfig.
% sudo chown bind:bind /usr/local/etc/namedb
% rndc reconfig
After the change above, the errors shown above no longer appeared, but
file_name_of_mkeys.mkeys and file_name_of_mkeys.mkeys.jnl now appear
in the main config directory.
I suspect some code change in 9.10.3 (from 9.10.2p4) breaks
managed-keys-directory.

Thank you for reading my broken English.


-- 
 SASAKI Katuhiro

 mailto: cr...@sahiro.org



SRV Request to DNS

2015-09-28 Thread Harshith Mulky
Hi all,

I had a query

Let us say we have an FQDN and we need to resolve it. It goes through the
procedure of determining the IP and port using the NAPTR/SRV/A query mechanisms.

The question I have is: if I have an FQDN with a port number already determined,
will it go through the NAPTR/SRV/A query procedure, or simply do an A query,
or is this left to the client to apply the logic?

Thanks