BIND9/Troubleshooting

From Foxwiki

Bind9 Master Slave replication: Zone transfer not working

  • On a Bind master server, it is pretty much "standard" to run everything within /etc/bind.
  • As this is a master DNS server, the zone files are usually updated manually.
  • But if you run a master-slave-replication, do not use the same directory structure on the slave!

While troubleshooting a case where the replication did not work and the zone files were not created on the slave server, I came across the following error messages in syslog on the slave:

named[318]: client 10.10.44.67#7865: received notify for zone 'example.com'
named[318]: zone example.com/IN: Transfer started.
named[318]: transfer of 'example.com/IN' from 10.10.44.67#53: connected using 10.10.44.68#33813
named[318]: zone example.com/IN: transferred serial 2014090801
named[318]: transfer of 'example.com/IN' from 10.10.44.67#53: Transfer completed: 1 messages, 33 records, 1170 bytes, 0.001 secs (1170000 bytes/sec)
named[318]: zone example.com/IN: sending notifies (serial 2014090801)
named[318]: dumping master file: /etc/bind/zones/tmp-kP27d0CASU: open: permission denied
kernel: type=1400 audit(1410164178.794:90): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/tmp-kP27d0CASU" pid=319 comm="named" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
audit:  type=1400 audit(1575835512.723:69): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/slave/tmp-cBkaqhFqRy" pid=15305 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
  • The master sends the notify for the zone, the slave receives it, and the transfer is initiated and completes.
  • But when the slave tries to write the zone file into /etc/bind/zones, a "permission denied" error arises.
  • One line further on, the "blocker" is identified: AppArmor.

The AppArmor profile for /usr/sbin/named (/etc/apparmor.d/usr.sbin.named) does not allow the bind process to write anything into /etc/bind/:

 # /etc/bind should be read-only for bind
 # /var/lib/bind is for dynamically updated zone (and journal) files.
 # /var/cache/bind is for slave/stub data, since we're not the origin of it.
 # See /usr/share/doc/bind9/README.Debian.gz
 /etc/bind/** r,
 /var/lib/bind/** rw,
 /var/lib/bind/ rw,
 /var/cache/bind/** lrw,
 /var/cache/bind/ rw,

Solution

Use /var/lib/bind/ (for example /var/lib/bind/zones) as the path for the zone files that are created dynamically through the master-slave replication; that tree is writable for named under the profile above, /etc/bind/ is not.
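As an added example (not part of the original wiki page), the following POSIX shell script pulls the directories that AppArmor denied the named profile out of syslog lines and checks them against the writable paths of the Debian profile quoted above. The sample log lines are constructed from the messages shown on this page; the "ALLOWED" line is an invented control case.

```shell
#!/bin/sh
# Added example, not from the wiki page: find AppArmor denials raised by named
# while dumping a slave zone file and report where the zone's "file" path should go.
# Constructed sample: the DENIED lines mirror this page, the ALLOWED line is a control.
SAMPLE_LOG='named[318]: zone example.com/IN: transferred serial 2014090801
named[318]: dumping master file: /etc/bind/zones/tmp-kP27d0CASU: open: permission denied
kernel: type=1400 audit(1410164178.794:90): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/tmp-kP27d0CASU" pid=319 comm="named" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
audit:  type=1400 audit(1575835512.723:69): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/slave/tmp-cBkaqhFqRy" pid=15305 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
kernel: type=1400 audit(1410164200.000:91): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/bind/db.example.com" pid=319 comm="named" requested_mask="w"'

# named_apparmor_denied_dirs: read log lines on stdin and print each distinct
# directory in which AppArmor denied the /usr/sbin/named profile an operation.
named_apparmor_denied_dirs() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/named"' |
    sed -n 's/.*name="\([^"]*\)".*/\1/p' |   # extract the denied path from name="..."
    sed 's|/[^/]*$||' |                      # drop the temp file name, keep its directory
    sort -u
}

# check_zone_dir: succeed if the directory lies under a tree the quoted Debian
# profile lets named write to (/var/lib/bind rw, /var/cache/bind lrw), else fail.
check_zone_dir() {
    case "$1" in
        /var/lib/bind|/var/lib/bind/*|/var/cache/bind|/var/cache/bind/*) return 0 ;;
        *) return 1 ;;
    esac
}

# report: for every denied directory, state whether moving the zone file fixes it.
report() {
    printf '%s\n' "$SAMPLE_LOG" | named_apparmor_denied_dirs | while read -r dir; do
        if check_zone_dir "$dir"; then
            echo "$dir: writable per profile, the denial has another cause"
        else
            echo "$dir: not writable for named; put the slave zone 'file' under /var/lib/bind/"
        fi
    done
}

report
```

On a live system, replace the embedded sample with `journalctl -k` or `/var/log/syslog` piped into `named_apparmor_denied_dirs`.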