Re: Problem with RELENG_5_3, BIND9 and dynamic updates

From: Doug Barton <DougB_at_dougbarton.net>
Date: Wed, 03 Nov 2004 12:53:58 -0800
Gregory Neil Shapiro wrote:

>>It looks like BIND9, as delivered in the base, has problems when zones 
>>are using dynamic DNS updates.
>>
>>This is because it runs as user "bind", but that user doesn't have write 
>>access to /var/named/etc/namedb/master - the script /etc/rc.d/named uses 
>>mtree to set that directory as follows:
>>
>>Nov  2 22:40:31 vimes kernel: Nov  2 22:40:31 vimes named[98525]: 
>>master/aminor.no.zone.jnl: create: permission denied
> 
> 
> Perhaps this patch will help:
> 
> Index: mtree/BIND.chroot.dist
> ===================================================================
> RCS file: /src/FreeBSD/ncvs/src/etc/mtree/BIND.chroot.dist,v
> retrieving revision 1.5
> diff -u -r1.5 BIND.chroot.dist
> --- mtree/BIND.chroot.dist	29 Sep 2004 03:43:10 -0000	1.5
> +++ mtree/BIND.chroot.dist	3 Nov 2004 18:45:06 -0000
> _at__at_ -9,6 +9,8 _at__at_
>      ..
>      etc
>          namedb
> +            dynamic uname=bind
> +            ..
>              master
>              ..
>              slave   uname=bind
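Review bot: the new `dynamic uname=bind` entry gives named a directory it can write while leaving `master` root-owned, which is the right split: only the zone file and its `.jnl` journal for update-enabled zones need to be writable by the `bind` user, and keeping static master data read-only to named limits what a misbehaving named process can alter. Two follow-ups: the entry carries no explicit `mode`, so it inherits whatever default the dist file sets above this hunk, which is worth confirming is not group- or world-writable; and administrators who already keep dynamic zones under `master/` (the reported `master/aminor.no.zone.jnl: create: permission denied`) get no hint from the mtree change alone, so a pointer in the default `named.conf` or UPDATING telling them to move such zone files to `dynamic/` would make the fix discoverable.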
> Index: namedb/named.conf
> ===================================================================
> RCS file: /src/FreeBSD/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.19
> diff -u -r1.19 named.conf
> --- namedb/named.conf	30 Sep 2004 09:57:36 -0000	1.19
> +++ namedb/named.conf	3 Nov 2004 18:48:06 -0000
> _at__at_ -102,6 +102,22 _at__at_
>  	};
>  };
>  
> +// An example dynamic zone
> +key "exampleorgkey"
> +{
> +        algorithm hmac-md5;
> +        secret "sf87HJqjkqh8ac87a02lla==";
> +};
> +
> +zone "example.org" {
> +	type master;
> +	allow-update
> +	{
> +		key "exampleorgkey";
> +	};
> +	file "dynamic/example.org";
> +};
> +
>  zone "0.168.192.in-addr.arpa" {
>  	type slave;
>  	file "slave/0.168.192.in-addr.arpa";
> 
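Review bot: the key and zone are added uncommented to the default named.conf, so every installation that takes the stock file gets an active master zone `example.org` whose file `dynamic/example.org` does not exist, plus a TSIG key whose secret is published in the source tree; anyone holding that well-known secret could push updates to that zone on a host whose administrator left the example in place. Suggest shipping the whole block as a `//`-commented template and replacing the literal secret with a comment such as `// secret "...";  // generate with dnssec-keygen -a HMAC-MD5 -n HOST <name>` so nothing is live until an admin fills in a freshly generated key. The `allow-update` brace placement also differs from the rest of the file (`allow-update {` on one line elsewhere).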

Greg, that is the direction I was thinking on this, yes. The only minor
nit I'd do differently is to move the { for allow-update up to the same
line for style consistency reasons.

Feel free to commit this to HEAD if you like, otherwise I'll get to this
asap.

Thanks,

Doug

-- 
    If you're never wrong, you're not trying hard enough
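The permission failure reported above comes from a zone that accepts updates being placed in a directory the `bind` user cannot write. As an added check that is not part of this thread or of FreeBSD's rc scripts, the script below extracts zone blocks from a named.conf fragment and flags zones that need write access (type slave, or any zone with `allow-update`) whose file lives outside the bind-writable directories; the set of writable directories (`dynamic`, `slave`) is taken from the patched BIND.chroot.dist, the parser is a simplified one that understands only the bracing style of the default named.conf, and the sample configuration and its placeholder secret are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories that the patched BIND.chroot.dist marks uname=bind.
# Everything else under namedb (including master/ and namedb itself) is root-owned.
BIND_WRITABLE_DIRS = frozenset({"dynamic", "slave"})

# Constructed sample named.conf fragment (not the shipped file). The secret is a
# placeholder; a real key is generated with dnssec-keygen, never copied from an example.
SAMPLE_CONF = '''
options {
        directory       "/etc/namedb";
};

key "exampleorgkey" {
        algorithm hmac-md5;
        secret "REPLACE-WITH-GENERATED-SECRET==";  // placeholder, constructed
};

// laid out the way the patch does it: update-enabled zone under dynamic/
zone "example.org" {
        type master;
        allow-update { key "exampleorgkey"; };
        file "dynamic/example.org";
};

// the reported failure mode: update-enabled zone still under master/
zone "broken.example" {
        type master;
        allow-update { key "exampleorgkey"; };
        file "master/broken.example";
};

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/0.168.192.in-addr.arpa";
        masters { 192.168.0.1; };
};
'''

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', re.IGNORECASE)


@dataclass
class Zone:
    name: str
    type: Optional[str]
    file: Optional[str]
    allow_update: bool


def strip_comments(text: str) -> str:
    """Remove C-style and C++-style comments (named.conf also allows '#', not handled here)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)


def parse_zones(text: str) -> List[Zone]:
    """Extract zone blocks; simplified parser, not BIND's grammar (no include/view support)."""
    text = strip_comments(text)
    zones = []
    for m in ZONE_RE.finditer(text):
        # Walk to the matching closing brace, honouring nested blocks like masters { ... }.
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        body = text[m.end():i - 1]
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        allow = re.search(r'\ballow-update\s*\{', body) is not None
        zones.append(Zone(m.group(1),
                          ztype.group(1).lower() if ztype else None,
                          zfile.group(1) if zfile else None,
                          allow))
    return zones


def needs_write_access(zone: Zone) -> bool:
    """Slaves write the transferred copy; masters with allow-update write the file and its .jnl."""
    return zone.type == "slave" or zone.allow_update


def find_unwritable_zones(text: str, writable_dirs=BIND_WRITABLE_DIRS) -> List[Zone]:
    """Zones that named must write but whose file sits outside a bind-writable directory."""
    flagged = []
    for z in parse_zones(text):
        if not needs_write_access(z) or z.file is None:
            continue
        # Zone paths are relative to the options 'directory'; take the first component.
        top = z.file.split("/")[0] if "/" in z.file else "."
        if top not in writable_dirs:
            flagged.append(z)
    return flagged


if __name__ == "__main__":
    for z in find_unwritable_zones(SAMPLE_CONF):
        print(f'zone "{z.name}": file {z.file} is not in a bind-writable directory '
              f'(move it to dynamic/ or named cannot create its .jnl)')
```

Run against a real /etc/namedb/named.conf the script lists the zones that would hit the same `create: permission denied` as above; the writable set is a constant here, but on a live host it could be derived by checking which namedb subdirectories are owned by the bind user.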
Received on Wed Nov 03 2004 - 19:54:07 UTC