Monday, January 24, 2011

a bind slave configuration on ubuntu is sometimes vexing

while installing a slave dns server with bind on an ubuntu box, i found that the slave zone would not synchronize. logs are your friends: in /var/log/daemon.log, i saw the following:
named[4402]: dumping master file: /etc/bind/tmp-xxxxxxx: open: permission denied
named[4402]: transfer of 'www.xxx.yyy.zzz/IN' from master#53: failed while receiving responses: permission denied
it appears that named was unable to write its temporary transfer file into /etc/bind/ .
after some digging and using strace, i discovered that ubuntu expects slave zone files to live here:
/var/cache/bind/
in /etc/bind/named.conf the zone definition ought to have the following format:
zone "mydomain.com" IN {
        type slave;
        file "/var/cache/bind/db.mydomain.com";
        masters { www.xxx.yyy.zzz; };
};
(or just a bare filename with no path, which named resolves relative to the directory option, /var/cache/bind on ubuntu)

and the directory needs the correct ownership and permissions:
# chown -R bind:bind /var/cache/bind/
# chmod -R g+w /var/cache/bind/
bind also needs permission to write to the zone files; in:
/etc/default/bind9
add: ENABLE_ZONE_WRITE=yes
however, my slave zone would still not synchronize. this was due to apparmor (sure, i knew that); edit:
/etc/apparmor.d/usr.sbin.named 

change: /etc/bind/** r,
to: /etc/bind/** rw,
some other excitement is getting the box itself to resolve through its own named. in:
/etc/network/interfaces

add:
dns-nameservers 127.0.0.1

and in /etc/bind/named.conf.options include the following stanza:
        forwarders {
                8.8.8.8;        // google public dns, for external lookups
                8.8.4.4;        // google public dns, for external lookups
                10.6.6.6;       // an internal server for internal lookups
        };
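as an added example (not part of the original post), the following script checks for the three things above without touching the live system: slave zone file paths pointing outside /var/cache/bind, the permission-denied transfer lines in daemon.log, and whether resolv.conf lists 127.0.0.1 first. the zone-file check assumes the conventional layout of one directive per line with a top-level "};" closing each zone, that the options directory is /var/cache/bind as on ubuntu, and that the stock apparmor profile already lets named write under /var/cache/bind; if the slave files live there, the "rw" change to /etc/bind/** is not needed, and it is worth remembering that the change also lets named write its own configuration files. the sample config and log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Every path is a parameter so the
# functions can be run against copies of the files; sample inputs are constructed.

# Print "zone<TAB>file" for each slave zone whose "file" is an absolute path
# outside $2 (default /var/cache/bind, where Ubuntu's AppArmor profile lets
# named write). A bare filename is resolved by named relative to the
# "directory" option (/var/cache/bind on Ubuntu), so it is not reported.
# Assumes one directive per line and a top-level "};" closing each zone block.
audit_slave_zone_files() {
    awk -v allowed="${2:-/var/cache/bind}" '
        /^[[:space:]]*zone[[:space:]]+"/ {
            z = $0; sub(/^[^"]*"/, "", z); sub(/".*$/, "", z)
            zone = z; ztype = ""; zfile = ""
        }
        /^[[:space:]]*type[[:space:]]+/ { ztype = $2; sub(/;.*/, "", ztype) }
        /^[[:space:]]*file[[:space:]]+"/ {
            f = $0; sub(/^[^"]*"/, "", f); sub(/".*$/, "", f); zfile = f
        }
        /^};/ {
            if (zone != "" && ztype == "slave" && zfile ~ /^\// &&
                index(zfile, allowed "/") != 1)
                printf "%s\t%s\n", zone, zfile
            zone = ""
        }
    ' "$1"
}

# Exit 0 and print the lines if $1 (a daemon.log) contains the transfer
# failures quoted in the post; exit 1 if it is clean.
find_transfer_permission_errors() {
    grep -E 'named\[[0-9]+\]: (dumping master file|transfer of).*permission denied' "$1"
}

# Exit 0 if the first "nameserver" line in $1 (an /etc/resolv.conf) is
# 127.0.0.1, i.e. the box resolves through its own named; else exit 1.
resolver_uses_localhost() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ]
}

# Constructed sample named.conf (192.0.2.1 is a documentation address) written to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone "mydomain.com" IN {
        type slave;
        file "/etc/bind/db.mydomain.com";
        masters { 192.0.2.1; };
};
zone "other.example" IN {
        type slave;
        file "/var/cache/bind/db.other.example";
        masters { 192.0.2.1; };
};
zone "bare.example" IN {
        type slave;
        file "db.bare.example";
        masters { 192.0.2.1; };
};
zone "local.example" IN {
        type master;
        file "/etc/bind/db.local.example";
};
EOF
}

# Demo on the constructed sample: only mydomain.com is reported, because its
# slave file sits in /etc/bind where named cannot write.
sample=$(mktemp)
write_sample_conf "$sample"
audit_slave_zone_files "$sample"
rm -f "$sample"
```

run it against a copy of your own config with `audit_slave_zone_files /path/to/named.conf`; an empty result means every slave zone writes under /var/cache/bind and the apparmor profile can stay as shipped.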
