Need help with bind9, permission denied

[mixwe]

Hi all,
I'm installing a ubuntu 12.04 server in a test environement for DHCP and DNS purpose.
I've succesfull installed dhcp3-server ant it works.
after this I installed bind9 and dnsutils.
in the next steps I created the rndc.key file and used it in the named.conf.local file using

Code:

include "/etc/bind/rndc.key";

I followed examples on a tutorial page to configure the other settings in named.conf.local, med.conf.options, med.conf.default-zones.

The /etc/bind directory and its content have permissions 644 root:bind

Now the problem starts when I want to start the bind9 service.
when I run sudo service bind9 restart I get following error:

Code:

 * Stopping domain name service... bind9                                                                                                                   WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
rndc: connect failed: 127.0.0.1#953: connection refused
                                                                                                                                                    [ OK ]
 * Starting domain name service... bind9                                                                                                            [fail]

when I look at /var/log/syslog I find following message:

Code:

Nov 13 08:47:54 Arwen named[16605]: starting BIND 9.8.1-P1 -u bind
Nov 13 08:47:54 Arwen named[16605]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
Nov 13 08:47:54 Arwen named[16605]: adjusted limit on open files from 4096 to 1048576
Nov 13 08:47:54 Arwen named[16605]: found 1 CPU, using 1 worker thread
Nov 13 08:47:54 Arwen named[16605]: using up to 4096 sockets
Nov 13 08:47:54 Arwen named[16605]: loading configuration from '/etc/bind/named.conf'
Nov 13 08:47:54 Arwen named[16605]: none:0: open: /etc/bind/named.conf: permission denied
Nov 13 08:47:54 Arwen named[16605]: loading configuration: permission denied
Nov 13 08:47:54 Arwen named[16605]: exiting (due to fatal error)

I'm now confused if it is a permission issue or an rndc issue.
Please help me.

[Doug S]

Perhaps try to separate the variables. I mean, first try to get everything working without rndc, and then, if you really need it, add rndc in later as a single change to something that is already working. (I don't use rndc on my server.)

[SeijiSensei]

Apparently BIND does not think it has the permissions you think it has. The syslog error reads: "/etc/bind/named.conf: permission denied" so BIND cannot read the named.conf file.

I agree with only adding rndc after you have gotten everything else working. I do not use rndc on my two public DNS servers either.

[mixwe]

Thanks for reply,
After your answer I tried to remove the include rndc from the config file. but nothings changed.
I recieve the same error messages as before. Then I tried to rename the rndc.key file and here is the output after restarting bind9

Code:

 * Stopping domain name service... bind9        
rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found

How can I use bind without rndc?

For permissions issues how can I verify with which user will bind run and how can I test if there are the correct permissions?

the permissions now looks so:

Code:

-rw-r--r-- 1 root bind 2389 Oct  9 15:06 bind.keys
-rw-r--r-- 1 root bind  237 Oct  9 15:06 db.0
-rw-r--r-- 1 root bind  271 Oct  9 15:06 db.127
-rw-r--r-- 1 root bind  423 Nov  8 16:13 db.172.20.100
-rw-r--r-- 1 root bind  237 Oct  9 15:06 db.255
-rw-r--r-- 1 root bind  353 Oct  9 15:06 db.empty
-rw-r--r-- 1 root bind  270 Oct  9 15:06 db.local
-rw-r--r-- 1 root bind  565 Nov  8 16:08 db.middle-earth.local
-rw-r--r-- 1 root bind 2994 Oct  9 15:06 db.root
-rw-r--r-- 1 root bind  707 Nov 14 15:49 named.conf
-rw-r--r-- 1 root bind  490 Oct  9 15:06 named.conf.default-zones
-rw-r--r-- 1 root bind  685 Nov 14 15:40 named.conf.local
-rw-r--r-- 1 root bind  369 Nov 12 15:50 named.conf.options
-rw-r--r-- 1 root bind   77 Nov 14 15:10 rndc.key.tmp
-rw-r--r-- 1 root bind 1317 Oct  9 15:06 zones.rfc1918

I assume that bind9 runs with user bind that is member of the group bind. In this case the permissions seems correct.

[Doug S]

I do have the default rndc.key file, which perhaps still has to be present, but I don't use rndc. My persmissions are a little different than yours:

Code:

doug@doug-64:~$ ls -l /etc/bind
total 60
-rw-r--r-- 1 root root 2389 Jul 25 14:35 bind.keys
-rw-r--r-- 1 root root  237 Jul 25 14:35 db.0
-rw-r--r-- 1 root root  271 Jul 25 14:35 db.127
-r--r--r-- 1 root bind  933 Oct 12 10:37 db.192
-rw-r--r-- 1 root root  237 Jul 25 14:35 db.255
-rw-r--r-- 1 root root  353 Jul 25 14:35 db.empty
-rw-r--r-- 1 root root  270 Jul 25 14:35 db.local
-rw-r--r-- 1 root root 2994 Jul 25 14:35 db.root
-r--r--r-- 1 root bind  984 Oct 12 10:37 db.smythies.com
-rw-r--r-- 1 root bind  463 Jul 25 14:35 named.conf
-rw-r--r-- 1 root bind  490 Jul 25 14:35 named.conf.default-zones
-rw-r--r-- 1 root bind 3538 Oct 12 10:38 named.conf.local
-rw-r--r-- 1 root bind  762 Oct 12 11:11 named.conf.options
-rw-r----- 1 bind bind   77 Oct 12 09:29 rndc.key
-rw-r--r-- 1 root root 1317 Jul 25 14:35 zones.rfc1918

Although named.conf is the same.
I tried a restart ( output edited to fit ):

Code:

doug@doug-64:~$ sudo service bind9 restart
[sudo] password for doug:
 * Stopping domain name service... bind9
waiting for pid 1121 to die
[ OK ]
 * Starting domain name service... bind9
[ OK ]
doug@doug-64:~$

[mixwe]

hello Doug,
it seems that your permissions are more restrictive than mine... I think it should not hang on permissions related issues in this folder.

Altough to continue testing I would like to start bind without rndc, but I really don't know how...