
Thread: Need help with bind9, permission denied

  1. #1
    Join Date
    Nov 2012
    Beans
    10

    Need help with bind9, permission denied

    Hi all,
    I'm installing an Ubuntu 12.04 server in a test environment for DHCP and DNS purposes.
    I've successfully installed dhcp3-server and it works.
    After this I installed bind9 and dnsutils.
    In the next steps I created the rndc.key file and used it in the named.conf.local file using
    Code:
    include "/etc/bind/rndc.key";
    I followed examples on a tutorial page to configure the other settings in named.conf.local, named.conf.options and named.conf.default-zones.

    The /etc/bind directory and its content have permissions 644 root:bind

    Now the problem starts when I want to start the bind9 service.
    When I run sudo service bind9 restart I get the following error:
    Code:
     * Stopping domain name service... bind9
    WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
    rndc: connect failed: 127.0.0.1#953: connection refused
                                                             [ OK ]
     * Starting domain name service... bind9                 [fail]
    When I look at /var/log/syslog I find the following message:
    Code:
    Nov 13 08:47:54 Arwen named[16605]: starting BIND 9.8.1-P1 -u bind
    Nov 13 08:47:54 Arwen named[16605]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
    Nov 13 08:47:54 Arwen named[16605]: adjusted limit on open files from 4096 to 1048576
    Nov 13 08:47:54 Arwen named[16605]: found 1 CPU, using 1 worker thread
    Nov 13 08:47:54 Arwen named[16605]: using up to 4096 sockets
    Nov 13 08:47:54 Arwen named[16605]: loading configuration from '/etc/bind/named.conf'
    Nov 13 08:47:54 Arwen named[16605]: none:0: open: /etc/bind/named.conf: permission denied
    Nov 13 08:47:54 Arwen named[16605]: loading configuration: permission denied
    Nov 13 08:47:54 Arwen named[16605]: exiting (due to fatal error)
    I'm now confused if it is a permission issue or an rndc issue.
    Please help me.

  2. #2
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: Need help with bind9, permission denied

    Perhaps try to separate the variables. I mean, first try to get everything working without rndc, and then, if you really need it, add rndc in later as a single change to something that is already working. (I don't use rndc on my server.)

  3. #3
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Need help with bind9, permission denied

    Apparently BIND does not think it has the permissions you think it has. The syslog error reads: "/etc/bind/named.conf: permission denied" so BIND cannot read the named.conf file.

    I agree with only adding rndc after you have gotten everything else working. I do not use rndc on my two public DNS servers either.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.


  4. #4
    Join Date
    Nov 2012
    Beans
    10

    Re: Need help with bind9, permission denied

    Thanks for the reply,
    After your answer I tried to remove the rndc include from the config file, but nothing changed.
    I receive the same error messages as before. Then I tried to rename the rndc.key file, and here is the output after restarting bind9:
    Code:
     * Stopping domain name service... bind9
    rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
    How can I use bind without rndc?

    For permission issues, how can I verify which user bind will run as, and how can I test whether the permissions are correct?

    The permissions now look like this:
    Code:
    -rw-r--r-- 1 root bind 2389 Oct  9 15:06 bind.keys
    -rw-r--r-- 1 root bind  237 Oct  9 15:06 db.0
    -rw-r--r-- 1 root bind  271 Oct  9 15:06 db.127
    -rw-r--r-- 1 root bind  423 Nov  8 16:13 db.172.20.100
    -rw-r--r-- 1 root bind  237 Oct  9 15:06 db.255
    -rw-r--r-- 1 root bind  353 Oct  9 15:06 db.empty
    -rw-r--r-- 1 root bind  270 Oct  9 15:06 db.local
    -rw-r--r-- 1 root bind  565 Nov  8 16:08 db.middle-earth.local
    -rw-r--r-- 1 root bind 2994 Oct  9 15:06 db.root
    -rw-r--r-- 1 root bind  707 Nov 14 15:49 named.conf
    -rw-r--r-- 1 root bind  490 Oct  9 15:06 named.conf.default-zones
    -rw-r--r-- 1 root bind  685 Nov 14 15:40 named.conf.local
    -rw-r--r-- 1 root bind  369 Nov 12 15:50 named.conf.options
    -rw-r--r-- 1 root bind   77 Nov 14 15:10 rndc.key.tmp
    -rw-r--r-- 1 root bind 1317 Oct  9 15:06 zones.rfc1918
    I assume that bind9 runs as user bind, which is a member of the group bind. In this case the permissions seem correct.
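Post #4 asks how to find out which account named runs as and how to test its permissions. The script below is an added example (not from the thread and not part of BIND): it walks a path component by component and applies the owner/group/other rule for the given account the way the kernel does, so the component that denies access is named explicitly instead of guessed from an `ls -l` listing. It assumes GNU coreutils `stat` and `id`; the account name `bind` is taken from the `-u bind` in the syslog line in post #1. `applicable_bits` and `check_access` are my names.

```shell
#!/bin/sh
# Added example, not from the thread: emulate the kernel's discretionary
# access check (owner / group / other bits) for one account along a path,
# so a "permission denied" can be pinned to the exact component causing it.
# Assumes GNU coreutils `stat` and `id` (any Linux box). It does not see
# mandatory access control: on Ubuntu named is confined by AppArmor
# (/etc/apparmor.d/usr.sbin.named) and those denials appear in syslog/dmesg
# as apparmor="DENIED", which this script cannot explain.

# applicable_bits FILE_UID FILE_GID OCTAL_MODE UID "GID [GID ...]"
# Print the rwx triplet (0-7) that applies to UID: owner bits if UID owns
# the file, group bits if one of UID's groups is the file's group, else other.
applicable_bits() {
    f_uid=$1; f_gid=$2; mode=$(( 0$3 )); uid=$4; gids=$5
    if [ "$uid" -eq 0 ]; then
        echo 7                      # root bypasses DAC for read and search
        return 0
    fi
    if [ "$uid" -eq "$f_uid" ]; then
        echo $(( (mode / 64) % 8 ))
        return 0
    fi
    for g in $gids; do
        if [ "$g" -eq "$f_gid" ]; then
            echo $(( (mode / 8) % 8 ))
            return 0
        fi
    done
    echo $(( mode % 8 ))
}

# check_access USER /absolute/path
# Walk from / down to the file. Each directory needs the search (x) bit for
# USER, the final file needs the read (r) bit. Prints one line per component.
# Returns 0 if USER can read the file, 1 if a component denies it,
# 2 if USER or the path does not exist.
check_access() {
    user=$1; target=$2
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    gids=$(id -G "$user")
    # Split the path on "/" via field splitting, with globbing switched off.
    old_ifs=$IFS; IFS=/; set -f; set -- $target; set +f; IFS=$old_ifs
    cur=""; status=0
    for comp in / "$@"; do
        if [ -z "$comp" ]; then continue; fi
        if [ "$comp" = / ]; then cur=/; else cur="${cur%/}/$comp"; fi
        if ! info=$(stat -c '%u %g %a %U %G' "$cur" 2>/dev/null); then
            printf '%-40s missing\n' "$cur"
            return 2
        fi
        set -- $info                # $1=uid $2=gid $3=mode $4=owner $5=group
        bits=$(applicable_bits "$1" "$2" "$3" "$uid" "$gids")
        if [ -d "$cur" ]; then need=1; what=search; else need=4; what=read; fi
        if [ $(( bits & need )) -ne 0 ]; then
            verdict=ok
        else
            verdict="DENIED (no $what bit for $user)"; status=1
        fi
        printf '%-40s %s:%s %4s  %s\n' "$cur" "$4" "$5" "$3" "$verdict"
    done
    return $status
}

# Find the account named runs as (the -u flag in the syslog "starting BIND"
# line, or `ps -o user=,group=,comm= -C named`), then for example:
#   sh check_access.sh bind /etc/bind/named.conf
if [ "$#" -ge 2 ]; then
    check_access "$1" "$2"
fi
```

Run it as `sh check_access.sh bind /etc/bind/named.conf`. The quick one-shot form of the same test is `sudo -u bind cat /etc/bind/named.conf`, but the walk shows which component is at fault when that fails. If every component reports ok for the account named actually runs as, classic file modes are not the explanation and the next places to look are the directory modes of the parents (which a listing of /etc/bind alone does not show) and any mandatory access control layer that is active on the host.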

  5. #5
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: Need help with bind9, permission denied

    I do have the default rndc.key file, which perhaps still has to be present, but I don't use rndc. My permissions are a little different from yours:
    Code:
    doug@doug-64:~$ ls -l /etc/bind
    total 60
    -rw-r--r-- 1 root root 2389 Jul 25 14:35 bind.keys
    -rw-r--r-- 1 root root  237 Jul 25 14:35 db.0
    -rw-r--r-- 1 root root  271 Jul 25 14:35 db.127
    -r--r--r-- 1 root bind  933 Oct 12 10:37 db.192
    -rw-r--r-- 1 root root  237 Jul 25 14:35 db.255
    -rw-r--r-- 1 root root  353 Jul 25 14:35 db.empty
    -rw-r--r-- 1 root root  270 Jul 25 14:35 db.local
    -rw-r--r-- 1 root root 2994 Jul 25 14:35 db.root
    -r--r--r-- 1 root bind  984 Oct 12 10:37 db.smythies.com
    -rw-r--r-- 1 root bind  463 Jul 25 14:35 named.conf
    -rw-r--r-- 1 root bind  490 Jul 25 14:35 named.conf.default-zones
    -rw-r--r-- 1 root bind 3538 Oct 12 10:38 named.conf.local
    -rw-r--r-- 1 root bind  762 Oct 12 11:11 named.conf.options
    -rw-r----- 1 bind bind   77 Oct 12 09:29 rndc.key
    -rw-r--r-- 1 root root 1317 Jul 25 14:35 zones.rfc1918
    Although named.conf is the same.
    I tried a restart ( output edited to fit ):
    Code:
    doug@doug-64:~$ sudo service bind9 restart
    [sudo] password for doug:
     * Stopping domain name service... bind9
    waiting for pid 1121 to die
    [ OK ]
     * Starting domain name service... bind9
    [ OK ]
    doug@doug-64:~$
    Last edited by Doug S; November 14th, 2012 at 04:56 PM. Reason: added restart stuff

  6. #6
    Join Date
    Nov 2012
    Beans
    10

    Re: Need help with bind9, permission denied

    hello Doug,
    It seems that your permissions are more restrictive than mine... I think it should not hang on permission-related issues in this folder.

    Although, to continue testing, I would like to start bind without rndc, but I really don't know how...

  7. #7
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: Need help with bind9, permission denied

    Wouldn't you just take out the line you said you added back in post #1?:
    Code:
    include "/etc/bind/rndc.key";
    Although I do observe lo listening on port 953 on my system.
    I agree about the permissions. I wonder if you have dnsmasq hanging around getting in the way of something?

  8. #8
    Join Date
    Nov 2012
    Beans
    10

    Re: Need help with bind9, permission denied

    Thank you Doug,
    This is the first thing I did:
    Code:
    //include "/etc/bind/rndc.key";
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    But the result is still the same. Further, to be sure there is no firewall issue, I purged it, but nothing changed....

    I will summarize here the steps that I followed during installation:

    1. apt-get purge apparmor
    2. apt-get install nscd
    3. apt-get install dhcp3-server
    4. apt-get install bind9 dnsutils
    5. rndc-confgen -a
    I configured dhcp and it works correctly.
    I configured bind, I will list here my files:
    1. named.conf:
    Code:
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    //include "/etc/bind/rndc.key";
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    2. named.conf.options:
    Code:
    options {
            directory "/var/cache/bind";
            allow-transfer {
                   127.0.0.1;
                   172.20.100.0/24;
            };
            allow-query {
                   127.0.0.1;
                   172.20.100.0/24;
            };
            forwarders {
                    8.8.8.8;
                    172.20.100.1;
            };
            auth-nxdomain no;    # conform to RFC1035
            listen-on { any; };
            listen-on-v6 { any; };
    };
    3. named.conf.local
    Code:
    logging {
        channel query.log {
            file "/var/log/query.log";
            severity debug 3;
        };
        category queries { query.log; };
    };
    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";
    
    zone "middle-earth.local" {
      type master;
      file "/etc/bind/db.middle-earth.local";
      allow-transfer { 127.0.0.1; 172.20.100.0/24; };
      allow-update { key "rndc-key"; };
      notify yes;
    };
    zone "100.20.172.in-addr.arpa" {
      type master;
      file "/etc/bind/db.172.20.100";
      allow-transfer { 127.0.0.1; 172.20.100.0/24; };
      allow-update { key "rndc-key"; };
      notify yes;
    };
    4. named.conf.default-zones
    Code:
    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/bind/db.root";
    };
    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };
    zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
    };
    zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
    };
    5. rndc.key
    Code:
    key "rndc-key" {
            algorithm hmac-md5;
            secret "xCDX/U9Xr/JZbuFfwyhv9Q==";
    };
    Using the configuration described above I get this message when starting bind:
    Code:
    rndc: connect failed: 127.0.0.1#953: connection refused
    [ OK ]
     * Starting domain name service... bind9  [ fail]
    and in syslog the same message:
    Code:
    Nov 15 08:57:12 Arwen named[1388]: loading configuration from '/etc/bind/named.conf'
    Nov 15 08:57:12 Arwen named[1388]: none:0: open: /etc/bind/named.conf: permission denied
    Nov 15 08:57:12 Arwen named[1388]: loading configuration: permission denied
    Nov 15 08:57:12 Arwen named[1388]: exiting (due to fatal error)
    So I'm absolutely not an expert, but where could the error be here? Is there a different conf file for rndc?
    I also tried to use rndc.conf in /etc/bind, but the following message is displayed:
    Code:
    WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
    rndc: connect failed: 127.0.0.1#953: connection refused
    I'm now out of ideas about how I could solve the problem.

  9. #9
    Join Date
    Nov 2012
    Beans
    10

    Re: Need help with bind9, permission denied

    Quote Originally Posted by Doug S View Post
    I wonder if you have dnsmasq hanging around getting in the way of something?
    I don't have dnsmasq installed.
    Last edited by mixwe; November 15th, 2012 at 02:42 PM. Reason: could be missinterpreted

  10. #10
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: Need help with bind9, permission denied

    Doesn't allowing remote updates imply rndc?
    I don't allow any remote updates and do not have any of these:
    Code:
      allow-update { key "rndc-key"; };
    My named.local.conf:
    Code:
    doug@doug-64:~/config/bind$ cat named.conf.options
    options {
            directory "/var/cache/bind";
            recursion yes;
            allow-recursion {any;};
            allow-query {any;}; // this is needed to override the default
            allow-transfer {"none"; }; // transfer will be allowed per zone below.
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
            forwarders {
                    75.153.176.9;
                    75.153.176.1;
            };
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
    Permissions: As a long shot suggestion, and just for a test, try taking out the logging stuff in named.conf.local
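Post #10 asks whether allowing updates implies rndc. They are two separate trust paths: rndc talks to named over the `controls` channel (by default 127.0.0.1 and ::1, port 953, authenticated with the key in rndc.key from the sysconfdir, which the build flags in post #1 show is /etc/bind), while dynamic updates are DNS UPDATE messages signed with whatever TSIG key `allow-update` or `update-policy` names. The config in post #8 hands the rndc key to both, so any client that can push an update could also stop or reconfigure the server. The script below is an added example (not from the thread, not BIND's own tooling) that writes a layout with one key per job and a small lint that flags an rndc key reused for updates or still using hmac-md5. `ddns-key`, `write_split_config`, `key_names` and `lint_update_keys` are my names; the zone name is the thread's, and the secrets are placeholders. For the record, the `connection refused` on 127.0.0.1#953 in posts #1 and #8 is what rndc reports when nothing is listening on the control port, and the syslog lines show named exiting on the config error before it opens that port, so it is a symptom of the failed start rather than a separate rndc problem.

```shell
#!/bin/sh
# Added example, not from the thread and not BIND's own tooling.
# Two separate trust paths get conflated when the rndc key is put into
# allow-update:
#  - rndc is the control channel. With no "controls" statement, named listens
#    on 127.0.0.1 and ::1 port 953 and loads the key from rndc.key in its
#    sysconfdir (/etc/bind on Ubuntu).
#  - Dynamic updates are DNS UPDATE messages signed with a TSIG key named in
#    allow-update or update-policy; any client holding that key can change
#    zone data.
# Sharing one key means an update client can also stop or reconfigure named.
# Secrets below are placeholders; generate real ones with
#   tsig-keygen -a hmac-sha256 ddns-key                  (BIND 9.11+)
#   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ddns-key (older releases)

# write_split_config DIR: write rndc.key, ddns.key and a named.conf.local in
# which each key has exactly one job. Zone name taken from the thread; the
# dynamic zone file lives under /var/lib/bind, which named can write to on
# Debian/Ubuntu, unlike /etc/bind.
write_split_config() {
    dir=$1
    cat > "$dir/rndc.key" <<'EOF'
key "rndc-key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-replace-with-tsig-keygen-output";
};
EOF
    cat > "$dir/ddns.key" <<'EOF'
key "ddns-key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-replace-with-tsig-keygen-output";
};
EOF
    cat > "$dir/named.conf.local" <<'EOF'
include "/etc/bind/rndc.key";
include "/etc/bind/ddns.key";

// Control channel: loopback only, rndc-key only.
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Dynamic zone: a different key, restricted to names under the zone.
zone "middle-earth.local" {
        type master;
        file "/var/lib/bind/db.middle-earth.local";
        update-policy { grant ddns-key subdomain middle-earth.local. ANY; };
};
EOF
}

# key_names FILE...: print the names declared as  key "name" {  in FILE(s).
key_names() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)"[[:space:]]*{.*/\1/p' "$@"
}

# lint_update_keys RNDC_KEY_FILE CONF_FILE...
# Return 1 if any key declared in RNDC_KEY_FILE is referenced from an
# allow-update or update-policy clause in the config files, or if any key
# still uses hmac-md5; 0 otherwise. Text-based, so it copes with the flat
# include layout Debian uses but not with every exotic formatting.
lint_update_keys() {
    rndc_file=$1; shift
    status=0
    for name in $(key_names "$rndc_file"); do
        # Flatten to one line so multi-line clauses are matched as well.
        if cat "$@" | tr '\n' ' ' | grep -Eq \
            "(allow-update|update-policy)[[:space:]]*\\{[^}]*(\"$name\"|[[:space:]]$name[[:space:];])"
        then
            echo "rndc key \"$name\" is also used for dynamic updates" >&2
            status=1
        fi
    done
    if grep -Eiq '^[[:space:]]*algorithm[[:space:]]+hmac-md5' "$rndc_file" "$@"; then
        echo "hmac-md5 key present; regenerate with hmac-sha256" >&2
        status=1
    fi
    return $status
}

# Usage: sh lint_update_keys.sh /etc/bind/rndc.key /etc/bind/named.conf.local
if [ "$#" -ge 2 ]; then
    if lint_update_keys "$@"; then echo "ok: keys are separated, no hmac-md5"; fi
fi
```

After adopting a layout like this, run `named-checkconf /etc/bind/named.conf` before restarting, and keep ddns.key readable only by root and the bind group, as the rndc.key in post #5 already is. The lint is deliberately plain text: it is meant as a pre-commit or post-edit sanity check, not a parser for every BIND syntax variant.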
