Permission Denied Bind Slave Server Problems

I know this has been asked a few hundred times, because I think I've read them all.

I have two servers that I set up using the "The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server)" article. The servers both work perfectly, except the second is set up as a slave, and I'm getting this:

Code:

Sep 27 13:21:27 server2 named[25319]: zone tlthost.net/IN: Transfer started.
Sep 27 13:21:27 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#59827
Sep 27 13:21:27 server2 named[25319]: dumping master file: tmp-NrfJj6zM6s: open: permission denied
Sep 27 13:21:27 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
Sep 27 13:21:27 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: end of transfer

for all my slave zones. I have checked the named.conf, all the zone files, and everything looks exactly as it should. The file owners for /var/lib/named/etc/bind/, and all it's files are bind:bind. The permissions are 775. I have shut off, and removed AppArmor. I followed the suggestion for others that had the same problem of setting:

Code:

chown root:root /etc/bind/rndc.key
chmod 755 /etc/bind/rndc.key

but that didn't help.
I know it's just something I'm missing, but it's driving me nuts trying to find it!

 

What's in the log on the master when the slave tries to start a zone transfer?

 

This is from this morning.

PRIMARY SERVER:

Code:

Sep 28 06:55:35 server1 named[26955]: client 192.168.xx.xxx#49725: transfer of 'tlthost.net/IN': AXFR-style IXFR started
Sep 28 06:55:35 server1 named[26955]: client 192.168.xx.xxx#49725: transfer of 'tlthost.net/IN': AXFR-style IXFR ended

SLAVE:

Code:

Sep 28 06:55:35 server2 named[25319]: zone tlthost.net/IN: Transfer started.
Sep 28 06:55:35 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#49725
Sep 28 06:55:35 server2 named[25319]: dumping master file: tmp-eoC1UgYwOE: open: permission denied
Sep 28 06:55:35 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
Sep 28 06:55:35 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: end of transfer

 

Ok, the problem seems to be on the slave only, probably directory permissions. What's the output of

Code:

ls -la /etc/bind/

?

 

This is off of the slave:

Code:

root@server2:~# ls -la /etc/bind/
total 88
drwxrwsr-x 2 bind bind 4096 2008-09-27 13:24 .
drwxr-xr-x 3 root root 4096 2008-07-17 12:10 ..
-rw-r--r-- 1 bind bind  237 2008-07-07 17:06 db.0
-rw-r--r-- 1 bind bind  271 2008-07-07 17:06 db.127
-rw-r--r-- 1 bind bind  237 2008-07-07 17:06 db.255
-rw-r--r-- 1 bind bind  353 2008-07-07 17:06 db.empty
-rw-r--r-- 1 bind bind  545 2008-09-23 12:40 db.local
-rw-r--r-- 1 bind bind 2878 2008-07-07 17:06 db.root
-rw-r--r-- 1 root root 1725 2008-09-27 13:24 named.conf
-rw-r--r-- 1 root root  819 2008-08-02 12:54 named.conf~
-rw-r--r-- 1 bind bind  165 2008-07-07 17:06 named.conf.local
-rw-r--r-- 1 bind bind  695 2008-07-24 12:38 named.conf.options
-rw-r--r-- 1 root bind  769 2008-09-23 11:28 pri.191.223.64.in-addr.arpa
-rwxrwxr-x 1 bind bind   77 2008-07-17 12:08 rndc.key
-rw-r--r-- 1 bind bind  474 2008-09-29 16:19 sec.bette-ford.com
-rw-r--r-- 1 bind bind  508 2008-09-29 17:16 sec.blacks-abroad.com
-rw-r--r-- 1 bind bind  471 2008-09-29 16:17 sec.music-ink.com
-rw-r--r-- 1 bind bind  506 2008-09-29 15:37 sec.niquistanhope.com
-rw-r--r-- 1 bind bind  479 2008-09-29 15:14 sec.ourbookspace.com
-rw-r--r-- 1 bind bind  559 2008-09-29 17:07 sec.tlthost.net
-rw-r--r-- 1 bind bind  479 2008-09-29 16:02 sec.vonniehughes.com
-rw-r--r-- 1 bind bind 1317 2008-07-07 17:06 zones.rfc1918

 

Can you try this?

Code:

chown bind:bind /etc/bind/named.conf

 

Falko, I tried this. I changed all the serial numbers on the master zone files, then did a restart of Bind. I then used Webmin to force zone updates on the slave of two of the files, bette-ford.com and niquistanhope.com. I then let the system do it's own thing after that. Here is the log entries showing the updates. I broke it up to make it easier to see.

Code:

Sep 30 16:30:22 server2 named[29985]: zone bette-ford.com/IN: Transfer started.
Sep 30 16:30:22 server2 named[29985]: transfer of 'bette-ford.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#59075
Sep 30 16:30:22 server2 named[29985]: zone bette-ford.com/IN: transferred serial 2008093003
Sep 30 16:30:22 server2 named[29985]: transfer of 'bette-ford.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 16:30:22 server2 named[29985]: zone bette-ford.com/IN: sending notifies (serial 2008093003)

Sep 30 16:32:55 server2 named[29985]: zone niquistanhope.com/IN: Transfer started.
Sep 30 16:32:55 server2 named[29985]: transfer of 'niquistanhope.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#56298
Sep 30 16:32:55 server2 named[29985]: zone niquistanhope.com/IN: transferred serial 2008093003
Sep 30 16:32:55 server2 named[29985]: transfer of 'niquistanhope.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 16:32:55 server2 named[29985]: zone niquistanhope.com/IN: sending notifies (serial 2008093003)

Sep 30 16:39:59 server2 named[25319]: zone ourbookspace.com/IN: Transfer started.
Sep 30 16:39:59 server2 named[25319]: transfer of 'ourbookspace.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#41863
Sep 30 16:39:59 server2 named[25319]: dumping master file: tmp-3Bk5cAPzZU: open: permission denied
Sep 30 16:39:59 server2 named[25319]: transfer of 'ourbookspace.com/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
Sep 30 16:39:59 server2 named[25319]: transfer of 'ourbookspace.com/IN' from 192.168.xx.xxx#53: end of transfer

Sep 30 16:44:21 server2 named[29985]: client 88.191.64.64#52197: zone transfer 'tlthost.net/AXFR/IN' denied
Sep 30 16:46:08 server2 named[29985]: client 87.98.164.164#46434: zone transfer 'tlthost.net/AXFR/IN' denied

Sep 30 16:51:37 server2 named[29985]: zone ourbookspace.com/IN: Transfer started.
Sep 30 16:51:37 server2 named[29985]: transfer of 'ourbookspace.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#58254
Sep 30 16:51:37 server2 named[29985]: zone ourbookspace.com/IN: transferred serial 2008093003
Sep 30 16:51:37 server2 named[29985]: transfer of 'ourbookspace.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 16:51:37 server2 named[29985]: zone ourbookspace.com/IN: sending notifies (serial 2008093003)

Sep 30 17:12:35 server2 named[29985]: zone vonniehughes.com/IN: Transfer started.
Sep 30 17:12:35 server2 named[29985]: transfer of 'vonniehughes.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#55451
Sep 30 17:12:35 server2 named[29985]: zone vonniehughes.com/IN: transferred serial 2008093003
Sep 30 17:12:35 server2 named[29985]: transfer of 'vonniehughes.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 17:12:35 server2 named[29985]: zone vonniehughes.com/IN: sending notifies (serial 2008093003)

Sep 30 17:18:33 server2 named[29985]: zone music-ink.com/IN: Transfer started.
Sep 30 17:18:33 server2 named[29985]: transfer of 'music-ink.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#41365
Sep 30 17:18:33 server2 named[29985]: zone music-ink.com/IN: transferred serial 2008093003
Sep 30 17:18:33 server2 named[29985]: transfer of 'music-ink.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 17:18:33 server2 named[29985]: zone music-ink.com/IN: sending notifies (serial 2008093003)

Sep 30 17:46:03 server2 named[29985]: client 195.234.42.1#52919: zone transfer 'tlthost.net/AXFR/IN' denied
Sep 30 17:48:34 server2 named[29985]: client 195.234.42.1#54338: zone transfer 'tlthost.net/AXFR/IN' denied

Sep 30 17:54:51 server2 named[25319]: zone 191.223.64.in-addr.arpa/IN: Transfer started.
Sep 30 17:54:51 server2 named[25319]: transfer of '191.223.64.in-addr.arpa/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#54348
Sep 30 17:54:51 server2 named[25319]: transfer of '191.223.64.in-addr.arpa/IN' from 192.168.xx.xxx#53: failed while receiving responses: REFUSED
Sep 30 17:54:51 server2 named[25319]: transfer of '191.223.64.in-addr.arpa/IN' from 192.168.xx.xxx#53: end of transfer

Sep 30 18:01:44 server2 named[29985]: zone tlthost.net/IN: Transfer started.
Sep 30 18:01:44 server2 named[29985]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#48690
Sep 30 18:01:44 server2 named[29985]: zone tlthost.net/IN: transferred serial 2008093003
Sep 30 18:01:44 server2 named[29985]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 18:01:44 server2 named[29985]: zone tlthost.net/IN: sending notifies (serial 2008093003)

Sep 30 18:06:44 server2 named[29985]: zone blacks-abroad.com/IN: Transfer started.
Sep 30 18:06:44 server2 named[29985]: transfer of 'blacks-abroad.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#43491
Sep 30 18:06:44 server2 named[29985]: zone blacks-abroad.com/IN: transferred serial 2008093003
Sep 30 18:06:44 server2 named[29985]: transfer of 'blacks-abroad.com/IN' from 192.168.xx.xxx#53: end of transfer
Sep 30 18:06:44 server2 named[29985]: zone blacks-abroad.com/IN: sending notifies (serial 2008093003)

Sep 30 18:19:43 server2 named[25319]: zone tlthost.net/IN: Transfer started.
Sep 30 18:19:43 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#39139
Sep 30 18:19:43 server2 named[25319]: dumping master file: tmp-TIFUF7mdZe: open: permission denied
Sep 30 18:19:43 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
Sep 30 18:19:43 server2 named[25319]: transfer of 'tlthost.net/IN' from 192.168.xx.xxx#53: end of transfer

Sep 30 18:32:34 server2 named[25319]: transfer of 'music-ink.com/IN' from 192.168.xx.xxx#53: connected using 192.168.xx.xxx#55507
Sep 30 18:32:34 server2 named[25319]: dumping master file: tmp-j2wvUvmPaP: open: permission denied
Sep 30 18:32:34 server2 named[25319]: transfer of 'music-ink.com/IN' from 192.168.xx.xxx#53: failed while receiving responses: permission denied
Sep 30 18:32:34 server2 named[25319]: transfer of 'music-ink.com/IN' from 192.168.xx.xxx#53: end of transfer

I've checked, and all the ones I changed have updated on the slave zones now. As you can see, I'm still getting "permission denied" errors though. At least it seems that the updates are getting through.

 

I keep checking every day, and the same thing is still going on. The slave zones seem to be getting updated when I change the serial number on the masters, but I keep getting "dumping master file: tmp-eoC1UgYwOE: open: permission denied" like errors on all of them.

The only thing I haven't tried for a while is the suggestion to move all the slave zone files to a different directory. I tried it once before, but it didn't work at all. No updates were getting through anytime. I might have had the file permissions wrong at the time though. I still would rather not do that if possible because I like the setup as it is now.

This really is frustrating, especially since nothing seems to be wrong.

 

You can try this: http://www.lunarlamp.co.uk/bind-permission-denied-solution

 

I think he typed his solution backwards, but I'm giving it a try now.
I did:

Code:

chown bind:bind /var/cache/bind
chmod g+w /var/cache/bind

I'll check my logs a bit later. I don't think it's related, but I also get an occasional rndc permission fail when I try to restart bind.

 

here's what I'm seeing now. I did the change the serial number routine again, restarted it all, then waited for a log entry to show up. the first one was this:

Code:

Oct  5 16:32:55 server2 named[30764]: transfer of 'bette-ford.com/IN' from 192.168.xx.x00#53: failed to connect: connection refused
Oct  5 16:32:55 server2 named[30764]: transfer of 'bette-ford.com/IN' from 192.168.xx.x00#53: end of transfer

. The transfer didn't go through.

I then used Webmin's "force zone update" button a little later and got this:

Code:

Oct  5 16:49:20 server2 named[30764]: zone bette-ford.com/IN: Transfer started.
Oct  5 16:49:20 server2 named[30764]: transfer of 'bette-ford.com/IN' from 192.168.xx.x00#53: connected using 192.168.xx.x10#49054
Oct  5 16:49:20 server2 named[30764]: zone bette-ford.com/IN: transferred serial 2008100504
Oct  5 16:49:20 server2 named[30764]: transfer of 'bette-ford.com/IN' from 192.168.xx.x00#53: end of transfer
Oct  5 16:49:20 server2 named[30764]: zone bette-ford.com/IN: sending notifies (serial 2008100504)

.

The only difference I see is the "connected using 192.168.xx.x10#49054" where the automatic transfer says "failed to connect: connection refused".

 

I guess no one has any ideas, so I tried something different.

I copied the slave zone files to /var/cache/bind/ as was suggested in many discussions. I then changed the serial numbers, and a couple of other slight changes to the zone files on the primary server. i watched the logs on the slave server, and was thrilled to see the files update without any errors. Then a short time later, I looked at the log again, and saw the same files, and the same permission errors. It showed the new directory, but the errors were still coming.

So now the question is, why does it update perfectly when there is an actual change in the file, but throws an error if the slave looks for an update when it's not needed?

 

It still doesn't look like anyone has any ideas, but I think I have it working finally. This is a chrooted version of bind running under the user 'bind'. The zone files are in /var/lib/named/etc/bind/ on both the master, and the slave servers. The /var/lib/named/etc/bind/ directory on both were chown bind:bind, but if I switch the slave to be root:bind, it works. The errors stopped as soon as I made the change. I don't know if that might help others, or even if it's the correct way to go; all I know is it works for now.

 

Actually, I think this a DNS configuration issue, I just had a similar problem. Setting the slave server in Virutalmin simply tells bind that it should tell another server to update, and it also sets up those servers to allow for an update. If you changed the /etc/named.conf so that:

zone "mydomain.co.uk" {
type master;
file "/var/named/mydomain.co.uk.hosts";
also-notify {
11.22.33.44;
};
allow-transfer {
127.0.0.1;
localnets;
11.22.33.44;
};
};

Where 11.22.33.44 is the IP of your slave, I think this would solve the issue. The reason for the REFUSED was that when the slave server queried your master server, it's IP wasn't in the allow-transfer object.

 

I was able to fix this problem by changing the permissions and groups of the /etc/bind directory.

I had to change the group of the entire /etc/bind directory to "named", and then changed the permissions of /etc/bind to allow the group to have write access.

 

I have 2 debian sqeeze, ns1 and ns2
i solved the issue with

Code:

chmod g+w /etc/bind/slave/

i think this is a bug on ispconfig install; should i file a bug on http://bugtracker.ispconfig.org/ ?

 

Had similar problem on my slave, solved it with:

chown bind:bind /etc/bind/named.conf /etc/bind/slave

 

Solution on Standard Centos 6.5

Hi

Even though it's 5 years+ old, i would like to thank the people in this post,
On CentOS 6.5 this is still a solution. I will however add something that i think some people wonder about, namely "what directory should i change?".

Code:

Mar 22 12:18:54 vm-centos64-001 named[31686]: dumping master file: tmp-FuZsqAqxbi: open: permission denied

He tries to create a file in his default directory.
If you check where named is creating these files based on the configuration.

Code:

Look for this in named.conf

options {
...
directory       "/var/named";
...
};

Now we know, that on CentOS 6.5 it stores those files there,
So in my case a chmod g+w on that /var/named/ folder was the solution to solving my "dumping master file: tmp-FuZsqAqxbi: open: permission denied" errors.

Kind regards,

Preatorian

 

Solved for me too

 

This is the simple answer. Whenever slave retrieves from master, 'named' will write zone file that received from master to '/var/named/' folder.

chmod g+w on that /var/named/​