Unable to perform zone transfer for DNS

feef · 01-05-2006, 02:07 AM

Hi Guys!

I am having a problem with my DNS servers. It is running on RHEL 4.0 and have bind-9.2.4-2 installed.

I have a master and slave dns server. They are both able to dig and nslookup correctly. However, I am unable to perform zone transfers from the master to slave dns server.

The Named service had been started on both master and slave machines.

/var/log/messages on my master server shows this:

Jan 5 16:00:39 libra named[3952]: client 192.168.10.222#32809: transfer of 'bcsis.com/IN': AXFR-style IXFR started

/var/log/messages on my slave server shows this:

Jan 5 16:00:37 pisces named[3791]: dumping master file: tmp-XXXXM7QUDU: open: permission denied
Jan 5 16:00:37 pisces kernel: audit(1136448037.369:0): avc: denied { write } for pid=3792 comm=named name=named dev=sda3 ino=1687907 scontext=root:system_r:named_t tcontext=root

bject_r:etc_t tclass=dir
Jan 5 16:00:37 pisces named[3791]: transfer of 'bcsis.com/IN' from 192.168.10.221#53: failed while receiving responses: permission denied
Jan 5 16:00:37 pisces named[3791]: transfer of 'bcsis.com/IN' from 192.168.10.221#53: end of transfer

All files and folders related to named are issued the "chown named.named *" command. Let me know if I can provide more information to this problem.

Hope you guys can help me with this problem.

Thanks in advance! :|

Cheers,
feef

collins92 · 01-05-2006, 03:52 PM

Hi Feef,

I set up RHEL 4 this summer and I remember having the same problem. I went back to my notes and I see that I turned off SELinux protection on the named daemon. This was under System Settings, Security Level, SELinux Tab. I expanded what was under the Name Service and checked 'Disable SELinux protection for named service'

According to my notes, my zones transferred after that. However, I don't know exactly what protection I lost by changing this setting. Someone else may be able to explain further. I am fairly new to Linux so I do not claim to be an authority. I just saw your post and thought it sounded like what I experienced. Hopefully this will help.

Collins92

centauricw · 01-05-2006, 08:30 PM

RHEL 4 has the named daemon locked down under SELinux and the only valid directories for zone files are /var/named with slave zones in /var/named/slaves. If you attempt to move these directories elsewhere with SELinux on, you get these very error messages. You either have to turn SELinux off or modify the SELinux conf files.

lapicella27 · 04-24-2006, 03:10 PM

you need to make these changes on your named.conf file on your secondary or slave server:

options {
directory "var/named/slaves";
query-source address * port 53;
};

you can only allow postings as a slave to the slave directory. That should work for you. I had the same message and that is what I figured out to be the issue. One change at a time!

Good luck!!