Article ID: 118161, created on Oct 24, 2013, last review on Jun 16, 2016

Applies to: Odin Business Automation Standard

Symptoms

Domains with DNS hosting no longer resolve. The following errors appear in the system log file on the OBAS-managed name servers:

/var/log/messages
--->8---
Oct 20 05:23:32 ns1 named[13528]: dumping master file: tmp-NJq7i2j3Bd: open: permission denied
Oct 20 05:23:32 ns1 named[13528]: transfer of 'DOMAIN.TLD/IN' from 123.123.123.123#53: failed while receiving responses: permission denied
Oct 20 05:23:32 ns1 named[13528]: transfer of 'DOMAIN.TLD/IN' from 123.123.123.123#53: end of transfer
---8<---

Where 123.123.123.123 is the IP address of the OBAS node.

Cause

Broken permissions on the /var/named directory on the name servers:

[root@ns1 ~]# ls -ld /var/named/named.zones /var/named/
-rw-r---- 1 root named 17507 Sep  7 09:24 /var/named/named.zones
drwxr-x--- 5 root named 12288 Sep 18 21:53 /var/named/

[root@ns1 ~]# ll /var/named | grep zone
-rw-r----- 1 root      named   768 Sep 18 20:12 DOMAIN1.TLD.zone
-rw-r----- 1 root      named   771 Sep 18 20:37 DOMAIN2.TLD.zone

This might be caused by a manual upgrade of the BIND package on the name servers.

A trailing dot after the permission bits means that the files carry an SELinux security context, so SELinux may be in Enforcing mode:

[root@ns1 ~]# ls -ld /var/named/named.zones /var/named/
-rw-r----. 1 root named 17507 Sep  7 09:24 /var/named/named.zones
drwxr-x---. 5 root named 12288 Sep 18 21:53 /var/named/

[root@ns1 ~]# ll /var/named | grep zone
-rw-r----. 1 root      named   768 Sep 18 20:12 DOMAIN1.TLD.zone
-rw-r----. 1 root      named   771 Sep 18 20:37 DOMAIN2.TLD.zone

To verify that, run:

# getenforce

In Enforcing mode the output is:

Enforcing

Resolution

Fix permissions manually on all OBAS-managed name servers:

[root@ns1 ~]# chown named:named /var/named/*.zone
[root@ns1 ~]# chmod 644 /var/named/*.zone
[root@ns1 ~]# chown namedsync:named /var/named/
[root@ns1 ~]# chmod 770 /var/named
[root@ns1 ~]# chown namedsync:named /var/named/named.zones

Switch SELinux to Permissive mode: open the file /etc/selinux/config in any editor, find the line

SELINUX=%value%

and change it to

SELINUX=permissive
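
The script below is an added example, not part of the original article or of OBAS: it compares /var/named with the ownership and modes that the chown/chmod commands in the Resolution set, so each name server can be checked before and after the fix. The function and variable names are this example's own, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Expected state, taken from the chown/chmod commands in the Resolution.
# Variable and function names are this example's own (hypothetical).
NAMED_DIR_OWNER="${NAMED_DIR_OWNER:-namedsync:named}"  # /var/named, named.zones
NAMED_ZONE_OWNER="${NAMED_ZONE_OWNER:-named:named}"    # *.zone files

# check_path PATH OWNER [MODE]: print one line per mismatch, return 1 on any.
check_path() {
    local path="$1" want_owner="$2" want_mode="${3:-}" owner mode rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    owner=$(stat -c '%U:%G' -- "$path")   # GNU stat assumed
    mode=$(stat -c '%a' -- "$path")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $path: $owner (expected $want_owner)"
        rc=1
    fi
    if [ -n "$want_mode" ] && [ "$mode" != "$want_mode" ]; then
        echo "MODE $path: $mode (expected $want_mode)"
        rc=1
    fi
    return "$rc"
}

# audit_named [DIR]: return 0 only when every checked path matches.
audit_named() {
    local dir="${1:-/var/named}" rc=0 zone
    check_path "$dir" "$NAMED_DIR_OWNER" 770 || rc=1
    # The Resolution changes only the owner of named.zones, so its mode is skipped.
    check_path "$dir/named.zones" "$NAMED_DIR_OWNER" || rc=1
    for zone in "$dir"/*.zone; do
        [ -e "$zone" ] || continue   # glob matched nothing
        check_path "$zone" "$NAMED_ZONE_OWNER" 644 || rc=1
    done
    return "$rc"
}

# Audit only when a directory is passed, e.g.: ./audit_named.sh /var/named
if [ "$#" -gt 0 ]; then
    audit_named "$1" && echo "OK: $1 matches the expected permissions"
fi
```

A non-zero exit status with OWNER, MODE or MISSING lines identifies the paths that still differ from the state the Resolution sets.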

See also

Incorrect file permissions on slave name servers
