
Article ID: 118161, created on Oct 24, 2013, last review on Jun 16, 2016

  • Applies to:
  • Odin Business Automation Standard

Symptoms

Domains with DNS hosting no longer resolve. The following errors appear in the system log file on the OBAS-managed name servers:

/var/log/messages
--->8---
Oct 20 05:23:32 ns1 named[13528]: dumping master file: tmp-NJq7i2j3Bd: open: permission denied
Oct 20 05:23:32 ns1 named[13528]: transfer of 'DOMAIN.TLD/IN' from 123.123.123.123#53: failed while receiving responses: permission denied
Oct 20 05:23:32 ns1 named[13528]: transfer of 'DOMAIN.TLD/IN' from 123.123.123.123#53: end of transfer
---8<---

Where 123.123.123.123 is the IP address of the OBAS node.

Cause

The permissions on the /var/named directory on the name servers are broken:

[root@ns1 ~]# ls -ld /var/named/named.zones /var/named/
-rw-r---- 1 root named 17507 Sep  7 09:24 /var/named/named.zones
drwxr-x--- 5 root named 12288 Sep 18 21:53 /var/named/

[root@ns1 ~]# ll /var/named | grep zone
-rw-r----- 1 root      named   768 Sep 18 20:12 DOMAIN1.TLD.zone
-rw-r----- 1 root      named   771 Sep 18 20:37 DOMAIN2.TLD.zone

This might be caused by a manual upgrade of the BIND package on the name servers.

If the permissions are followed by a dot, the files carry an SELinux security context, which suggests that SELinux is in Enforcing mode:

[root@ns1 ~]# ls -ld /var/named/named.zones /var/named/
-rw-r----. 1 root named 17507 Sep  7 09:24 /var/named/named.zones
drwxr-x---. 5 root named 12288 Sep 18 21:53 /var/named/

[root@ns1 ~]# ll /var/named | grep zone
-rw-r----. 1 root      named   768 Sep 18 20:12 DOMAIN1.TLD.zone
-rw-r----. 1 root      named   771 Sep 18 20:37 DOMAIN2.TLD.zone

To verify that, please run

# getenforce

Output should be:

Enforcing

Resolution

Fix permissions manually on all OBAS-managed name servers:

[root@ns1 ~]# chown named:named /var/named/*.zone
[root@ns1 ~]# chmod 644 /var/named/*.zone
[root@ns1 ~]# chown namedsync:named /var/named/
[root@ns1 ~]# chmod 770 /var/named
[root@ns1 ~]# chown namedsync:named /var/named/named.zones

Switch SELinux to Permissive mode: open the file /etc/selinux/config in any editor, find the line

SELINUX=%value%

and change it to

SELINUX=permissive
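
To confirm the result on each name server, the following added example (not part of the original article or of OBAS) compares /var/named, named.zones and the *.zone files with the owners and modes set by the commands above, and prints the SELinux mode. It only reads; the function names and the optional arguments are assumptions of this example, and it requires GNU stat.

```shell
#!/bin/sh
# Added example (not from the article): read-only audit of the zone
# directory against the owners and modes set in the Resolution section.
# Assumes GNU stat ("stat -c"), as shipped on RHEL/CentOS name servers.

# check_one PATH OWNER:GROUP [MODE] - compare and report; 1 on mismatch.
check_one() {
    mode=${3:-}
    fmt='%U:%G %a'; want="$2 $mode"
    [ -n "$mode" ] || { fmt='%U:%G'; want=$2; }   # no mode given: owner only
    have=$(stat -c "$fmt" "$1" 2>/dev/null) || { echo "MISSING  $1"; return 1; }
    [ "$have" = "$want" ] && { echo "OK       $1 ($have)"; return 0; }
    echo "MISMATCH $1 is '$have', expected '$want'"
    return 1
}

# audit_named_dir [DIR] [DIR_OWNER] [ZONE_OWNER]
# Defaults are the article's values; the optional arguments are an
# assumption of this example so it can be tried on a scratch directory.
audit_named_dir() {
    dir=${1:-/var/named}
    dir_owner=${2:-namedsync:named}
    zone_owner=${3:-named:named}
    bad=0

    check_one "$dir" "$dir_owner" 770 || bad=$((bad + 1))
    # The article changes only the owner of named.zones, not its mode.
    check_one "$dir/named.zones" "$dir_owner" || bad=$((bad + 1))
    for z in "$dir"/*.zone; do
        [ -e "$z" ] || continue                   # glob matched nothing
        check_one "$z" "$zone_owner" 644 || bad=$((bad + 1))
    done

    # Report the SELinux mode, which the article checks with getenforce.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce)"
    fi
    echo "$bad mismatch(es) in $dir"
    [ "$bad" -eq 0 ]
}

# On a name server, run with no arguments: audit_named_dir
```

A non-zero return status means at least one path still differs from the values in the Resolution section.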

See also

Incorrect file permissions on slave name servers
