Linux – bind: data/named.run permission denied

Tags: bind, linux

I just installed Fedora 23 and bind-9.10 on it, and the default installation does not run. I only created a zone file (which has been OK'd by the syntax check process), but this error is not related to any zone data I have created:

Jan 05 08:05:09 localhost.localdomain named[5786]: isc_file_isplainfile 'data/named.run' failed: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: configuring logging: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: loading configuration: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: exiting (due to fatal error)

These are the permissions on the relevant directories:

[root@localhost named]# ls -dl /var/named
drwxr-x---. 5 root named 4096 Jan  5 07:58 /var/named
[root@localhost named]# ls -dl /var/named/data
drwxrwx---. 2 named named 4096 Dec 16 12:15 /var/named/data
[root@localhost named]# 

The directory /var/named/data is empty.

The strace shows the same error:

[pid  5794] open("/dev/random", O_RDONLY|O_NONBLOCK) = 10
[pid  5794] fcntl(10, F_GETFL)          = 0x8800 (flags O_RDONLY|O_NONBLOCK|O_LARGEFILE)
[pid  5794] fcntl(10, F_SETFL, O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 0
[pid  5794] stat("data/named.run", 0x7f04aaf72630) = -1 EACCES (Permission denied)

I expected that the default installation would not have such errors, like the configuration of directory permissions. What is the problem here?

This is my /etc/named.conf file:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.14; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};


zone "supervisedchat.com" {
    type master;
    file "/var/named/supervisedchat.dns";  # 10.128.0.0/16 subnet
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/named/supervisedchat.rev";  # 10.128.0.0/16 subnet
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Best Answer

I've encountered the same problem when setting up named in a container. You must run named as the correct user, which is named on Red Hat/Fedora:

named -u named   # Possibly in the foreground using an additional -g

named drops all capabilities when starting (except the one to bind to low ports), so root loses its capability to read everyone's files, too. I.e. the "named root" can't read named's files anymore. That's why you have to run it as the user named using -u named.

From the man page:

Note: On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind(2) to a privileged port and set process resource limits.

The default configuration on Fedora (or at least on the current Fedora 30) runs it using the correct option, however, when debugging you need to supply it manually, e.g. named -u named -g.
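To see why a capability-stripped root hits EACCES where the named user does not, here is an added example (not code from the question or the answer) that models the kernel's per-directory search check using the ownership and modes from the `ls -dl` output above; the assumption that root is not a member of group named, and the treatment of CAP_DAC_OVERRIDE as a blanket bypass, are simplifications for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset  # group memberships by name
    dac_override: bool = False  # still holds CAP_DAC_OVERRIDE? (simplified)


# Constructed from the `ls -dl` output in the question.
TREE = {
    "/var/named": Dir("root", "named", 0o750),
    "/var/named/data": Dir("named", "named", 0o770),
}


def search_allowed(d: Dir, who: Principal) -> bool:
    """Unix DAC: pick the owner, group or other triplet, then test the x bit."""
    if who.dac_override:
        return True
    if who.user == d.owner:
        bits = d.mode >> 6
    elif d.group in who.groups:
        bits = d.mode >> 3
    else:
        bits = d.mode
    return bool(bits & 0o1)


def lookup(working_dir: str, relpath: str, who: Principal):
    """Walk each directory from the root down to the parent of relpath, as the
    kernel does for stat(). Returns (ok, first_directory_denying_search).
    Directories absent from TREE (e.g. /var) are assumed world-searchable."""
    parent = (working_dir.rstrip("/") + "/" + relpath).rsplit("/", 1)[0]
    path = ""
    for part in parent.strip("/").split("/"):
        path += "/" + part
        d = TREE.get(path)
        if d is not None and not search_allowed(d, who):
            return False, path
    return True, None


if __name__ == "__main__":
    named = Principal("named", frozenset({"named"}))
    root_dropped = Principal("root", frozenset({"root"}))  # after named drops caps
    print(lookup("/var/named", "data/named.run", named))         # (True, None)
    print(lookup("/var/named", "data/named.run", root_dropped))  # (False, '/var/named/data')
```

The second call reproduces the strace line: the walk succeeds through /var/named (root owns it) and is refused at /var/named/data, which is named:named 0770, so `-u named` is what makes the path reachable.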