I had problems with bind9 on 14.04 LTS.
sudo service bind9 start
produces the following log:
May 20 21:47:46 c1 named[1110]: starting BIND 9.9.5-3-Ubuntu -u bind
May 20 21:47:46 c1 named[1110]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
May 20 21:47:46 c1 named[1110]: ----------------------------------------------------
May 20 21:47:46 c1 named[1110]: BIND 9 is maintained by Internet Systems Consortium,
May 20 21:47:46 c1 named[1110]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 20 21:47:46 c1 named[1110]: corporation. Support and training for BIND 9 are
May 20 21:47:46 c1 named[1110]: available at https://www.isc.org/support
May 20 21:47:46 c1 named[1110]: ----------------------------------------------------
May 20 21:47:46 c1 named[1110]: adjusted limit on open files from 4096 to 1048576
May 20 21:47:46 c1 named[1110]: found 2 CPUs, using 2 worker threads
May 20 21:47:46 c1 named[1110]: using 2 UDP listeners per interface
May 20 21:47:46 c1 named[1110]: using up to 4096 sockets
May 20 21:47:46 c1 named[1110]: loading configuration from '/etc/bind/named.conf'
May 20 21:47:46 c1 named[1110]: reading built-in trusted keys from file '/etc/bind/bind.keys'
May 20 21:47:46 c1 named[1110]: using default UDP/IPv4 port range: [1024, 65535]
May 20 21:47:46 c1 named[1110]: using default UDP/IPv6 port range: [1024, 65535]
May 20 21:47:46 c1 named[1110]: listening on IPv4 interface lo, 127.0.0.1#53
May 20 21:47:46 c1 named[1110]: generating session key for dynamic DNS
May 20 21:47:46 c1 named[1110]: sizing zone task pool based on 25 zones
May 20 21:47:46 c1 named[1110]: using built-in DLV key for view _default
May 20 21:47:46 c1 named[1110]: using built-in root key for view _default
May 20 21:47:46 c1 named[1110]: set up managed keys zone for view _default, file 'managed-keys.bind'
May 20 21:47:46 c1 named[1110]: command channel listening on 127.0.0.1#953
May 20 21:47:46 c1 named[1110]: isc_file_isplainfile '/var/log/named/query.log' failed: permission denied
May 20 21:47:46 c1 named[1110]: configuring logging: permission denied
May 20 21:47:46 c1 named[1110]: loading configuration: permission denied
May 20 21:47:46 c1 named[1110]: exiting (due to fatal error)
named.conf.log preview:
root@c1:/etc/bind# cat named.conf.log
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 5m;
        // Set the severity to dynamic to see all the debug messages.
        print-category yes;
        print-severity yes;
        print-time yes;
        severity dynamic;
    };
    channel update_debug {
        file "/var/log/named/update_debug.log" versions 3 size 5m;
        severity debug ;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/named/security_info.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel bind_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries {
        query_log;
    };
    category security {
        security_info;
    };
    category update-security {
        update_debug;
    };
    category update {
        update_debug;
    };
    category lame-servers {
        null;
    };
    category default {
        bind_log;
    };
};
The named-checkconf command returns no errors.
The problem was resolved through file permissions and AppArmor.
AppArmor fix
Copy-paste of the complete file, excluding the first line:
root@c1:/etc/bind# cat /etc/apparmor.d/usr.sbin.named
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_chroot,
    capability sys_resource,
    # /etc/bind should be read-only for bind
    # /var/lib/bind is for dynamically updated zone (and journal) files.
    # /var/cache/bind is for slave/stub data, since we're not the Origin of it.
    # See /usr/share/doc/bind9/README.Debian.gz
    /etc/bind/** r,
    /var/lib/bind/** rw,
    /var/lib/bind/ rw,
    /var/cache/bind/** lrw,
    /var/cache/bind/ rw,
    # gssapi
    /etc/krb5.keytab kr,
    /etc/bind/krb5.keytab kr,
    # ssl
    /etc/ssl/openssl.cnf r,
    # GeoIP data files for GeoIP ACLs
    /usr/share/GeoIP/** r,
    # dnscvsutil package
    /var/lib/dnscvsutil/compiled/** rw,
    /proc/net/if_inet6 r,
    /proc/*/net/if_inet6 r,
    /usr/sbin/named mr,
    /{,var/}run/named/named.pid w,
    /{,var/}run/named/session.key w,
    # support for resolvconf
    /{,var/}run/named/named.options r,
    # some people like to put logs in /var/log/named/ instead of having
    # syslog do the heavy lifting.
    /var/log/named/** rw,
    #added line here
    /var/log/named/* rw,
    /var/log/named/ rw,
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.named>
}
Bind9 fix
Then I changed the permissions until it worked.
Changes in /var/log/named:
chown -R bind:root /var/log/named
chmod -R 775 /var/log/named
Result of the commands above:
root@c1:/etc/bind# ls -lha /var/log/named/
total 196K
drwxrwxr-x 2 bind root 4,0K мај 20 20:38 .
drwxrwxr-x 18 root syslog 4,0K мај 21 00:46 ..
-rwxrwxr-x 1 bind root 6,8K мај 21 01:20 bind.log
-rwxrwxr-x 1 bind root 0 мај 20 19:30 bind.log~
-rwxrwxr-x 1 bind root 167K мај 21 01:21 query.log
-rwxrwxr-x 1 bind root 1 мај 20 23:14 security_info.log
-rwxrwxr-x 1 bind root 0 мај 20 19:30 security_info.log~
-rwxrwxr-x 1 bind root 1 мај 20 23:13 update_debug.log
-rwxrwxr-x 1 bind root 0 мај 20 19:23 update_debug.log~
Changes in /etc/bind:
chown -R bind:root /etc/bind
chmod -R 774 /etc/bind
Result of the commands above:
root@c1:/etc/bind# ls -lha /etc/bind
total 120K
drwxrwsr-- 3 bind root 4,0K мај 21 00:33 .
drwxr-xr-x 150 root root 12K мај 21 00:34 ..
-rwxrwxr-- 1 bind root 2,4K мар 24 18:06 bind.keys
-rwxrwxr-- 1 bind root 237 мар 24 18:06 db.0
-rwxrwxr-- 1 bind root 271 мар 24 18:06 db.127
-rwxrwxr-- 1 bind root 237 мар 24 18:06 db.255
-rwxrwxr-- 1 bind root 353 мар 24 18:06 db.empty
-rwxrwxr-- 1 bind root 270 мар 24 18:06 db.local
-rwxrwxr-- 1 bind root 3,0K мар 24 18:06 db.root
-rwxrwxr-- 1 bind root 860 мај 20 18:54 named.conf
-rwxrwxr-- 1 bind root 1,1K мај 20 18:49 named.conf~
-rwxrwxr-- 1 bind root 490 мар 24 18:06 named.conf.default-zones
-rwxrwxr-- 1 bind root 475 мај 20 22:24 named.conf.local
-rwxrwxr-- 1 bind root 477 мај 20 22:22 named.conf.local~
-rwxrwxr-- 1 bind root 1002 мај 20 23:12 named.conf.log
-rwxrwxr-- 1 bind root 1002 мај 20 23:11 named.conf.log~
-rwxrwxr-- 1 bind root 1,1K мај 21 00:33 named.conf.log.save
-rwxrwxr-- 1 bind root 1,4K мај 20 18:50 named.conf.options
-rwxrwxr-- 1 bind root 1,4K мај 18 23:23 named.conf.options~
-rwxrwxr-- 1 bind root 77 мај 20 04:25 rndc.key
drwxrwxr-- 2 bind root 4,0K мај 18 23:23 zones
-rwxrwxr-- 1 bind root 1,3K мар 24 18:06 zones.rfc1918
Note: this bind9 installation is not chrooted.
Now Bind9 works:
root@c1:/etc/bind# service bind9 start
* Starting domain name service... bind9 [ OK ]
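A small triage script I would add here (example code, not from the original post): it pulls the real culprit path out of the named log instead of trusting the generic "loading configuration: permission denied" line, reports whether the /usr/sbin/named AppArmor profile is in complain mode (which only logs denials rather than blocking them, so the profile as pasted above is not enforcing anything), and grades a directory mode so that recursive 775/774-style chmods stand out as wider than the bind user needs. The bind:bind owner/group and the 0750 mode in the suggested command are my assumptions; the log above only shows "-u bind".

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a failed
# "service bind9 start" like the one logged above.

# Print the first path named could not open, reading the named log on stdin.
# named names the real culprit in an "isc_file_isplainfile '<path>' failed" line
# before the generic "configuring logging"/"loading configuration" errors.
culprit_path() {
    sed -n "s/.*isc_file_isplainfile '\([^']*\)' failed: permission denied.*/\1/p" | head -n 1
}

# Report the mode of the /usr/sbin/named AppArmor profile, reading the profile
# text on stdin. complain = denials are only logged, enforce = they are blocked.
# Prints complain|enforce|none.
named_profile_mode() {
    hdr=$(grep -E '^[[:space:]]*/usr/sbin/named[[:space:]]' | head -n 1)
    case "$hdr" in
        "") echo none ;;
        *flags=*complain*) echo complain ;;
        *) echo enforce ;;
    esac
}

# Grade a directory mode (750 or 0750) for a log directory owned by the bind
# user: the owner needs rwx; group and others must not be able to write.
# Prints ok|too-open|too-tight.
judge_dir_mode() {
    m=${1#0}
    o=$(( (m / 100) % 10 )); g=$(( (m / 10) % 10 )); w=$(( m % 10 ))
    if [ "$o" -ne 7 ]; then echo too-tight
    elif [ $(( g & 2 )) -ne 0 ] || [ $(( w & 2 )) -ne 0 ]; then echo too-open
    else echo ok
    fi
}

# Print (do not run) a least-privilege fix for the directory holding the culprit.
# bind:bind and 0750 are assumptions; the log above only shows "-u bind".
suggest_fix() {
    printf 'install -d -o bind -g bind -m 0750 %s\n' "$(dirname "$1")"
}

# Constructed sample: the decisive line from the log in the question.
SAMPLE_LOG="May 20 21:47:46 c1 named[1110]: isc_file_isplainfile '/var/log/named/query.log' failed: permission denied"

culprit=$(printf '%s\n' "$SAMPLE_LOG" | culprit_path)
echo "culprit: $culprit"
echo "chmod -R 775 grade: $(judge_dir_mode 775)"
suggest_fix "$culprit"
```

Feed it the real journal and profile with `journalctl -u bind9 | culprit_path` and `named_profile_mode < /etc/apparmor.d/usr.sbin.named` once the functions are sourced.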
I came here because of a general permission problem when starting bind.
It seems that bind will log that it is not granted permission to named.conf, whether or not that is the file causing the problem.
Apparently the user that bind runs as needs read/write AND execute access to the zone files, but only needs read access to the other configuration files.
I have apparmor installed but I don't use it.
Creating the /var/log/named folder with permissions bind:bind 755 was all I had to do. The log files themselves are generated with permissions bind:bind 644.