Rocky007 n00b
Joined: 22 Dec 2014 Posts: 66
Posted: Wed Feb 14, 2018 10:31 am Post subject: [solved] Bind permission denied on DDNS Update via DHCP
Hello,
when a client gets an IP via DHCP I want to update the DNS zone as well.
I've set up bind with the zones etc. (no chroot environment) but it says "Permission Denied"...
Code:
13-Feb-2018 17:45:02.135 update-security: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: signer "dhcp_updater" approved
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' A 192.168.1.5
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' TXT "31736cad8d609e589a58b3efa14718a76c"
13-Feb-2018 17:45:02.135 general: error: pri/intern.rock.lan.jnl: create: permission denied
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': error: journal open failed: unexpected error
13-Feb-2018 17:45:03.675 resolver: info: bad cookie from 192.168.178.1#53
Code:
ls -lah /etc/ | grep bind
drwxr-xr-x 2 named root 4,0K 14. Feb 08:48 bind
Code:
ls -lah /etc/bind
drwxr-xr-x 2 named root 4,0K 14. Feb 08:48 .
drwxr-xr-x 82 root root 4,0K 14. Feb 08:46 ..
-rw-r----- 1 root named 3,9K 14. Feb 08:46 bind.keys
lrwxrwxrwx 1 root root 13 14. Feb 08:46 dyn -> /var/bind/dyn
-rw-r----- 1 root named 2,2K 9. Feb 08:23 named.conf
-rw-r----- 1 root named 1,6K 6. Feb 21:11 named.conf.save
lrwxrwxrwx 1 root root 13 14. Feb 08:46 pri -> /var/bind/pri
-rw-r----- 1 root named 77 8. Aug 2017 rndc.key
lrwxrwxrwx 1 root root 13 14. Feb 08:46 sec -> /var/bind/sec
Code:
ls -lah /etc/bind/pri
lrwxrwxrwx 1 root root 13 14. Feb 08:46 /etc/bind/pri -> /var/bind/pri
Code:
ls -lah /var/ | grep bind
drwxrwx--- 5 root named 4,0K 14. Feb 08:46 bind
Code:
ls -lah /var/bind
drwxrwx--- 5 root named 4,0K 14. Feb 08:46 .
drwxr-xr-x 13 root root 4,0K 11. Dez 20:37 ..
drwxrwx--- 2 root named 4,0K 14. Feb 08:46 dyn
-rw-r--r-- 1 named named 1,4K 14. Feb 08:26 managed-keys.bind
-rw-r--r-- 1 named named 512 14. Feb 08:26 managed-keys.bind.jnl
-rw-r----- 1 root named 3,3K 14. Feb 08:46 named.cache
drwxr-x--- 2 root named 4,0K 14. Feb 08:46 pri
lrwxrwxrwx 1 root root 11 14. Feb 08:46 root.cache -> named.cache
drwxrwx--- 2 root named 4,0K 14. Feb 08:46 sec
Last edited by Rocky007 on Fri Feb 16, 2018 9:02 am; edited 2 times in total
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Wed Feb 14, 2018 12:28 pm
Hi,
you have issues creating a journal file. Can you post your config files please? Maybe there is the issue.
greets, bb
_________________
1st: i5-7400, 16GB, 2TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 32GB, 14.5TB
4th: i5-3210M, 8GB, 512GB
5th: i5-3210M, 8GB, 120GB
Rocky007 n00b
Joined: 22 Dec 2014 Posts: 66
Posted: Wed Feb 14, 2018 12:48 pm
/etc/hosts
Code:
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the
# local hosts that share this file.
#
# The format of lines in this file is:
#
# IP_ADDRESS canonical_hostname [aliases...]
#
#The fields can be separated by any number of spaces or tabs.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#
# IPv4 and IPv6 localhost aliases
127.0.0.1 sg1 ns localhost
::1 sg1 ns localhost
/etc/conf.d/named
Code:
# Set various named options here.
#
#OPTIONS=""
# Set this to the number of processors you want bind to use.
# Leave this unchanged if you want bind to automatically detect the number
#CPU="1"
# If you wish to run bind in a chroot:
# 1) un-comment the CHROOT= assignment, below. You may use
# a different chroot directory but MAKE SURE it's empty.
# 2) run: emerge --config =<bind-version>
#
#CHROOT="/chroot/dns"
# Uncomment to enable binmount of /usr/share/GeoIP
#CHROOT_GEOIP="1"
# Uncomment the line below to avoid that the init script mounts the needed paths
# into the chroot directory.
# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
#CHROOT_NOMOUNT="1"
# Uncomment this option if you have setup your own chroot environment and you
# don't want/need the chroot consistency check
#CHROOT_NOCHECK=1
# Default pid file location
PIDFILE="${CHROOT}/run/named/named.pid"
# Scheduling priority: 19 is the lowest and -20 is the highest.
# Default: 0
#NAMED_NICELEVEL="0"
# Uncomment rc_named_use/rc_named_after for the database you need.
# It's necessary to ensure the database backend will be started before named.
# MySQL
#rc_named_use="mysql"
#rc_named_after="mysql"
# PostgreSQL
#rc_named_use="pg_autovacuum postgresql"
#rc_named_after="pg_autovacuum postgresql"
# LDAP
#rc_named_use="ldap"
#rc_named_after="ldap"
/etc/bind/named.conf
Code:
acl "xfer" {
none;
};
acl "trusted" {
127.0.0.0/8;
192.168.1.0/24;
192.168.2.0/24;
192.168.3.0/24;
::1/128;
};
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "<pw>";
};
options {
directory "/var/bind";
pid-file "/run/named/named.pid";
//bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 { ::1; };
listen-on { 127.0.0.1/8; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24;};
allow-query {
trusted;
};
allow-query-cache {
trusted;
};
allow-recursion {
trusted;
};
allow-transfer {
none;
};
allow-update {
none;
};
forward first;
forwarders {
127.0.0.1; // DNS Local
192.168.178.1; // FritzBox
80.69.96.12; // UM DNS
81.210.129.4; // UM DNS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
};
dnssec-enable yes;
//dnssec-validation yes;
dnssec-validation auto;
//query-source address * port 53;
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { DHCP_UPDATER; };
};
zone "." in {
type hint;
file "/var/bind/named.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "intern.rock.lan" IN {
type master;
file "pri/intern.rock.lan";
allow-update {
key DHCP_UPDATER;
};
};
zone "extern.rock.lan" IN {
type master;
file "pri/extern.rock.lan";
allow-update {
key DHCP_UPDATER;
};
};
zone "vpn.rock.lan" IN {
type master;
file "pri/vpn.rock.lan";
allow-update {
key DHCP_UPDATER;
};
};
zone "1.168.192.in-addr.arpa" {
type master;
file "pri/1.168.192.zone";
allow-update {
key DHCP_UPDATER;
};
};
zone "2.168.192.in-addr.arpa" {
type master;
file "pri/2.168.192.zone";
allow-update {
key DHCP_UPDATER;
};
};
zone "3.168.192.in-addr.arpa" {
type master;
file "pri/3.168.192.zone";
allow-update {
key DHCP_UPDATER;
};
};
/etc/bind/pri/localhost.zone
Code:
$TTL 1W
@ IN SOA localhost. root.localhost. (
2008122601 ; Serial
28800 ; Refresh
14400 ; Retry
604800 ; Expire - 1 week
86400 ) ; Minimum
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
/etc/bind/pri/intern.rock.lan
Code:
$TTL 86400
@ IN SOA ns.intern.rock.lan. root.intern.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.intern.rock.lan.
IN A 192.168.1.1
ns IN A 192.168.1.1
intern.rock.lan. IN A 192.168.1.1
/etc/bind/pri/1.168.192.zone
Code:
$TTL 86400
@ IN SOA ns.intern.rock.lan. root.intern.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.intern.rock.lan.
1 IN PTR ns.intern.rock.lan.
/etc/bind/pri/extern.rock.lan
Code:
$TTL 86400
@ IN SOA ns.extern.rock.lan. root.extern.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.extern.rock.lan.
IN A 192.168.2.1
ns IN A 192.168.2.1
extern.rock.lan. IN A 192.168.2.1
/etc/bind/pri/2.168.192.zone
Code:
$TTL 86400
@ IN SOA ns.extern.rock.lan. root.extern.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.extern.rock.lan.
1 IN PTR ns.extern.rock.lan.
/etc/bind/pri/vpn.rock.lan
Code:
$TTL 86400
@ IN SOA ns.vpn.rock.lan. root.vpn.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.vpn.rock.lan.
IN A 192.168.3.1
ns IN A 192.168.3.1
vpn.rock.lan. IN A 192.168.3.1
/etc/bind/pri/3.168.192.zone
Code:
$TTL 86400
@ IN SOA ns.vpn.rock.lan. root.vpn.rock.lan. (
20180206 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Default TTL
)
IN NS ns.vpn.rock.lan.
1 IN PTR ns.vpn.rock.lan.
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Thu Feb 15, 2018 8:00 am
Hi,
everything looks good so far. Can you check the permissions of the files in /etc/bind/pri/? When a DDNS update is running, the bind service tries to create a .jnl file there for the corresponding zone files.
Is your DHCP server configured for the DDNS updates as well? Do you have your DHCP server settings set like in this Debian howto: https://wiki.debian.org/DDNS#DHCP_Server_Configuration
greets, bb
Rocky007 n00b
Joined: 22 Dec 2014 Posts: 66
Posted: Thu Feb 15, 2018 8:36 am
ls -lah /etc/bind/pri
Code:
drwxr-x--- 2 root named 4,0K 14. Feb 08:46 .
drwxrwx--- 5 root named 4,0K 15. Feb 08:38 ..
-rw-r--r-- 1 root root 0 14. Feb 08:46 .keep_net-dns_bind-0
-rw-r--r-- 1 root named 269 8. Feb 09:03 1.168.192.zone
-rw-r--r-- 1 root named 293 8. Feb 09:03 2.168.192.zone
-rw-r--r-- 1 root root 281 9. Feb 08:23 3.168.192.zone
-rw-r--r-- 1 root root 292 8. Feb 00:21 extern.rock.lan
-rw-r--r-- 1 root named 297 8. Feb 00:20 intern.rock.lan
-rw-r----- 1 root named 426 14. Feb 08:46 localhost.zone
-rw-r--r-- 1 root root 281 9. Feb 08:22 vpn.rock.lan
/etc/dhcpd/dhcpd.conf
Code:
default-lease-time 600;
max-lease-time 7200;
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
deny-client-update;
authoritative;
log-facility local7;
key "DHCP_UPDATER" {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "<pw>";
};
zone intern.rock.lan. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone extern.rock.lan. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone 2.168.192.in-addr.arpa {
primary 127.0.0.1;
key DHCP_UPDATER;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
option domain-name "intern.rock.lan";
option domain-name-servers ns.intern.rock.lan;
option domain-search "intern.rock.lan";
ddns-domainname "intern.rock.lan";
ddns-rev-domainname "1.168.192.in-addr.arpa.";
deny unknown-clients;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.2 192.168.2.254;
option routers 192.168.2.1;
option broadcast-address 192.168.2.255;
option domain-name "extern.rock.lan";
option domain-name-servers ns.extern.rock.lan;
option domain-search "extern.rock.lan";
ddns-domainname "extern.rock.lan";
ddns-rev-domainname "2.168.192.in-addr.arpa.";
allow unknown-clients;
}
host JUPITER {
hardware ethernet 5c:e0:c5:ef:29:ff;
fixed-address 192.168.1.3;
ddns-hostname "JUPITER";
}
host VENUS {
hardware ethernet c8:9c:dc:d1:b9:ba;
fixed-address 192.168.1.4;
ddns-hostname "VENUS";
}
host SGS7 {
hardware ethernet 8c:f5:a3:7a:19:9c;
fixed-address 192.168.1.5;
ddns-hostname "SGS7";
}
host Switch {
hardware ethernet 8c:3b:ad:1a:f8:81;
fixed-address 192.168.2.254;
ddns-hostname "Switch";
}
<pw> is the same in both files
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Feb 16, 2018 5:52 am
Can you do manual updates via "nsupdate"? I'm not quite sure about the permissions of your files. Maybe they need a review.
greets, bb
Rocky007 n00b
Joined: 22 Dec 2014 Posts: 66
Posted: Fri Feb 16, 2018 7:26 am
No, I can't...
Code:
echo "server 127.0.0.1
update add test.extern.rock.lan 3600 IN A 192.168.2.100
send
update add 2.168.192.in-addr.arpa 3600 IN PTR test.extern.rock.lan
send
quit
" | nsupdate -k /etc/bind/rndc.key
Code:
update failed: SERVFAIL
update failed: SERVFAIL
Code:
16-Feb-2018 08:25:49.475 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 08:25:49.475 general: error: pri/extern.rock.lan.jnl: create: permission denied
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': error: journal open failed: unexpected error
16-Feb-2018 08:25:49.476 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.
16-Feb-2018 08:25:49.476 general: error: pri/2.168.192.zone.jnl: create: permission denied
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': error: journal open failed: unexpected error
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Feb 16, 2018 8:19 am
Please change the permissions on /var/bind and all subdirs/files to user and group named. Afterwards try again with nsupdate.
greets, bb
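The permission problem in this thread can be checked before touching anything: named needs write access to the zone directory to create `<zone>.jnl` and write access to each zone file to commit the journal back into it. The script below is an added example, not code from the thread or from the BIND project; it assumes GNU stat(1) and that named runs as user and group `named` (the Gentoo default). Run against the `ls -lah /etc/bind/pri` listing posted above (directory `drwxr-x--- root named`, several zone files owned by `root root`) it would flag both the directory and the zone files.

```shell
#!/bin/sh
# Added example, not code from the thread: report why named could not create
# its zone journals. It checks whether the account named runs as (user and
# group "named" on Gentoo) may create <zone>.jnl in a zone directory and may
# rewrite each zone file when the journal is committed. Only mode bits and
# owner/group names are inspected, so it runs as any user without chown.
# Assumes GNU stat(1) with -c and a POSIX shell.

# writable_by PATH USER GROUP: 0 if USER (a member of GROUP) may write PATH,
# 1 if not, 2 if PATH cannot be stat'ed. Owner bits take precedence over
# group bits, and group bits over other bits, as in the kernel.
writable_by() {
    info=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 2
    owner=${info%% *}; rest=${info#* }; grp=${rest%% *}; mode=${rest#* }
    mode=000$mode; mode=${mode#"${mode%???}"}   # last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$2" ]; then bits=$u
    elif [ "$grp" = "$3" ]; then bits=$g
    else bits=$o
    fi
    [ $((bits & 2)) -ne 0 ]
}

# ddns_zone_check DIR USER GROUP: prints one line per problem and returns 1
# if any was found, 0 if named could journal and rewrite every zone in DIR.
ddns_zone_check() {
    dir=$1; user=$2; group=$3; bad=0
    if ! writable_by "$dir" "$user" "$group"; then
        echo "$dir: not writable by $user/$group, so <zone>.jnl cannot be created"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                 # skip subdirectories
        case $f in *.jnl) continue ;; esac      # journals are covered by DIR
        if ! writable_by "$f" "$user" "$group"; then
            echo "$f: not writable by $user/$group, so the journal cannot be committed to it"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh ddns_perm_check.sh /var/bind/pri [user] [group]
[ "$#" -eq 0 ] || ddns_zone_check "$1" "${2:-named}" "${3:-named}"
```

Symlinked zone directories such as /etc/bind/pri -> /var/bind/pri are followed, so pass either path.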
Rocky007 n00b
Joined: 22 Dec 2014 Posts: 66
Posted: Fri Feb 16, 2018 8:33 am
Now it seems to work
Code:
16-Feb-2018 09:28:46.212 update-security: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.212 update: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 09:28:46.232 update-security: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.232 update: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.
But in the zone files I can't see the entries for this, or is it inserted and removed automatically?
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1799 Location: Oranienburg/Germany
Posted: Fri Feb 16, 2018 8:43 am
This can take a while, that's why the ".jnl" files are created. All entries are written to these journal files first and a bit later via a commit to the actual zone file.
greets, bb