Gentoo Forums
[solved] Bind permission denied on DDNS Update via DHCP
Rocky007
n00b
Joined: 22 Dec 2014
Posts: 66

Posted: Wed Feb 14, 2018 10:31 am    Post subject: [solved] Bind permission denied on DDNS Update via DHCP

Hello,

when a client gets an IP via DHCP I want to update the DNS zone as well.

I've set up bind with the zones etc. (no chroot environment) but it says "Permission Denied"...

Code:

13-Feb-2018 17:45:02.135 update-security: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: signer "dhcp_updater" approved
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' A 192.168.1.5
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' TXT "31736cad8d609e589a58b3efa14718a76c"
13-Feb-2018 17:45:02.135 general: error: pri/intern.rock.lan.jnl: create: permission denied
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': error: journal open failed: unexpected error
13-Feb-2018 17:45:03.675 resolver: info: bad cookie from 192.168.178.1#53


Code:

ls -lah /etc/ | grep bind

drwxr-xr-x  2 named    root     4,0K 14. Feb 08:48 bind


Code:

ls -lah /etc/bind

drwxr-xr-x  2 named root  4,0K 14. Feb 08:48 .
drwxr-xr-x 82 root  root  4,0K 14. Feb 08:46 ..
-rw-r-----  1 root  named 3,9K 14. Feb 08:46 bind.keys
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 dyn -> /var/bind/dyn
-rw-r-----  1 root  named 2,2K  9. Feb 08:23 named.conf
-rw-r-----  1 root  named 1,6K  6. Feb 21:11 named.conf.save
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 pri -> /var/bind/pri
-rw-r-----  1 root  named   77  8. Aug 2017  rndc.key
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 sec -> /var/bind/sec


Code:

ls -lah /etc/bind/pri

lrwxrwxrwx 1 root root 13 14. Feb 08:46 /etc/bind/pri -> /var/bind/pri


Code:

ls -lah /var/ | grep bind

drwxrwx---  5 root   named  4,0K 14. Feb 08:46 bind


Code:

ls -lah /var/bind

drwxrwx---  5 root  named 4,0K 14. Feb 08:46 .
drwxr-xr-x 13 root  root  4,0K 11. Dez 20:37 ..
drwxrwx---  2 root  named 4,0K 14. Feb 08:46 dyn
-rw-r--r--  1 named named 1,4K 14. Feb 08:26 managed-keys.bind
-rw-r--r--  1 named named  512 14. Feb 08:26 managed-keys.bind.jnl
-rw-r-----  1 root  named 3,3K 14. Feb 08:46 named.cache
drwxr-x---  2 root  named 4,0K 14. Feb 08:46 pri
lrwxrwxrwx  1 root  root    11 14. Feb 08:46 root.cache -> named.cache
drwxrwx---  2 root  named 4,0K 14. Feb 08:46 sec


Last edited by Rocky007 on Fri Feb 16, 2018 9:02 am; edited 2 times in total
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1775
Location: Oranienburg/Germany

Posted: Wed Feb 14, 2018 12:28 pm

Hi,

you have issues creating a journal file. Can you post your config files please? Maybe there is the issue.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 8GB, 620GB
3rd: i5-4570, 16GB, 10TB
4th: Asus N61VN, 8GB, 120GB
5th: Cubietruck, 2GB, 160GB + NFS
6th: C2D T7200, 2GB, 16GB USB + NFS
7th: RPi3 1GB, 64GB USB
Rocky007
n00b
Joined: 22 Dec 2014
Posts: 66

Posted: Wed Feb 14, 2018 12:48 pm

/etc/hosts
Code:

# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# The format of lines in this file is:
#
# IP_ADDRESS    canonical_hostname      [aliases...]
#
#The fields can be separated by any number of spaces or tabs.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#

# IPv4 and IPv6 localhost aliases
127.0.0.1       sg1 ns localhost
::1             sg1 ns localhost


/etc/conf.d/named
Code:

# Set various named options here.
#
#OPTIONS=""

# Set this to the number of processors you want bind to use.
# Leave this unchanged if you want bind to automatically detect the number
#CPU="1"

# If you wish to run bind in a chroot:
# 1) un-comment the CHROOT= assignment, below. You may use
#    a different chroot directory but MAKE SURE it's empty.
# 2) run: emerge --config =<bind-version>
#
#CHROOT="/chroot/dns"

# Uncomment to enable binmount of /usr/share/GeoIP
#CHROOT_GEOIP="1"

# Uncomment the line below to avoid that the init script mounts the needed paths
# into the chroot directory.
# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
#CHROOT_NOMOUNT="1"

# Uncomment this option if you have setup your own chroot environment and you
# don't want/need the chroot consistency check
#CHROOT_NOCHECK=1

# Default pid file location
PIDFILE="${CHROOT}/run/named/named.pid"

# Scheduling priority: 19 is the lowest and -20 is the highest.
# Default: 0
#NAMED_NICELEVEL="0"

# Uncomment rc_named_use/rc_named_after for the database you need.
# Its necessary to ensure the database backend will be started before named.

# MySQL
#rc_named_use="mysql"
#rc_named_after="mysql"

# PostgreSQL
#rc_named_use="pg_autovacuum postgresql"
#rc_named_after="pg_autovacuum postgresql"

# LDAP
#rc_named_use="ldap"
#rc_named_after="ldap"


/etc/bind/named.conf
Code:

acl "xfer" {
        none;
};

acl "trusted" {
        127.0.0.0/8;
        192.168.1.0/24;
        192.168.2.0/24;
        192.168.3.0/24;
        ::1/128;
};

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<pw>";
};

options {
        directory "/var/bind";
        pid-file "/run/named/named.pid";

        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1/8; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24;};

        allow-query {
                trusted;
        };

        allow-query-cache {
                trusted;
        };

        allow-recursion {
                trusted;
        };

        allow-transfer {
                none;
        };

        allow-update {
                none;
        };

        forward first;
        forwarders {
                127.0.0.1;              // DNS Local
                192.168.178.1;          // FritzBox
                80.69.96.12;            // UM DNS
                81.210.129.4;           // UM DNS
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };

        dnssec-enable yes;
        //dnssec-validation yes;
        dnssec-validation auto;

        //query-source address * port 53;
};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { DHCP_UPDATER; };
};

zone "." in {
        type hint;
        file "/var/bind/named.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "intern.rock.lan" IN {
        type master;
        file "pri/intern.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "extern.rock.lan" IN {
        type master;
        file "pri/extern.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "vpn.rock.lan" IN {
        type master;
        file "pri/vpn.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "pri/1.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};


zone "2.168.192.in-addr.arpa" {
        type master;
        file "pri/2.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "3.168.192.in-addr.arpa" {
        type master;
        file "pri/3.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};


/etc/bind/pri/localhost.zone
Code:

$TTL 1W
@       IN      SOA     localhost. root.localhost.  (
                                      2008122601 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      604800     ; Expire - 1 week
                                      86400 )    ; Minimum
@               IN      NS      localhost.
@               IN      A       127.0.0.1

@               IN      AAAA    ::1


/etc/bind/pri/intern.rock.lan
Code:

$TTL    86400
@       IN      SOA     ns.intern.rock.lan. root.intern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.intern.rock.lan.
        IN      A       192.168.1.1

ns                      IN      A       192.168.1.1
intern.rock.lan.        IN      A       192.168.1.1


/etc/bind/pri/1.168.192.zone
Code:

$TTL    86400
@       IN      SOA     ns.intern.rock.lan. root.intern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.intern.rock.lan.
1       IN      PTR     ns.intern.rock.lan.


/etc/bind/pri/extern.rock.lan
Code:

$TTL    86400
@       IN      SOA     ns.extern.rock.lan. root.extern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.extern.rock.lan.
        IN      A       192.168.2.1

ns                      IN      A       192.168.2.1
extern.rock.lan.        IN      A       192.168.2.1


/etc/bind/pri/2.168.192.zone
Code:

$TTL    86400
@       IN      SOA     ns.extern.rock.lan. root.extern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.extern.rock.lan.
1       IN      PTR     ns.extern.rock.lan.


/etc/bind/pri/vpn.rock.lan
Code:

$TTL    86400
@       IN      SOA     ns.vpn.rock.lan. root.vpn.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.vpn.rock.lan.
        IN      A       192.168.3.1

ns                      IN      A       192.168.3.1
vpn.rock.lan.           IN      A       192.168.3.1


/etc/bind/pri/3.168.192.zone
Code:

$TTL    86400
@       IN      SOA     ns.vpn.rock.lan. root.vpn.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)

        IN      NS      ns.vpn.rock.lan.
1       IN      PTR     ns.vpn.rock.lan.
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1775
Location: Oranienburg/Germany

Posted: Thu Feb 15, 2018 8:00 am

Hi,

everything looks good so far. Can you check the permissions of the files in /etc/bind/pri/? Since, when a DDNS update is running, the bind service tries to create a .jnl file there for the corresponding zone files.

Is your DHCP server configured for the DDNS updates as well? Do you have your DHCP server settings set like in this Debian howto: https://wiki.debian.org/DDNS#DHCP_Server_Configuration ?

greets, bb
Rocky007
n00b
Joined: 22 Dec 2014
Posts: 66

Posted: Thu Feb 15, 2018 8:36 am

ls -lah /etc/bind/pri
Code:

drwxr-x--- 2 root named 4,0K 14. Feb 08:46 .
drwxrwx--- 5 root named 4,0K 15. Feb 08:38 ..
-rw-r--r-- 1 root root     0 14. Feb 08:46 .keep_net-dns_bind-0
-rw-r--r-- 1 root named  269  8. Feb 09:03 1.168.192.zone
-rw-r--r-- 1 root named  293  8. Feb 09:03 2.168.192.zone
-rw-r--r-- 1 root root   281  9. Feb 08:23 3.168.192.zone
-rw-r--r-- 1 root root   292  8. Feb 00:21 extern.rock.lan
-rw-r--r-- 1 root named  297  8. Feb 00:20 intern.rock.lan
-rw-r----- 1 root named  426 14. Feb 08:46 localhost.zone
-rw-r--r-- 1 root root   281  9. Feb 08:22 vpn.rock.lan


/etc/dhcpd/dhcpd.conf
Code:

default-lease-time 600;
max-lease-time 7200;

ddns-update-style interim;
ddns-updates on;
update-static-leases on;
deny-client-update;

authoritative;

log-facility local7;

key "DHCP_UPDATER" {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret "<pw>";
};

zone intern.rock.lan. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone extern.rock.lan. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 2.168.192.in-addr.arpa {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.2 192.168.1.254;
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option domain-name "intern.rock.lan";
        option domain-name-servers ns.intern.rock.lan;
        option domain-search "intern.rock.lan";
        ddns-domainname "intern.rock.lan";
        ddns-rev-domainname "1.168.192.in-addr.arpa.";
        deny unknown-clients;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.2 192.168.2.254;
        option routers 192.168.2.1;
        option broadcast-address 192.168.2.255;
        option domain-name "extern.rock.lan";
        option domain-name-servers ns.extern.rock.lan;
        option domain-search "extern.rock.lan";
        ddns-domainname "extern.rock.lan";
        ddns-rev-domainname "2.168.192.in-addr.arpa.";
        allow unknown-clients;
}

host JUPITER {
        hardware ethernet 5c:e0:c5:ef:29:ff;
        fixed-address 192.168.1.3;
        ddns-hostname "JUPITER";
}

host VENUS {
        hardware ethernet c8:9c:dc:d1:b9:ba;
        fixed-address 192.168.1.4;
        ddns-hostname "VENUS";
}

host SGS7 {
        hardware ethernet 8c:f5:a3:7a:19:9c;
        fixed-address 192.168.1.5;
        ddns-hostname "SGS7";
}

host Switch {
        hardware ethernet 8c:3b:ad:1a:f8:81;
        fixed-address 192.168.2.254;
        ddns-hostname "Switch";
}


<pw> is the same in both files
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1775
Location: Oranienburg/Germany

Posted: Fri Feb 16, 2018 5:52 am

Can you do manual updates via "nsupdate"? I'm not quite sure about the permissions of your files. Maybe they need a review.

greets, bb
Rocky007
n00b
Joined: 22 Dec 2014
Posts: 66

Posted: Fri Feb 16, 2018 7:26 am

No, I can't...

Code:

echo "server 127.0.0.1
update add test.extern.rock.lan 3600 IN A 192.168.2.100
send
update add 2.168.192.in-addr.arpa 3600 IN PTR test.extern.rock.lan
send
quit
" | nsupdate -k /etc/bind/rndc.key


Code:

update failed: SERVFAIL
update failed: SERVFAIL


Code:

16-Feb-2018 08:25:49.475 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 08:25:49.475 general: error: pri/extern.rock.lan.jnl: create: permission denied
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': error: journal open failed: unexpected error
16-Feb-2018 08:25:49.476 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.
16-Feb-2018 08:25:49.476 general: error: pri/2.168.192.zone.jnl: create: permission denied
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': error: journal open failed: unexpected error
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1775
Location: Oranienburg/Germany

Posted: Fri Feb 16, 2018 8:19 am

Please change the permissions on /var/bind and all subdirs/files to user and group named. Afterwards, try again with nsupdate.

greets, bb
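One way to check this on the server before changing anything, as an added example that is not code from the thread: it pulls the journal paths named could not create out of the log and decides from the directory's owner, group and mode bits whether the service user could create files there. It assumes GNU stat(1) and id(1) and the default service user named; the sample log lines are constructed after those in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): diagnose the "journal open failed"
# DDNS error by (1) pulling the journal paths named could not create out of its
# log and (2) deciding from a directory's owner, group and mode bits whether the
# service user may create files there. Assumes GNU stat(1) and id(1).

# Print, once each, the ".jnl" paths that hit "create: permission denied" in $1.
failed_journals() {
    sed -n 's/.*general: error: \([^ ]*\.jnl\): create: permission denied.*/\1/p' "$1" | sort -u
}

# Succeed if user $2 may create files in directory $1 (needs write AND execute),
# judged the way ls -l shows it, without switching to that user.
dir_writable_by() {
    _info=$(stat -c '%U %G %a' "$1") || return 2
    _user=$2
    set -- $_info                       # owner group mode (octal)
    _perm=$(( 0$3 & 7 ))                # "other" bits unless a better match below
    if [ "$1" = "$_user" ]; then
        _perm=$(( (0$3 >> 6) & 7 ))     # owner bits
    elif id -Gn "$_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; then
        _perm=$(( (0$3 >> 3) & 7 ))     # group bits
    fi
    [ $(( _perm & 3 )) -eq 3 ]          # w (2) and x (1) both set
}

# For every failed journal in log $1, relative to BIND's directory $2, say
# whether service user $3 (default named) could have created it.
report() {
    _log=$1; _base=$2; _svc=${3:-named}
    failed_journals "$_log" | while read -r _jnl; do
        _zonedir=$(dirname "$_base/$_jnl")
        if dir_writable_by "$_zonedir" "$_svc"; then
            echo "$_jnl: $_zonedir is writable by $_svc, look elsewhere"
        else
            echo "$_jnl: $_svc cannot create files in $_zonedir ($(stat -c '%U:%G %a' "$_zonedir"))"
        fi
    done
}

# Constructed sample log, modeled on the lines in the thread, for a stand-alone run.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' A 192.168.1.5
13-Feb-2018 17:45:02.135 general: error: pri/intern.rock.lan.jnl: create: permission denied
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': error: journal open failed: unexpected error
EOF

# Usage: sh check_jnl.sh /var/log/named/named.log /var/bind named
if [ -n "$1" ]; then
    report "$1" "${2:-/var/bind}" "${3:-named}"
else
    echo "failed journals in sample log:"; failed_journals "$SAMPLE_LOG"
fi
```

With the thread's layout (pri owned root:named, mode 750) the report names pri as the directory named cannot write to, which is exactly where the .jnl has to go.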
Rocky007
n00b
Joined: 22 Dec 2014
Posts: 66

Posted: Fri Feb 16, 2018 8:33 am

Now it seems to work :)

Code:

16-Feb-2018 09:28:46.212 update-security: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.212 update: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 09:28:46.232 update-security: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.232 update: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.


But in the zone files I can't see the entries for this, or are they inserted and removed automatically?
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1775
Location: Oranienburg/Germany

Posted: Fri Feb 16, 2018 8:43 am

This can take a while, that's why the ".jnl" files are created. All entries are written to these journal files first and a bit later, via a commit, to the actual zone file.

greets, bb