On 1. jan. 2012, at 23.40, Stuart Henderson wrote:

> On 2012-01-01, Pete Vickers <p...@systemnet.no> wrote:
>> snippet from /etc/named-gn.conf :
>> controls {
>> inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {"rndc-key";};
>> };
>>
>> then it also fails and complains thus:
>>
>> Jan 1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
>> Jan 1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command
>> channel 10.20.30.2#954: permission denied
>> Jan 1 09:01:49 ns0 named[8504]: running
>>
>> So I guess that named's (unprivileged?) child does not honour (inherit?) the
>> parent's rdomain, and thus cannot bind to either rdomain '0' or '1',
>> successfully?
>
> The child process only allows binding to ports 53/953/921, see
> usr.sbin/bind/lib/isc/unix/privsep.c line 190.
>
> I'm pretty sure the child will be inheriting the rdomain from the process
> which forked it.
>
ahh. Indeed. Once I used an approved port, it appears happy even in the non-default table:

root@ns0 ~ # route -T 1 exec rndc -s 10.20.30.2 status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

thanks for the clue.

/Pete
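A preflight check for the failure discussed in this thread, added here as an example (not code from the thread, from BIND or from OpenBSD's privsep.c): it pulls the `inet ... port N` statements out of the `controls` blocks of a named.conf and flags any control-channel port outside the 53/953/921 set that the thread says the privileged-separated child will bind. The allowlist is taken from the thread as-is, and the sample config is constructed.

```python
import re

# Ports the OpenBSD named privsep child may bind, per the thread's reading of
# usr.sbin/bind/lib/isc/unix/privsep.c. Assumed unchanged here.
PRIVSEP_ALLOWED_PORTS = {53, 953, 921}

# 'inet <addr> [port <n>] allow ...' inside a controls block.
INET_RE = re.compile(r"\binet\s+(?P<addr>\S+)(?:\s+port\s+(?P<port>\d+))?\s+allow\b")


def controls_blocks(conf_text):
    """Yield the body of each 'controls { ... }' block, matching braces by
    depth so the nested braces of allow{} and keys{} do not end it early.
    (Does not skip comments or quoted strings that contain braces.)"""
    for m in re.finditer(r"\bcontrols\s*\{", conf_text):
        depth, i = 1, m.end()
        while i < len(conf_text) and depth:
            depth += (conf_text[i] == "{") - (conf_text[i] == "}")
            i += 1
        yield conf_text[m.end():i - 1]


def control_channels(conf_text):
    """Return (addr, port) for every inet control channel; BIND defaults the
    control port to 953 when 'port' is omitted."""
    out = []
    for body in controls_blocks(conf_text):
        for m in INET_RE.finditer(body):
            port = int(m.group("port")) if m.group("port") else 953
            out.append((m.group("addr"), port))
    return out


def disallowed_channels(conf_text, allowed=PRIVSEP_ALLOWED_PORTS):
    """Channels whose port the privsep child would refuse to bind."""
    return [(a, p) for a, p in control_channels(conf_text) if p not in allowed]


# Constructed sample: the thread's failing channel plus a default-port one.
SAMPLE_CONF = """
options { directory "/var/named"; };
controls {
    inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {"rndc-key";};
    inet 127.0.0.1 allow {127.0.0.1;} keys {"rndc-key";};
};
"""

if __name__ == "__main__":
    for addr, port in disallowed_channels(SAMPLE_CONF):
        print("control channel %s#%d: port not in privsep allowlist" % (addr, port))
```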