On 1. jan. 2012, at 23.40, Stuart Henderson wrote:

> On 2012-01-01, Pete Vickers <p...@systemnet.no> wrote:
>> snippet from /etc/named-gn.conf :
>> controls {
>>   inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {"rndc-key";};
>> };
>>
>> then it also fails and complains thus:
>>
>> Jan  1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
>> Jan  1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command channel 10.20.30.2#954: permission denied
>> Jan  1 09:01:49 ns0 named[8504]: running
>>
>> So I guess that named's (unprivileged?) child does not honour (inherit?) the
>> parent's rdomain, and thus cannot bind to either rdomain '0' or '1',
>> successfully?
>
> The child process only allows binding to ports 53/953/921, see
> usr.sbin/bind/lib/isc/unix/privsep.c line 190.
>
> I'm pretty sure the child will be inheriting the rdomain from the process
> which forked it.
>

ahh. Indeed. Once I used an approved port, it appears happy even in the
non-default table:

root@ns0 ~ # route -T 1 exec rndc -s 10.20.30.2 status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running


thanks for the clue.

/Pete
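A small lint check added here (it is not code from the thread or from OpenBSD's bind), illustrating Stuart's point: on OpenBSD the privilege-separated named child will only bind control or listening sockets on ports 53, 953 and 921, so a `controls { inet ... port N ... }` stanza naming any other port fails at startup with the "disallowed port" message Pete saw. The script pulls every inet control channel out of a named.conf-style text and reports the ones whose port is outside that allowlist. The sample configuration is constructed for the example (it mirrors the failing stanza from the thread plus one stanza that relies on the default); the allowlist {53, 953, 921} is taken from the thread's reference to privsep.c, and 953 is BIND's documented default control port when no `port` is given.

```python
import re

# Ports the privilege-separated named child on OpenBSD is allowed to bind,
# per the thread's pointer to usr.sbin/bind/lib/isc/unix/privsep.c.
ALLOWED_PORTS = {53, 953, 921}

# BIND's default port for an "inet" control channel that omits "port".
DEFAULT_CONTROL_PORT = 953

# Constructed sample configuration (not a real file): the first stanza is the
# one that failed in the thread, the second relies on the default port.
SAMPLE_CONF = """
options { directory "/var/named"; };
controls {
  inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {"rndc-key";};
};
controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
"""

# A "controls { ... };" block whose closing "};" starts a line, as in the
# snippet Pete posted. Nested braces inside the block do not start a line,
# so the non-greedy match stops at the right place for that layout.
_CONTROLS_RE = re.compile(r"controls\s*\{(.*?)\n\};", re.S)

# "inet <address> [port <n>]" inside a controls block.
_INET_RE = re.compile(r"inet\s+(\S+)(?:\s+port\s+(\d+))?", re.I)


def control_channels(conf):
    """Return a list of (address, port) for every inet control channel in conf."""
    channels = []
    for block in _CONTROLS_RE.finditer(conf):
        for m in _INET_RE.finditer(block.group(1)):
            addr = m.group(1)
            port = int(m.group(2)) if m.group(2) else DEFAULT_CONTROL_PORT
            channels.append((addr, port))
    return channels


def disallowed_channels(conf, allowed=ALLOWED_PORTS):
    """Return the control channels whose port the privsep child would refuse."""
    return [(addr, port) for addr, port in control_channels(conf)
            if port not in allowed]


def main():
    for addr, port in disallowed_channels(SAMPLE_CONF):
        print("control channel %s#%d: port not in %s, named would log "
              "'disallowed port %d'" % (addr, port, sorted(ALLOWED_PORTS), port))


if __name__ == "__main__":
    main()
```

Run it against a real configuration by reading the file into `disallowed_channels()`; an empty result means every control channel uses a port the child can bind, so the `route -T <rdomain> exec rndc ...` invocation shown above has a listener to talk to.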
