bind configuration/setup question

2013-08-28 Thread mm half
Hello,

Setup bind-9.9.2-P2 on a solaris 10 system using zones (an oracle 
implementation of OS virtualization), with a dns data/configuration zone and a 
dns zone.   The dns data zone is on a private network and has the dns data 
tables for bind (directory where data files stored in named.conf options area), 
the bind installation, and bind configuration file, named.conf.  The dns zone 
is on the internet routable public network, and has the dns data, bind 
installation, and bind configuration file available to it in a read only file 
system.  Figured that since we have successfully run earlier versions of bind 
on dns servers with the data directory and data files as read only to the 
userid bind runs as, this would also work, and provide the added benefit of 
preventing the OS of the zone running bind on the public network from being 
able to modify the data area at all.

The dns server using this configuration seems to be running fine, but each time 
bind re-reads the named.conf file these messages appear in named.log:

28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
28-Aug-2013 12:12:37.572 general: notice: all zones loaded
28-Aug-2013 12:12:37.573 general: notice: running
28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system
28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system



Is this error something to be worried about, or is it more of an info message?  
Also, is much even gained security wise by disallowing the OS to write to the 
dns data area?  This particular error can be fixed by separating the dns 
data directory from the bind configuration and bind installation, and putting 
it on a writable file system for the public dns zone, but if the above error is 
only a warning, thinking of keeping the data as read only also.  Any suggestions 
are appreciated.

Thanks


*The content of this message is my personal opinion only, and should not be 
construed as anything that has been through rigorous scrutiny of the 
professional groups who devote their life and work to the topics being 
discussed

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind configuration/setup question

2013-08-29 Thread mm half
Alan,

None of the files you listed (bind.keys, managed-keys.bind and 
managed-keys.bind.jnl) are in the bind installation directory, or the chroot 
that named is run in.  I did add the following line in the named.conf file:

managed-keys-directory "/var/log";

where /var/log is a writable directory for the userid named is run as.  Re-hit 
the process with a kill -1 name.pid and the same errors are in the log file.

Also touched blank managed-keys.bind and managed-keys.bind.jnl files in 
/var/log then re-hit the process with the same results.


When I change the database directory to an OS writable directory in named.conf 
with this line in the options block:

directory       "/var/log/namedb";          // Directory where data files are stored

the errors do not show up in the logs, but the database files are now writable 
to the OS.  Note user permissions are set so the database files in 
/var/log/namedb and the /var/log/namedb directory are read only for the userid 
named is run as.


Did I use the correct syntax for the managed-keys-directory options line, or is 
the problem that there is no bind.keys file with the managed-keys statements?





From: Alan Clegg
To: mm half
Cc: "bind-users@lists.isc.org"
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question


On Aug 28, 2013, at 1:29 PM, Alan Clegg  wrote:
> 
> I believe that what you are seeing is the result of BIND 9.9 doing more 
> things "automatically", including bringing in a set of DNSSEC trust anchors 
> (root and DLV) and not being able to create the file.
> 
> You should be able to use the option "bindkeys-file" to set a location that 
> is writable for this file.

And as soon as I sent this I realized that I'd goofed.  bind.keys is created on 
install (it is part of the problem, however).

This file contains "managed-keys" statements that I refer to below (and it was 
supposed to be "keystore" not "keystone" -- spellcheck will be the death of the 
computer industry).

> It's also going to happen if you use managed-keys, as there is a "keystone" 
> created that needs to be updated.  See the "managed-keys-directory" option.

This is where the problem lies.  The fact that you have managed-keys requires 
BIND to create a journal of updates made to the trust-anchor material.  Set 
"managed-keys-directory" to a writable directory and copy the managed-keys.bind 
and managed-keys.bind.jnl files there.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
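A check matching the fix Alan describes, added here as an example and not part of the thread: it reads a named.conf to find where named will write managed-keys.bind and its journal (assuming that, when no managed-keys-directory option is set, named falls back to the options "directory"), then probes whether that directory is really writable rather than trusting file permission bits.

```shell
#!/bin/sh
# Added example (not from the thread): locate the directory named uses for
# managed-keys.bind / managed-keys.bind.jnl and probe whether it is writable.
# Assumption: with no managed-keys-directory option, named uses "directory".

# Print the value of a single-string option from a named.conf file,
# ignoring // comments and surrounding quotes. Empty output if unset.
named_option() {           # $1 = named.conf path, $2 = option name
    sed -e 's|//.*$||' "$1" |
    awk -v opt="$2" '$1 == opt { gsub(/[";]/, "", $2); print $2; exit }'
}

# Resolve the directory where managed-keys.bind* will be written.
managed_keys_dir() {       # $1 = named.conf path
    dir=$(named_option "$1" managed-keys-directory)
    [ -n "$dir" ] || dir=$(named_option "$1" directory)
    printf '%s\n' "$dir"
}

# Real write probe: permission bits (test -w) can say "writable" for a
# directory that sits on a read-only mount, so actually create a file.
dir_writable() {           # $1 = directory; returns 0 if a file can be created
    probe="$1/.named-write-probe.$$"
    ( : > "$probe" ) 2>/dev/null && rm -f "$probe"
}

# Verdict for the named.conf given as $1; returns 0 when the directory that
# will receive the managed-keys journal is writable, 1 otherwise.
check_managed_keys() {
    d=$(managed_keys_dir "$1")
    if dir_writable "$d"; then
        printf 'managed keys dir %s is writable\n' "$d"
        return 0
    fi
    printf 'managed keys dir %s is NOT writable: expect EROFS/EACCES on reload\n' "$d"
    return 1
}
```

Run as `check_managed_keys /path/to/named.conf` under the userid named runs as, so the probe sees the same permissions and mount flags named does.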

verifying bind-9.10.0 download

2014-05-02 Thread mm half
Hello,

I have downloaded bind-9.10.0.tar.gz from the ISC download site, imported in 
the pgpkey2013.txt located at 
https://www.isc.org/downloads/software-support-policy/openpgp-key/ , and can't 
seem to get any of the signature files to pass the verify test using gpg:

gpg --import pgpkey2013.txt 
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key 189CDBC5: public key "Internet Systems Consortium, Inc. (Signing key, 2013) " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg --verify bind-9.10.0.tar.gz.asc bind-9.10.0.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Apr 29 16:12:28 2014 EDT using RSA key ID 189CDBC5
gpg: BAD signature from "Internet Systems Consortium, Inc. (Signing key, 2013) "

gpg --verify bind-9.10.0.tar.gz.sha512.asc bind-9.10.0.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Apr 29 16:12:25 2014 EDT using RSA key ID 189CDBC5
gpg: BAD signature from "Internet Systems Consortium, Inc. (Signing key, 2013) "

gpg --verify bind-9.10.0.tar.gz.sha256.asc bind-9.10.0.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Apr 29 16:12:26 2014 EDT using RSA key ID 189CDBC5
gpg: BAD signature from "Internet Systems Consortium, Inc. (Signing key, 2013) "


I am sure it's a user error mistake, but wanted to verify other bind users are 
able to verify the downloaded files correctly, before digging any deeper into 
the problem.  If anyone has been able to verify the latest stable release using 
the posted keys, please let me know.

Thanks,



Re: verifying bind-9.10.0 download

2014-05-05 Thread mm half


Thanks Evan.  Corrupted downloads.  Had to change the default gateway to get a 
valid source download. 

On Friday, May 2, 2014 9:07 PM, Evan Hunt wrote:
On Fri, May 02, 2014 at 05:50:45PM -0700, mm half wrote:
> I have downloaded bind-9.10.0.tar.gz from the ISC download site, imported in 
> the pgpkey2013.txt located at:   
> https://www.isc.org/downloads/software-support-policy/openpgp-key/ , and 
> can't seem to get any of the signature files to pass the verify test using 
> gpg :
> 
> 
> gpg --verify bind-9.10.0.tar.gz.asc bind-9.10.0.tar.gz
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: Signature made Tue Apr 29 16:12:28 2014 EDT using RSA key ID 189CDBC5
> gpg: BAD signature from "Internet Systems Consortium, Inc. (Signing key, 
> 2013) "

Works fine for me.  Check the fingerprint on the tarball, it should be:

SHA256(bind-9.10.0.tar.gz)= acc2f5cc58c121f927e02c23e7e3e2e4876139eaac4a9df71800d4a38917c887

-- 
Evan Hunt -- e...@isc.org

Internet Systems Consortium, Inc.
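The order of checks Evan suggests, written out as an added example that is not part of the thread: compare the tarball's SHA-256 against the published value first, and only run gpg once the bytes are known to be intact, so a corrupted transfer is told apart from a genuinely bad signature or a wrong key. The expected digest is the one posted above for bind-9.10.0.tar.gz; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): hash check before signature check.
# A hash mismatch means re-download; a hash match with a BAD signature means
# the key or the .asc file is the problem, not the transfer.

# Published digest quoted in the thread for bind-9.10.0.tar.gz.
BIND_9_10_0_SHA256=acc2f5cc58c121f927e02c23e7e3e2e4876139eaac4a9df71800d4a38917c887

# Print the lowercase SHA-256 of a file with whichever tool the host has
# (GNU coreutils sha256sum, BSD/macOS shasum, or openssl dgst).
sha256_of() {              # $1 = file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Returns 0 if the file's SHA-256 equals the expected hex digest
# (compared case-insensitively, so a pasted uppercase value still works).
check_sha256() {           # $1 = file, $2 = expected hex digest
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Full check: integrity first, then the detached OpenPGP signature.
verify_tarball() {         # $1 = tarball, $2 = expected sha256, $3 = .asc file
    if ! check_sha256 "$1" "$2"; then
        echo "hash mismatch: $1 is corrupted or not the published file" >&2
        return 1
    fi
    gpg --verify "$3" "$1"
}

# Usage:
# verify_tarball bind-9.10.0.tar.gz "$BIND_9_10_0_SHA256" bind-9.10.0.tar.gz.asc
```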