
After upgrading a CentOS 7 server to AlmaLinux 9, and BIND along with it, I receive a new error message without changing (bind/named) configuration files:

systemctl status named
× named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2024-07-29 17:21:47 UTC; 19min ago
    Process: 948 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
    Process: 949 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
        CPU: 33ms

Jul 29 17:21:47 ns42.example.org named[950]: directory '/var/named' is not writable
Jul 29 17:21:47 ns42.example.org named[950]: /etc/named.conf:22: parsing failed: permission denied
Jul 29 17:21:47 ns42.example.org loading configuration: permission denied
Jul 29 17:21:47 ns42.example.org exiting (due to fatal error)

Why would (this newer version of) named need to write its zone files?

This is a non-recursive secondary/backup name server and this instance of BIND/named is not to change zones.

So I suppose the question could be: How can I tell BIND not to try to write into its zone directory and not to complain about not being able to?

Bind version is bind-9.16.23-18.el9_4.1.x86_64

EDIT: Out of curiosity I temporarily made the folder writable by the named group and started the service. This is what it wrote:

-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/localhost_resolver.mkeys.jnl
-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/external.mkeys.jnl
-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/internal.mkeys.jnl
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/internal.mkeys
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/external.mkeys
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/localhost_resolver.mkeys

So, these are some type of journal files. How can I disable writing these journal entries, as the zones are read-only anyway?

  • I've always configured Bind with a writable working directory. Bind reference (bind9.readthedocs.io/en/latest/reference.html) says "<...>For this reason, among others, the working directory should be always be writable by named. <...>" so I guess it's by design, regardless of operation mode. Commented Jul 30, 2024 at 9:33
  • @Edward Thanks. Perhaps these temporary files could be written elsewhere? In my setup they are not needed and security hardening principles say a daemon cannot be allowed change its own configuration. Commented Jul 30, 2024 at 9:49
  • If you are running SELinux in enforcing mode, bind can't change its own config even when it's writable, because the named_t domain isn't allowed write on named_conf_t file contexts: sesearch --allow -s named_t -t named_conf_t -c file shows read-only access. But then you need to be sure that your config files have the named_conf_t context. By default, that should be true. Commented Jul 30, 2024 at 13:22
  • Good point. SELinux is set to enforcing but could named by accident/hack write zone files (db)? Those are not strictly config files but I want to make sure these are not changed or deleted. Commented Jul 30, 2024 at 17:18
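The files listed in the question are BIND's per-view managed-keys (trust-anchor) state, which named keeps in its working directory by default. The fragment below is an added example, not configuration from the question or from the BIND project, showing how to keep that writable state in one dedicated directory while leaving hand-maintained zone files read-only; the view name matches the question, the zone names, addresses and the /var/named/dynamic and /etc/named/zones paths are assumptions.

```conf
options {
    // Working directory: named checks at startup that it is writable
    // (the "directory '/var/named' is not writable" error above) and,
    // by default, writes <view>.mkeys and <view>.mkeys.jnl here.
    directory "/var/named";

    // Assumption: a separate writable directory for the managed-keys
    // state, so the zone directory itself can stay read-only.
    managed-keys-directory "/var/named/dynamic";

    recursion no;
    allow-recursion { none; };

    // Managed-keys files are kept only for views that hold trust
    // anchors; "auto" installs the root anchor for validation, which
    // only matters when the server resolves recursively. Keep "auto"
    // if any client is served recursively; "no" otherwise.
    dnssec-validation no;
};

// "internal" is one of the views whose .mkeys files appear above.
view "internal" {
    match-clients { 10.0.0.0/8; };            // placeholder network

    // Hand-maintained (primary) data: named only reads this file, so it
    // can be root-owned and read-only for the named user.
    zone "example.org" {
        type primary;
        file "/etc/named/zones/example.org.db"; // placeholder path
        allow-update { none; };
    };

    // A transferred (secondary) zone is written by named after each
    // AXFR/IXFR (plus a .jnl for IXFR), so its file must live in a
    // directory named can write to.
    zone "example.net" {
        type secondary;
        primaries { 192.0.2.1; };               // placeholder primary
        file "/var/named/dynamic/example.net.db";
    };
};
```

With SELinux enforcing, the directories named writes to also need a writable label (named_cache_t on RHEL-family layouts, which is what the packaged /var/named/dynamic and /var/named/slaves carry), while the read-only zone files keep named_zone_t.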
