Re: Bind Zone Transfer Problem

On Tue, Jul 04, 2006 at 01:12:28AM -0400, Todd Zullinger wrote:
> Charles Curley wrote:
> >> That's one solution I found for someone having the same problem and
> >> it makes sense, as right now your secondary is trying to write the
> >> localdomain file to /var/named, which it won't have permission to
> >> write to by default.
> > 
> > Well, it *should*. The files there are root:named. But that explains
> > it, doh. The files have permissions of -rw-r-----, so all I needed
> > to do was change that.
> 
> The files have those permissions, but the directory itself isn't
> writable by named.
> 
> > Is this a bug in bind, or rather in the bind RPM package? I'm
> > running this in the chroot jail provided by the bind-chroot package.
> 
> Neither, AFAICT.  It's by design.  Slaves are meant to go in the
> slaves subdir, which is writable by named.  This is for security.  It
> limits the amount of damage someone can do with a bind exploit by
> limiting the permissions the named user/group has.  (Not that bind has
> ever had remote exploits. ;)

Good enough.


> 
> I think you'll want to fiddle with the settings for notify and/or
> also-notify[1]:

> 
> It seems to me that if you set notify to no in the zone config for
> localdomain on the slave, that would prevent it from trying to notify
> itself.  But I'm going on reading the manual, not on having done this
> within a reasonable period of time in the past.

Yep. In the options stanza, I added "notify no;" and the error message
went away.

> 
> >> Relying on government to protect your privacy is like asking a peeping
> >> tom to install your window blinds.
> >>     -- John Barlow, co-founder of EFF
> > 
> > 
> > Good one. From whom do they think I want to protect my privacy,
> > anyway.
> 
> Yourself?  Isn't that who the government is always protecting you
> from?

Oh, yeah, thanks. I had forgotten how noble and selfless our lords and
masters are.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
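
The check discussed in this message (slave zone files belong in a directory the named group can write, such as slaves/), as an added shell example that is not part of the original thread. The function names, sample zone names and the 192.0.2.1 master address are constructed; GNU stat, relative "file" paths and one named.conf statement per line are assumed.

```shell
# Added example, not from the thread. Assumes GNU stat, relative "file" paths
# and one named.conf statement per line.
# Print the file path of every "type slave" zone in a named.conf-style file.
slave_zone_files() {
    awk '/^[ \t]*zone[ \t]/ { z = 1; slave = 0; path = "" }
         z && /type[ \t]+slave[ \t]*;/ { slave = 1 }
         z && match($0, /file[ \t]+"[^"]+"/) {
             path = substr($0, RSTART + 4, RLENGTH - 4); gsub(/^[ \t]*"|"$/, "", path) }
         z && /^[ \t]*[}];/ { if (slave && path != "") print path; z = 0 }' "$1"
}

# check_slave_dirs CONF BASE GROUP. BASE is named's working directory
# (/var/named, or that path inside the chroot). Prints one line per slave zone.
check_slave_dirs() {
    conf=$1; base=$2; group=$3; rc=0
    for f in $(slave_zone_files "$conf"); do
        info=$(stat -c '%G %a' "$base/$(dirname "$f")" 2>/dev/null) || info="? 0"
        owner=${info% *}; mode=${info#* }
        gbit=${mode%?}; gbit=${gbit#"${gbit%?}"}    # group digit of octal mode
        case "$owner:$gbit" in
            "$group":[2367]) echo "ok $f" ;;
            *) echo "FAIL $f (directory is $owner $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the thread: top directory not group-writable,
# slaves/ group-writable. Zone names and 192.0.2.1 are made up.
demo() {
    t=$(mktemp -d); mkdir "$t/slaves"; chmod 750 "$t"; chmod 770 "$t/slaves"
    cat > "$t/named.conf" <<'EOF'
zone "localdomain" IN {
    type slave;
    masters { 192.0.2.1; };
    file "localdomain.zone";
};
zone "example.test" IN {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.test.zone";
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
};
EOF
    check_slave_dirs "$t/named.conf" "$t" "$(stat -c %G "$t")" && rc=0 || rc=1; rm -rf "$t"; return $rc
}
```

Call `demo` to run it on the constructed tree, or `check_slave_dirs /etc/named.conf /var/named named` against a real layout; it inspects mode bits and group ownership only, so it does not account for ACLs or SELinux policy.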


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list