On 08/28/2015 01:58 PM, Rowland Penny wrote:
> On 28/08/15 18:17, Robert Moskowitz wrote:
>> Bind is failing with:
>>
>> include "/var/lib/samba/private/named.conf";
>>
>> which has:
>>
>> # more /var/lib/samba/private/named.conf
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
>> support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba/private/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>> # For BIND 9.8.x
>> # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>>
>> # For BIND 9.9.x
>> database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>>
>> # For BIND 9.10.x
>> # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
>> };
>>
>> And my bind is 9.9.4-18
>>
>> Of course if I comment out this include, forwarding is not working so
>> there is still something wrong with the basic /etc/named.conf
>> (previously I was using my test network DNS for this system, not its
>> own bind).
>>
>>
>>
>
> Does the bind user have the rights to read the included named.conf ?
The files have general read permissions. And when I had
named.conf.update included I got a message that update-policy is not a
supported option:
Aug 28 14:03:17 homebase.home.htt named-checkconf[3761]:
/var/lib/samba/private/named.conf.update:2: unknown option
'update-policy'
I am beginning to suspect /usr/lib/samba/bind9/dlz_bind9_9.so
> Can we possibly see your bind conf files ?
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// NOTE(review): this is still the stock caching-only layout: it binds only
// the loopback addresses and answers only localhost. A DNS server for a
// Samba AD domain has to be reachable by the domain members, so the
// listen-on / allow-query ACLs below must admit the server's own address
// and the AD client network before any zone or forwarding problem can be
// diagnosed from another host.
options {
// Only loopback is bound: no other host on the network can reach this
// resolver at all, whatever the rest of the file says.
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Queries from anything other than the local host are REFUSED here, so
// "forwarding is not working" as seen from another machine is expected
// with this ACL regardless of the forwarders block. If it is widened, pair
// it with an allow-recursion ACL limited to the internal network (see the
// warning below) rather than opening recursion to everyone.
allow-query { localhost; };
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
// NOTE(review): validation is on while answers come through the forwarder
// below. If that upstream strips or does not return DNSSEC records,
// validated lookups will SERVFAIL; check the forwarder with a +dnssec query
// before suspecting the Samba DLZ module — TODO confirm.
dnssec-validation yes;
// "auto" lookaside validation uses the ISC DLV key given by bindkeys-file.
dnssec-lookaside auto;
forwarders {
192.168.192.5;
};
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
// tkey-gssapi-keytab is an options-level statement: when the Samba keytab is
// enabled it belongs here, inside options { }, not at the top level where it
// is currently commented out at the end of this file. The keytab must be
// readable by the user named runs as, or GSS-TSIG dynamic updates fail.
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# NOTE(review): the next line is in the wrong scope — see the comment at the
# end of the options block above; uncommenting it here will be rejected.
# tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# NOTE(review): named.conf from Samba (the dlz block) is a top-level
# statement and can be included here; named.conf.update is not. It holds an
# update-policy statement, which BIND accepts only inside a zone { } block,
# so including it at this level produces exactly the "unknown option
# 'update-policy'" error from named-checkconf. Presumably it is meant for
# Samba's flat-file BIND backend and is not needed with the DLZ module, which
# handles dynamic updates itself — confirm against the Samba BIND9 backend
# documentation before deleting it.
# include "/var/lib/samba/private/named.conf";
# include "/var/lib/samba/private/named.conf.update";
# more /var/lib/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
# NOTE(review): the module named must match the running BIND major/minor
# version and must be loadable by the named process: the .so file itself,
# the directories leading to it, and the Samba private data it opens must
# all be readable by the named user (and permitted by SELinux/AppArmor if
# enforced). A load failure shows up in the named log at startup, which is
# a more direct check than guessing at the module — TODO confirm from the
# journal on this host.
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# The only active line; consistent with the installed 9.9.4 package.
database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
};
# more /var/lib/samba/private/named.conf.update
/* this file is auto-generated - do not edit */
/* NOTE(review): update-policy is a zone-level statement; this file is only
   valid when included inside a zone { } block, never at the top of
   named.conf (that is the source of the "unknown option 'update-policy'"
   error). Each grant limits which Kerberos principal may update which
   record types: ms-self lets a machine account update its own A/AAAA
   records, and the two wildcard grants let the Administrator and the DC's
   own machine account update any name in the zone. */
update-policy {
grant HOME.HTT ms-self * A AAAA;
/* NOTE(review): the "@" in this principal appears to have been rewritten as
   " at " by the mailing-list archiver (compare the next line); the real
   file presumably reads Administrator@HOME.HTT. */
grant Administrator at HOME.HTT wildcard * A AAAA SRV CNAME;
grant HOMEBASE$@home.htt wildcard * A AAAA SRV CNAME;
};
I am trying to find an old name-caching named.conf that I had many years
ago....