Authority and forwarding, but not recursion/iteration

2021-03-05 Thread Marki

Hello,

I am seeking either a combined configuration on one DNS server, or a 
configuration of several different DNS servers together, to achieve the following:
* Some clients should be able to resolve authoritative local zones as 
well as some forwarded zones.
* Other clients should be able to resolve all of that _plus_ be able to 
make recursive queries to the internet (or use a global forwarder).
All hosts use the same DNS servers; this should not be made about the 
clients but rather be configurable on the server.


Now the problems are the following:
* Since I need forwarders I can't turn off recursion.
* Since I can't turn off recursion I can't prevent it from going and trying to 
resolve from the root DNS.


How do I do one (local authority and forwarders) but not the other 
(iterative lookups on the Internet)?


Thanks,

Marki

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
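
One way to get the split Marki describes, as an added example that is not from the thread and not an answer any list member gave: the script below writes a two-view named.conf plus an empty root zone file. The "restricted" view keeps recursion on (a type forward zone cannot work without it) but is made authoritative for an empty "." zone, so any name outside the local and forwarded zones is answered NXDOMAIN from that zone and named never walks the root for those clients. The forwarded zone is declared forward only, relying on BIND's rule that a forward-only zone nested under an authoritative zone takes precedence over it (forward first does not). The "full" view gets ordinary root hints. The ACL prefixes, zone names, forwarder address and file names are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: writes a named.conf sketch for the
# split described in the question, using views. "restricted" clients get
# local authority plus a forwarded zone and are answered from an empty
# authoritative root zone for everything else, so named has no path to
# the root servers for them; "full" clients get normal recursion.
# All names, addresses and file names are placeholder assumptions.
write_split_view_conf() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/named.conf" <<'EOF'
acl restricted { 10.2.0.0/16; };      # local + forwarded zones only
acl full       { 10.1.0.0/16; };      # full recursion

options {
    directory "/var/named";
};

view "restricted" {
    match-clients { restricted; };
    recursion yes;                    # forwarding needs recursion on
    allow-recursion { restricted; };

    zone "internal.example" {         # local authority
        type master;
        file "internal.example.db";
    };

    zone "partner.example" {          # forwarded zone
        type forward;
        forward only;                 # must be 'only': a forward-only zone
        forwarders { 192.0.2.53; };   # takes precedence over the enclosing
    };                                # authoritative "." below; 'first' would not

    zone "." {                        # empty authoritative root: every
        type master;                  # other name is NXDOMAIN here and
        file "db.empty-root";         # root hints are never consulted
    };
};

view "full" {
    match-clients { full; };
    recursion yes;
    allow-recursion { full; };

    zone "." { type hint; file "named.ca"; };
    zone "internal.example" { type master; file "internal.example.db"; };
    zone "partner.example" { type forward; forward only; forwarders { 192.0.2.53; }; };
};
EOF
    cat > "$dir/db.empty-root" <<'EOF'
$TTL 86400
@          IN SOA  localhost. root.localhost. ( 1 3600 900 604800 86400 )
           IN NS   localhost.
localhost. IN A    127.0.0.1
EOF
    # Syntax check when BIND's tools are installed; skipped otherwise.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
    fi
}

# Usage: sh split-view.sh /tmp/bind-split
if [ $# -gt 0 ]; then
    write_split_view_conf "$1"
fi
```

Views are matched in order, so keep a catch-all view (if any) last. Restricted clients receive NXDOMAIN rather than REFUSED for outside names, which is worth knowing when someone debugs from one of those hosts; turning recursion off in that view instead would give REFUSED, but the forwarded zones would stop working for them, which is exactly the trade-off the question runs into.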


Re: Dynamic zone update problems, continued

2021-03-05 Thread Grant Taylor via bind-users

On 3/5/21 1:41 PM, Bruce Johnson wrote:
Turned out to be a dumdum mistake on my part. SELinux was set to 
enforce… set it to permissive and voilà! The .jnl file was created.


Ah.

That sounds like an SELinux policy problem.  SELinux /should/ allow 
named to create journal files.


A non-default location may be a contributing factor.


I coulda sworn I’d fixed that before...


I would not be surprised if a system update accidentally overwrote a 
tweak to a SELinux policy.


If you can't tell, I prefer to leave things enabled at the security 
posture they are at and provide exceptions for things that need to be 
allowed.




--
Grant. . . .
unix || die
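
Grant's point about adding an exception instead of going permissive, as an added example (not code from the thread): a small shell triage for "journal open failed" that separates a DAC problem from an SELinux one. It assumes a RHEL-style targeted policy where named runs as named_t, zone files are labelled named_zone_t (not writable by named unless the named_write_master_zones boolean is on) and writable areas such as /var/named/dynamic and /var/named/data are named_cache_t. The AVC record embedded in it is constructed for the example, not taken from Bruce's host, and the PID, paths and file names are placeholders. A test like su --shell=/bin/sh named only proves DAC access, because that shell runs unconfined while the daemon is confined to named_t.

```shell
#!/bin/sh
# Added example (not code from the thread). Triage for named's
# "journal open failed" on a dynamic zone: tell a plain DAC permission
# problem apart from an SELinux denial, and fix the denial with a label
# or boolean instead of switching to permissive mode.
# Assumptions: RHEL-style targeted policy (named runs as named_t, zone
# files are named_zone_t, writable data such as /var/named/dynamic and
# /var/named/data is named_cache_t). Paths and the audit line are
# placeholders.

# One AVC record of the kind `ausearch -m avc -c named` would show.
# Constructed sample, not taken from the thread's system.
SAMPLE_AVC='type=AVC msg=audit(1614969874.512:2210): avc:  denied  { write } for  pid=45631 comm="named" name="named" dev="dm-0" ino=67149 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0'

# parse_avc LINE -> "ops|comm|tclass|source-type|target-type"
parse_avc() {
    line=$1
    ops=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    printf '%s|%s|%s|%s|%s\n' "$ops" "$comm" "$tclass" "$stype" "$ttype"
}

# classify_denial LINE -> boolean | relabel | not-named
#   boolean  : named_t denied on named_zone_t; either enable
#              named_write_master_zones or relabel the dir named_cache_t
#   relabel  : named_t denied on some other type (e.g. var_t after a
#              non-default location or an update); restore the labels
#   not-named: the denial is about another domain, look elsewhere
classify_denial() {
    fields=$(parse_avc "$1")
    stype=$(printf '%s\n' "$fields" | cut -d'|' -f4)
    ttype=$(printf '%s\n' "$fields" | cut -d'|' -f5)
    if [ "$stype" != named_t ]; then
        echo not-named
    elif [ "$ttype" = named_zone_t ]; then
        echo boolean
    else
        echo relabel
    fi
}

# dac_can_create USER DIR -> 0 if USER can create a file in DIR (needs root).
# Same check as `su --shell=/bin/sh named`, but it exercises DAC only: the
# shell is unconfined, the daemon is not, so SELinux denials stay invisible.
dac_can_create() {
    runuser -u "$1" -- sh -c 'f=$(mktemp -p "$1" .jnl-probe.XXXXXX) && rm -f "$f"' sh "$2"
}

# live_triage DIR: gather what the checks above need on a real host.
live_triage() {
    dir=$1
    echo "SELinux mode: $(getenforce 2>/dev/null || echo 'not available')"
    ls -ldZ "$dir"
    # Recent denials for named; ausearch needs auditd and root.
    ausearch -m avc -c named -ts recent 2>/dev/null |
        grep 'avc:' | while IFS= read -r l; do
            printf '%s -> %s\n' "$(parse_avc "$l")" "$(classify_denial "$l")"
        done
}

# fix_labels DIR: make DIR a writable named area (named_cache_t) with a
# persistent fcontext rule, so restorecon keeps it (semanage -a fails if
# a rule for the path already exists; use -m to modify it).
# Alternative for zones that must stay in a named_zone_t directory:
#   setsebool -P named_write_master_zones 1
fix_labels() {
    semanage fcontext -a -t named_cache_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# Stand-alone demo on the constructed sample; pass --live DIR on a host.
if [ "${1:-}" = "--live" ]; then
    live_triage "$2"
else
    printf '%s -> %s\n' "$(parse_avc "$SAMPLE_AVC")" "$(classify_denial "$SAMPLE_AVC")"
fi
```

On the affected host, ausearch -m avc -c named -ts recent gives the real records to feed classify_denial. A persistent semanage fcontext rule is preferable to a one-off chcon, which the next restorecon or package relabel reverts. With named started as -t /var/named/chroot, check the directory as the daemon sees it inside the chroot.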





Re: Dynamic zone update problems, continued

2021-03-05 Thread Bruce Johnson
Turned out to be a dumdum mistake on my part. SELinux was set to enforce… set it 
to permissive and voilà! The .jnl file was created. 

I coulda sworn I’d fixed that before...

> On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users wrote:
> 
> On 3/5/21 12:07 PM, Bruce Johnson wrote:
>> Fixing the permissions and restarting named got dynamic updating working 
>> again, but new systems (ie names that are NOT already in the Zone file ) are 
>> throwing errors about the journal file: error: journal open failed: 
>> unexpected error
> 
> It seems like you still have a permissions error.
> 
> Can the user that named is running as create new files in the directory where 
> the zone is stored?
> 
>> Is there a specific command to create the .jnl file? I thought named created 
>> it automatically as needed. (at least the named-journalprint man page 
>> indicates this…)
> 
> I don't remember ever needing to manually create a journal (.jnl) file. I 
> think that named always did it.
> 
> Named will create, modify, and remove the journal file as needed.  rndc 
> freeze will sync the in memory zone contents to the journal file.  rndc sync 
> will sync the journal file to the main zone file.  The -clean option to rndc 
> sync will remove the journal file.  --  Don't forget to rndc thaw a frozen 
> zone to start allowing dynamic updates again.
> 
> Beyond that, I've not needed to worry about the journal file or its contents.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs




Re: Dynamic zone update problems, continued

2021-03-05 Thread Bruce Johnson
The named process is running as 'named':

named  45631  1.0 11.8 411576 220744 ?   Ssl  11:28   0:57 
/usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

If I run su --shell=/bin/sh named,

I can create files in the directory where the journal file should be.



On Mar 5, 2021, at 12:39 PM, Grant Taylor via bind-users 
<bind-users@lists.isc.org> wrote:

On 3/5/21 12:07 PM, Bruce Johnson wrote:
Fixing the permissions and restarting named got dynamic updating working again, 
but new systems (ie names that are NOT already in the Zone file ) are throwing 
errors about the journal file: error: journal open failed: unexpected error

It seems like you still have a permissions error.

Can the user that named is running as create new files in the directory where 
the zone is stored?

Is there a specific command to create the .jnl file? I thought named created it 
automatically as needed. (at least the named-journalprint man page indicates 
this…)

I don't remember ever needing to manually create a journal (.jnl) file. I think 
that named always did it.

Named will create, modify, and remove the journal file as needed.  rndc freeze 
will sync the in memory zone contents to the journal file.  rndc sync will sync 
the journal file to the main zone file.  The -clean option to rndc sync will 
remove the journal file.  --  Don't forget to rndc thaw a frozen zone to start 
allowing dynamic updates again.

Beyond that, I've not needed to worry about the journal file or its contents.



--
Grant. . . .
unix || die


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs




Re: Dynamic zone update problems, continued

2021-03-05 Thread Grant Taylor via bind-users

On 3/5/21 12:07 PM, Bruce Johnson wrote:
Fixing the permissions and restarting named got dynamic updating 
working again, but new systems (ie names that are NOT already in 
the Zone file ) are throwing errors about the journal file: error: 
journal open failed: unexpected error


It seems like you still have a permissions error.

Can the user that named is running as create new files in the directory 
where the zone is stored?


Is there a specific command to create the .jnl file? I thought named 
created it automatically as needed. (at least the named-journalprint 
man page indicates this…)


I don't remember ever needing to manually create a journal (.jnl) file. 
I think that named always did it.


Named will create, modify, and remove the journal file as needed.  rndc 
freeze will sync the in memory zone contents to the journal file.  rndc 
sync will sync the journal file to the main zone file.  The -clean 
option to rndc sync will remove the journal file.  --  Don't forget to 
rndc thaw a frozen zone to start allowing dynamic updates again.


Beyond that, I've not needed to worry about the journal file or its 
contents.




--
Grant. . . .
unix || die





Re: Dynamic zone update problems, continued

2021-03-05 Thread Bruce Johnson
I'm running it as named-chroot, and named has rw permissions at /var/named

This is the directory listing:

[root@mydns named]# ls -l
total 16
drwxr-x---. 7 named named   61 Oct  9 13:30 chroot
drwxrwx---. 2 named named  127 Feb 28 03:27 data
drwxrwx---. 2 named named   60 Mar  4 13:57 dynamic
drwxr-xr-x. 2 named named   31 Mar  2 13:46 log
-rw-r-. 1 named named 2253 Sep  9 09:48 named.ca
-rw-r-. 1 named named  152 Sep  9 09:48 named.empty
-rw-r-. 1 named named  152 Sep  9 09:48 named.localhost
-rw-r-. 1 named named  168 Sep  9 09:48 named.loopback
drwxrwx---. 2 named named    6 Sep  9 09:47 slaves

On Mar 5, 2021, at 12:19 PM, Gregory Sloop <gr...@sloop.net> wrote:

You may need to set permissions on not just the files, but the directory too. 
If it didn't have permissions to existing files, I suspect the parent directory 
doesn't allow that same user/group to create files either - so the jnl files 
don't get created.

-Greg


BJ> Fixing the permissions and restarting named got dynamic updating
BJ> working again, but new systems (ie names that are NOT already in
BJ> the Zone file ) are throwing errors about the journal file: error:
BJ> journal open failed: unexpected error

BJ> Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM'
BJ> Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' A
BJ> Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': adding an RR at 'dhbfswrkgrps1.DYN.Zone.COM' A 10.128.206.151
BJ> Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM'
BJ> Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' A
BJ> Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': adding an RR at 'NIC-COPIT.DYN.Zone.COM' A 128.196.45.228
BJ> Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': error: journal open failed: unexpected error


BJ> Is there a specific command to create the .jnl file? I thought
BJ> named created it automatically as needed. (at least the
BJ> named-journalprint man page indicates this…)


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs




Dynamic zone update problems, continued

2021-03-05 Thread Bruce Johnson
Fixing the permissions and restarting named got dynamic updating working again, 
but new systems (ie names that are NOT already in the Zone file ) are throwing 
errors about the journal file: error: journal open failed: unexpected error

Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM'
Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'dhbfswrkgrps1.DYN.Zone.COM' A
Mar  5 11:44:34 mydns named[45631]: client @0x7fa31f4178d0 10.128.206.151#58512: updating zone 'DYN.Zone.COM/IN': adding an RR at 'dhbfswrkgrps1.DYN.Zone.COM' A 10.128.206.151
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM'
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': deleting rrset at 'NIC-COPIT.DYN.Zone.COM' A
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': adding an RR at 'NIC-COPIT.DYN.Zone.COM' A 128.196.45.228
Mar  5 11:45:27 mydns named[45631]: client @0x7fa31f3f7c20 128.196.45.228#49190: updating zone 'DYN.Zone.COM/IN': error: journal open failed: unexpected error


Is there a specific command to create the .jnl file? I thought named created it 
automatically as needed. (at least the named-journalprint man page indicates 
this…)  


-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

