Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
On Mon, Aug 03, 2015 at 10:36:25PM -0500, Lawrence K. Chen, P.Eng. wrote:
> This unfortunately looks like the thread for me to jump on to. I missed installing the last two 9.9...-p# patches, first time I built everything and was pretty much ready to do it, and then forgot all about it due to health issues. More recent one...I had

I hope you're well now.

> got it built for Solaris x64 and was about to work on building it for Solaris SPARC when the most recent one appeared. This one carried a much stronger "get things patched" (to me at first, then higher ups started jumping around...)

It's good that you have deployed the fix for CVE-2015-5477. Those who are ignorant or foolish would say this shows the problems with free software. But that's opposed to the truth: these security reports are the strength of free software. Anyone can hack at it looking for bugs. And then those bugs get fixed. Who knows what bugs lurk inside black-box proprietary solutions? Worse, who knows if they'd be fixed? Security is in openness, standing up to the light of scrutiny.

> But, it turned out to be a huge mess to upgrade. The first time I ran into this error, it was some really old mistakes where the admin had copy and pasted a bunch of similar zones...and missed adjusting some of the files. Since on the master side they all come from the same file, it probably didn't cause any noticeable problems for the slaves or clients. However, install upgrade on our master server...knocked it out, so I'm here looking to see what the proper fix for my situation is.

This seems to be a bug fix (not allowing named to share writeable files) which has brought a lot of broken configurations out. Oops.

Basically, no two slave zones (even nominally the same zone, in a different view) should EVER share the same file. Master zones can get away with file sharing, but ONLY if named does not write to the file (no allow-update, update-policy, nor auto-dnssec.)

> Looking for a valid easy fix here ;) Partly because coming soon they're going to demolish the DNS infrastructure that I got saddled with and feel like I've done a pretty good job at re-engineering it to meet all the demands of it. But, I'm the last legacy unix systems administrator here

Sad. There's nothing legacy about Unix, though. Sounds like the salesmen are winning out over the technicians, in terms of getting management to set policy.

> Anyways...the problem is because we had turned our existing master server into doing split/stealth (started out stealth...) DNS, while having it continue to serve as slave to delegated subdomains. So that those subdomains are propagated to our external facing slave servers. So that's where the problem comes in: the internal authoritative+ nameservers having the master collect secondary zone data from them...on the Internal view. But, then having to send that information to nameservers that hit the external view of the master.

The way to select a different view on the master is to use TSIG keys.
https://kb.isc.org/article/AA-00295/

> So, until a few hours ago, it was: include a file containing all the delegated (sub)domains into both views, causing both sides to be working off of the same file.

It would require some reworking of things, but you might be interested in the new BIND 9.10 feature of the in-view zone option. This lets you literally include a zone from another view. See BIND 9 ARM chapter 6, zone Statement Definition and Usage, for details.

> Which seemed to work fine. As only one side is getting updates, the other side is just to feed our outside facing slaves. Well, this update wouldn't go for that. So, cloning the file and doing a global search and destroy: the external view is looking for zone files in a directory that is empty, while the internal side continues as is. To have something for the external nameservers to transfer (hopefully), I'm doing a regular sync of the file 'sec' to 'ext'. Not totally sure that's working, but nothing filling up logs about it. So, is what I did something that'll hold...or is there an easy proper solution to this?

Slave zones should be transferred using DNS. In a stealth master case, you need to populate also-notify lists, but perhaps in your case you can share some of that configuration with global or view level settings. (Better than having to set everything per zone.)

> To hold us/me over until they decide if it's going to be BlueCat or Infoblox that replaces everything.

IIUC both of those are BIND under the hood. :)

> Sadly, I missed both presentations due to other issues, more sad because I found my named.iner shirt, which I was going to wear to the second presentation ;)

Haha, I have one of those also. Really cool. :)

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
On 03.08.2015 at 08:08, Mukund Sivaraman wrote:
> Hi Prakash
>
> On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote:
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15424: writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15431: writeable file 'data/bodolandgov.hosts': already in use: /etc/nicnet2007.govdomain:15431
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15445: writeable file 'data/cexhyd2gov.hosts': already in use: /etc/nicnet2007.govdomain:15445
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15452: writeable file 'data/bmcsagaredu.hosts': already in use: /etc/nicnet2007.govdomain:15452
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15459: writeable file 'data/crckozhikodegov.hosts': already in use: /etc/nicnet2007.govdomain:15459
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15466: writeable file 'data/wblcgov.hosts': already in use: /etc/nicnet2007.govdomain:15466
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15473: writeable file 'data/precursorsncbgov.hosts': already in use: /etc/nicnet2007.govdomain:15473
>> Aug 3 09:59:34 govindnsvm named[7436]: /etc/nicnet2007.govdomain:15480: writeable file 'data/icggov.hosts': already in use: /etc/nicnet2007.govdomain:15480
>> Aug 3 09:59:34 govindnsvm named[7436]: loading configuration: failure
>> Aug 3 09:59:34 govindnsvm named[7436]: exiting (due to fatal error)
>
> See if you have used these data/*.host as values with the file option multiple times in your named configuration. It may be that you have included a config snippet multiple times.
>
> Mukund

Why use the file option at all on a slave? Of course it is possible, but why should one force the file name of a slave zone? That configuration option is just needed on the master. Bind will assign a filename for your slave zone on its own and you can be sure it will not assign the same name twice.

___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
On 03.08.2015 at 16:50, Heiko Richter wrote:
> On 03.08.2015 at 08:08, Mukund Sivaraman wrote:
>> Hi Prakash
>>
>> On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote:
>>> [...]
>>
>> See if you have used these data/*.host as values with the file option multiple times in your named configuration. It may be that you have included a config snippet multiple times.
>
> Why use the file option at all on a slave? Of course it is possible, but why should one force the file name of a slave zone? That configuration option is just needed on the master. Bind will assign a filename for your slave zone on its own and you can be sure it will not assign the same name twice.

And will it remove the file also automatically if the zone no longer exists in the config? Our backends, as an example, are naming the zones domain.tld.dns on master and slave, and if we remove a domain the files on both are deleted too before reloading named.
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
This unfortunately looks like the thread for me to jump on to. I missed installing the last two 9.9...-p# patches, first time I built everything and was pretty much ready to do it, and then forgot all about it due to health issues. More recent one...I had got it built for Solaris x64 and was about to work on building it for Solaris SPARC when the most recent one appeared. This one carried a much stronger "get things patched" (to me at first, then higher ups started jumping around...)

But, it turned out to be a huge mess to upgrade. The first time I ran into this error, it was some really old mistakes where the admin had copy and pasted a bunch of similar zones...and missed adjusting some of the files. Since on the master side they all come from the same file, it probably didn't cause any noticeable problems for the slaves or clients. However, install upgrade on our master server...knocked it out, so I'm here looking to see what the proper fix for my situation is.

Looking for a valid easy fix here ;) Partly because coming soon they're going to demolish the DNS infrastructure that I got saddled with and feel like I've done a pretty good job at re-engineering it to meet all the demands of it. But, I'm the last legacy unix systems administrator here.

Anyways...the problem is because we had turned our existing master server into doing split/stealth (started out stealth...) DNS, while having it continue to serve as slave to delegated subdomains. So that those subdomains are propagated to our external facing slave servers. So that's where the problem comes in: the internal authoritative+ nameservers having the master collect secondary zone data from them...on the Internal view. But, then having to send that information to nameservers that hit the external view of the master.

So, until a few hours ago, it was: include a file containing all the delegated (sub)domains into both views, causing both sides to be working off of the same file. Which seemed to work fine.

As only one side is getting updates, the other side is just to feed our outside facing slaves. Well, this update wouldn't go for that. So, cloning the file and doing a global search and destroy: the external view is looking for zone files in a directory that is empty, while the internal side continues as is. To have something for the external nameservers to transfer (hopefully), I'm doing a regular sync of the file 'sec' to 'ext'. Not totally sure that's working, but nothing filling up logs about it.

So, is what I did something that'll hold...or is there an easy proper solution to this? To hold us/me over until they decide if it's going to be BlueCat or Infoblox that replaces everything.

Sadly, I missed both presentations due to other issues, more sad because I found my named.iner shirt, which I was going to wear to the second presentation ;)

There were a couple of other interruptions in my upgrading my 20 servers, but I don't recall what the issue was with those now.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally

On 2015-08-03 10:06, Reindl Harald wrote:
> On 03.08.2015 at 16:59, Anand Buddhdev wrote:
>> On 03/08/15 16:50, Heiko Richter wrote:
>>
>> Hi Heiko,
>>
>>> Why use the file option at all on a slave?
>>
>> If you don't use the file option on a slave, then BIND does not write the zone to disk. This is okay for a small number of small zones. But if you have many zones, or they are large, then you usually want to save a copy of the zone to disk, so that at restart, BIND can load the zones in quickly
>
> and load them at all in an acceptable timeframe. If it does not save them to disk, as you said, and you have some hundred zones, you likely exceed transfer rate limits and it takes unacceptably long until your slave responds while clients already ask it.
>
> The next problem with not having them on disk is: God beware if your master is down and, due to analysis or before you recognize the problem, you restart your slave named or the server.
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
Hi Prakash

On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote:
> [...]

See if you have used these data/*.host as values with the file option multiple times in your named configuration. It may be that you have included a config snippet multiple times.

Mukund
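Mukund's suggestion above (look for a data/*.host file named by the file option more than once, possibly through a snippet included twice) and rob0's rule in the first message (no two slave zones may share a file; master zones may only when named never writes them) can be turned into a configuration check before a reload. The following script is an added example, not code from the thread or from BIND: it inlines include statements, walks view and zone statements of a constructed named.conf fragment held in memory, and reports every file used by more than one zone where at least one of those zones writes it.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the thread): two views include
# the same zone snippet, so every zone in it names its file twice.
FILES = {
    "named.conf": '''
        view "internal" { match-clients { 10.0.0.0/8; }; include "zones.conf"; };
        view "external" { match-clients { any; };       include "zones.conf"; };
    ''',
    "zones.conf": '''
        // delegated subdomains, slaved from the internal authoritative servers
        zone "udalguri.example" { type slave; masters { 192.0.2.10; }; file "data/udalguri.hosts"; };
        zone "bodoland.example" { type slave; masters { 192.0.2.10; }; file "data/bodoland.hosts"; };
        // static master zone is never written (sharing tolerated); dynamic one is written
        zone "static.example"  { type master; file "data/static.hosts"; };
        zone "dynamic.example" { type master; file "data/dynamic.hosts"; allow-update { key upd; }; };
    ''',
}

# options that make named write a master zone's file (the list given by rob0 above)
WRITER_OPTS = re.compile(r"\b(?:allow-update|update-policy|auto-dnssec\s+(?:maintain|allow))(?![\w-])")

def expand(name):
    """Return the config text with comments removed and every include inlined."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", FILES[name], flags=re.S)
    return re.sub(r'include\s+"([^"]+)"\s*;', lambda m: expand(m.group(1)), text)

def blocks(text, keyword):
    """Yield (name, body, (start, end)) per `keyword "name" [class] { body };`, brace-matched."""
    pat = re.compile(r'\b%s\s+"([^"]+)"(?:\s+\w+)?\s*\{' % keyword)
    pos = 0
    while (m := pat.search(text, pos)):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1], (m.start(), i)
        pos = i

def zone_files(name):
    """Map each file path to the list of (view, zone, writable) that use it."""
    text = expand(name)
    views = list(blocks(text, "view"))
    # anything outside a view statement belongs to the implicit default view
    cuts = [0] + [i for _, _, span in views for i in span] + [len(text)]
    rest = "".join(text[cuts[j]:cuts[j + 1]] for j in range(0, len(cuts), 2))
    scopes = [(v, body) for v, body, _ in views] + [("_default", rest)]
    uses = defaultdict(list)
    for view, body in scopes:
        for zone, zbody, _ in blocks(body, "zone"):
            f = re.search(r'\bfile\s+"([^"]+)"', zbody)
            if not f:
                continue  # no file option: nothing is written to disk
            ztype = re.search(r"\btype\s+(\w+)", zbody)
            writable = bool(ztype and ztype.group(1) in ("slave", "secondary")) \
                or bool(WRITER_OPTS.search(zbody))
            uses[f.group(1)].append((view, zone, writable))
    return uses

def conflicts(name):
    """Files used by more than one zone where at least one user writes them."""
    return {path: users for path, users in zone_files(name).items()
            if len(users) > 1 and any(w for _, _, w in users)}
```

The check compares file strings as written and ignores the directory option, so paths spelled differently for the same file are not caught.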
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
Hi,

Thanks Mukund for kind help. Problem has been resolved.

Thanks, regards,
Prakash Chand

- Original Message -
From: Mukund Sivaraman m...@isc.org
Date: Monday, August 3, 2015 11:51 am
Subject: Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
To: prakash prak...@nic.in
Cc: bind-users@lists.isc.org

> Hi Prakash
>
> On Mon, Aug 03, 2015 at 10:14:50AM +0530, prakash wrote:
>> [...]
>
> See if you have used these data/*.host as values with the file option multiple times in your named configuration. It may be that you have included a config snippet multiple times.
>
> Mukund
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
On 03/08/15 16:50, Heiko Richter wrote:

Hi Heiko,

> Why use the file option at all on a slave?

If you don't use the file option on a slave, then BIND does not write the zone to disk. This is okay for a small number of small zones. But if you have many zones, or they are large, then you usually want to save a copy of the zone to disk, so that at restart, BIND can load the zones in quickly.

Regards,
Anand
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
On 03.08.2015 at 16:59, Anand Buddhdev wrote:
> On 03/08/15 16:50, Heiko Richter wrote:
>
> Hi Heiko,
>
>> Why use the file option at all on a slave?
>
> If you don't use the file option on a slave, then BIND does not write the zone to disk. This is okay for a small number of small zones. But if you have many zones, or they are large, then you usually want to save a copy of the zone to disk, so that at restart, BIND can load the zones in quickly

and load them at all in an acceptable timeframe. If it does not save them to disk, as you said, and you have some hundred zones, you likely exceed transfer rate limits and it takes unacceptably long until your slave responds while clients already ask it.

The next problem with not having them on disk is: God beware if your master is down and, due to analysis or before you recognize the problem, you restart your slave named or the server.