I've got a domain set up with bind9 on Debian Lenny acting as a slave to my DNS hosting provider's servers. The exact circumstances are I think irrelevant, but I have allowed transfers out to my server's IP at my registrar/DNS host's web interface. This is in my /etc/bind/named.conf.local:

zone "wanners.net" in {
  type slave;
  file "/etc/bind/zones/slave.wanners.net.db";
  masters { 64.68.200.91; };
};

And I have an empty file at the path mentioned. I see this in /etc/log/syslog after starting bind9:

Jan 23 22:09:46 wanners named[14828]: starting BIND 9.6-ESV-R3 -u bind
Jan 23 22:09:46 wanners named[14828]: built with '--prefix=/usr' '--build=arm-linux-gnueabi' '--host=arm-linux-gnueabi' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--enable-ipv6' 'build_alias=arm-linux-gnueabi' 'host_alias=arm-linux-gnueabi' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -DNS_RUN_PID_DIR=0 -O2' 'LDFLAGS=' 'CPPFLAGS='
Jan 23 22:09:46 wanners named[14828]: adjusted limit on open files from 1024 to 1048576
Jan 23 22:09:46 wanners named[14828]: found 1 CPU, using 1 worker thread
Jan 23 22:09:46 wanners named[14828]: using up to 4096 sockets
Jan 23 22:09:46 wanners named[14828]: loading configuration from '/etc/bind/named.conf'
Jan 23 22:09:46 wanners named[14828]: using default UDP/IPv4 port range: [1024, 65535]
Jan 23 22:09:46 wanners named[14828]: using default UDP/IPv6 port range: [1024, 65535]
Jan 23 22:09:46 wanners named[14828]: listening on IPv6 interfaces, port 53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface eth0, 192.168.1.1#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface eth1, 68.226.67.198#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface tun0, 10.8.0.1#53
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: D.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: A.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: B.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: command channel listening on 127.0.0.1#953
Jan 23 22:09:46 wanners named[14828]: command channel listening on ::1#953
Jan 23 22:09:46 wanners named[14828]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 1.168.192.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone lo/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone localhost/IN: loaded serial 2
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: has 0 SOA records
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: has no NS records
Jan 23 22:09:46 wanners named[14828]: running
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: Transfer started.
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: connected using 68.226.67.198#51368
Jan 23 22:09:46 wanners named[14828]: dumping master file: /etc/bind/zones/tmp-dysZfOWkDE: open: permission denied
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: failed while receiving responses: permission denied
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: Transfer completed: 0 messages, 13 records, 0 bytes, 0.130 secs (0 bytes/sec)
[snip cronjobs]
Jan 23 22:10:45 wanners named[14828]: zone wanners.net/IN: Transfer started.
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: connected using 68.226.67.198#42435
Jan 23 22:10:45 wanners named[14828]: dumping master file: /etc/bind/zones/tmp-lWrePAOaFH: open: permission denied
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: failed while receiving responses: permission denied
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: Transfer completed: 0 messages, 13 records, 0 bytes, 0.107 secs (0 bytes/sec)

So it gets the records just fine and even refreshes them; it's just not answering to queries regarding them. Why is this? What should I do to fix it? And the dig to prove it:

marcus@wanners ~ $ dig -6 wanners.net

; <<>> DiG 9.6-ESV-R3 <<>> -6 wanners.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wanners.net.           IN  A

;; Query time: 2 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Jan 23 22:18:46 2011
;; MSG SIZE  rcvd: 29

[I'm using IPv6 in the test because the server is going to be serving on IPv6. The results are the same for any record under wanners.net or subdomains, even when querying from off-site.]

marcusw

3 Answers


Change the ownership of the /etc/bind/zones/ folder to that of the BIND user. Bind is unable to write to that directory.

Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: connected using 68.226.67.198#51368
Jan 23 22:09:46 wanners named[14828]: dumping master file: /etc/bind/zones/tmp-dysZfOWkDE: open: permission denied
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: failed while receiving responses: permission denied

Sameer


In my case all the permissions were correct and I even did a restorecon on the directory, but it would only work when selinux was permissive or disabled.

The solution I found from bugzilla 545128 was

setsebool -P named_write_master_zones=1
banjo67xxx


Changing the permissions, which works, isn't the best solution to this issue.

The problem is created by the absolute path in the file statement....

file "/etc/bind/zones/slave.wanners.net.db";

Change this to just the base file name

file "slave.wanners.net.db";

Then bind will write the file in /var/cache/bind, where it has the correct permissions, and where it's meant to store its temporary and working files.

For the full smackdown, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=209022

David McNeill
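Both fixes above (give the bind user write access to the zone directory, or use a bare file name so named writes under its working directory) come down to one question: for every slave zone, can named create its temporary dump file in the directory named by the `file` statement? The script below is an added example, not code from the question or any of the answers. It parses a named.conf fragment (a constructed sample modelled on the question's stanza, plus two contrasting zones), classifies each slave zone's `file` path against the `directory` option (assumed to default to `/var/cache/bind` as on Debian), and offers a small owner check for the directory that a slave with an absolute path will write into. The function names and the sample zones `example.test` and `static.test` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the question or any answer): audit the `file`
# statements of slave zones in a named.conf fragment and flag absolute
# paths that fall outside named's working directory. Assumes Debian's
# defaults: options { directory "/var/cache/bind"; } and named running
# as user "bind".

# Constructed sample config: the question's stanza plus two contrasting
# zones (a slave with a relative path, and a master zone that is never written).
SAMPLE_CONF='options {
  directory "/var/cache/bind";
};

zone "wanners.net" in {
  type slave;
  file "/etc/bind/zones/slave.wanners.net.db";
  masters { 64.68.200.91; };
};

zone "example.test" in {
  type slave;
  file "slave.example.test.db";
  masters { 192.0.2.1; };
};

zone "static.test" in {
  type master;
  file "/etc/bind/db.static.test";
};'

# Print the working directory declared in options { directory "..."; },
# or /var/cache/bind when none is declared (the Debian default).
conf_workdir() {
  d=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  printf '%s\n' "${d:-/var/cache/bind}"
}

# Print one "zone<TAB>file" line per zone whose type is slave.
# A zone stanza is assumed to start at column 0 with `zone "..."` and to
# close with `};` at column 0 (the layout used in the question).
slave_zone_files() {
  printf '%s\n' "$1" | awk '
    /^zone[ \t]+"/ { match($0, /"[^"]*"/); zone = substr($0, RSTART+1, RLENGTH-2); type = ""; file = "" }
    zone != "" && /^[ \t]*type[ \t]+slave/ { type = "slave" }
    zone != "" && /^[ \t]*file[ \t]+"/ { match($0, /"[^"]*"/); file = substr($0, RSTART+1, RLENGTH-2) }
    /^};/ { if (zone != "" && type == "slave") printf "%s\t%s\n", zone, file; zone = "" }
  '
}

# Classify a slave zone's file path against the working directory:
#   relative - stored under the working directory (the form the last answer recommends)
#   inside   - absolute, but still under the working directory
#   outside  - absolute path elsewhere; named must be able to create a temp
#              file in that directory, which is exactly what failed in the question
classify_zone_file() {
  workdir=$1; path=$2
  case $path in
    /*) case $path in
          "$workdir"/*) printf 'inside\n' ;;
          *) printf 'outside\n' ;;
        esac ;;
    *) printf 'relative\n' ;;
  esac
}

# Report every slave zone as "zone<TAB>file<TAB>verdict".
audit_slave_zones() {
  conf=$1
  wd=$(conf_workdir "$conf")
  slave_zone_files "$conf" | while IFS="$(printf '\t')" read -r zone file; do
    printf '%s\t%s\t%s\n' "$zone" "$file" "$(classify_zone_file "$wd" "$file")"
  done
}

# Check that a directory is owned by the given user (named writes its
# temporary dump file there, so owner plus write bit is the simplest correct
# setup). Prints "ok" or "owner is <user>"; works with GNU and BSD stat.
check_dir_owner() {
  want=$1; dir=$2
  owner=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir" 2>/dev/null) || return 1
  if [ "$owner" = "$want" ]; then printf 'ok\n'; else printf 'owner is %s\n' "$owner"; fi
}

# Usage: audit the sample, then (on a real system) check the flagged directory:
#   check_dir_owner bind /etc/bind/zones
audit_slave_zones "$SAMPLE_CONF"
```

On the sample this reports `wanners.net` as `outside` and `example.test` as `relative`; the master zone is skipped because named never writes a master's file. An `outside` verdict is the situation in the question: either `chown bind` that directory (first answer) or drop the directory from the `file` statement so the zone lands in the working directory (third answer). The `relative` form is the lower-privilege choice because named then needs write access only to `/var/cache/bind`, which it already owns on Debian, and `/etc/bind` can stay read-only to the daemon.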