
bind is configured to limit the log file size to 2m and to keep up to 3 versions of the log files. During the testing of this bind server, it has occurred that bind does not stop logging if the file size reaches more than 2m. During the testing of this bind server, it has occurred that bind does not add e.g. "bind.log.1", "bind.log.2" and so on after restarting bind.

Is someone able to help me with this?

OS/Software: Bind9 9.7.3 on Debian Squeeze

named.conf:

[...]
include "/etc/bind/named.conf.log";

named.conf.log:

logging {
    channel update_debug {
            file "/var/log/bind/update_debug.log" versions 3 size 2m;
            severity debug;
            print-severity  yes;
            print-time      yes;
    };
    channel security_info {
            file "/var/log/bind/security_info.log" versions 3 size 2m;
            severity notice;
            print-severity  yes;
            print-time      yes;
    };
    channel bind_log {
            file "/var/log/bind/bind.log" versions 3 size 2m;
            severity info;
            print-category  yes;
            print-severity  yes;
            print-time      yes;
    };

    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
};

ls -la /var/log/bind/:

root@ns1:/var/log/bind# ls -la
total 72
drwxrwxr-x 2 root bind  4096 Sep 16 11:52 .
drwxr-xr-x 9 root root  4096 Sep 16 11:45 ..
-rwxrwxr-- 1 root bind 56236 Sep 16 13:56 bind.log
-rwxrwxr-- 1 root bind     0 Sep 16 11:52 lame_info.log
-rwxrwxr-- 1 root bind   105 Sep 16 13:42 security_info.log
-rwxrwxr-- 1 root bind     0 Sep 16 11:52 update_debug.log
leoben

1 Answer


Assuming the following:

  • Bind9 runs on Debian and
  • Bind9's named daemon runs under the 'bind' Unix user ID
  • DNS keys are protected under bind group.

I use the following file ownership:

chown -R root:bind /etc/bind
chown    root:bind /var/lib/bind
chown -R bind:bind /var/lib/bind/*
chown -R root:bind /var/cache/bind # always filled with bind:bind ownership
chown -R bind:bind /var/log/bind # files are written from bind user

Then I clamp down file permissions such that:

chmod 2750 /etc/bind
chmod 0640 /etc/bind/*     # keys are protected under bind group
chmod 2750 /etc/bind/keys
chmod 0640 /etc/bind/keys/*
chmod 2770 /var/lib/bind
chmod 0640 /var/lib/bind/*
chmod 0770 /var/lib/bind/dynamic
chmod 2770 /var/log/bind   # give Group Special Bit
chmod 0640 /var/log/bind/*

It's different for /var/log, where it is wholly owned by the named daemon.

chmod 0750 /var/log/bind
chmod 0640 /var/log/bind/*

Then update/add /etc/logrotate.d/bind file to show:

/var/log/bind/*.log
{
  rotate 30
  daily
  dateext
  dateformat _%Y-%m-%d
  missingok
  su bind bind
  create 0640 bind bind
  delaycompress
  compress
  notifempty
  postrotate
    /bin/systemctl reload bind9
  endscript
}

If you are on another Linux distro (i.e., RedHat, Arch, Gentoo, CentOS), then replace the word bind with named throughout the above.

John Greene
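As an added example that is not code from the question or the answer, the shell script below emulates, in a scratch directory, the rename-based rotation BIND performs for a channel declared with `versions 3 size 2m` (bind.log is renamed to bind.log.0, .0 to .1 and so on, and the oldest copy is dropped), using a 64-byte limit in place of 2m so that every write triggers a rotation. It ties the question's "no bind.log.N appears" symptom to the directory permissions discussed in the answer: renaming a file requires write permission on /var/log/bind itself, not on the log file, so the script refuses to rotate when the directory is mode 0500, exactly where the daemon's rename() would fail with EACCES. The paths, the SIZE_LIMIT value and the function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original question or answer): emulate the
# rename-based rotation BIND performs for a channel declared with
# "versions 3 size 2m", in a scratch directory, to show that the rotation
# depends on write permission on the *directory*, not on the log file.
# SIZE_LIMIT (bytes) is an arbitrary stand-in for BIND's 2m so the
# rotation can be triggered on every write.

SIZE_LIMIT=64

# rotate_versions LOG N: LOG -> LOG.0, LOG.0 -> LOG.1, ..., drop LOG.(N-1).
# Returns 1 without touching anything if the directory is not writable,
# which is where a rename() by the daemon would fail with EACCES.
rotate_versions() {
  log=$1; keep=$2
  [ -w "$(dirname "$log")" ] || return 1
  n=$((keep - 1))
  rm -f "$log.$n"                       # the oldest copy falls off the end
  while [ "$n" -gt 0 ]; do
    prev=$((n - 1))
    [ -e "$log.$prev" ] && mv "$log.$prev" "$log.$n"
    n=$prev
  done
  mv "$log" "$log.0"
  : > "$log"                            # reopen a fresh, empty live log
}

# append_line LOG N TEXT: write one line, then rotate once the size limit
# is reached, mirroring the "check the size when writing" behaviour.
append_line() {
  log=$1; keep=$2; text=$3
  printf '%s\n' "$text" >> "$log"
  size=$(wc -c < "$log" | tr -d ' ')
  if [ "$size" -ge "$SIZE_LIMIT" ]; then
    rotate_versions "$log" "$keep" || return 1
  fi
}

# demo_versions: push the log over the limit four times with "versions 3"
# and print the files left behind. Three versions means the live log plus
# .0 .1 .2, so the fourth rotation must not produce a ".3".
demo_versions() {
  dir=$(mktemp -d)
  log=$dir/bind.log
  : > "$log"
  i=0
  while [ "$i" -lt 4 ]; do
    append_line "$log" 3 "$(printf '%070d' 0)"   # 71 bytes, always over the limit
    i=$((i + 1))
  done
  files=$(echo $(ls "$dir"))            # space-separated, sorted by ls
  rm -rf "$dir"
  echo "$files"
}

# demo_readonly_dir: same write, but with the directory made unwritable
# (0500) while the log file itself stays writable. Prints "blocked" when
# the rotation is refused and "rotated" otherwise; root ignores mode bits,
# so as root this prints "rotated".
demo_readonly_dir() {
  dir=$(mktemp -d)
  log=$dir/bind.log
  : > "$log"
  chmod 0500 "$dir"
  if append_line "$log" 3 "$(printf '%070d' 0)"; then
    result=rotated
  else
    result=blocked
  fi
  chmod 0700 "$dir"
  rm -rf "$dir"
  echo "$result"
}

echo "versions 3, four rotations: $(demo_versions)"
echo "directory mode 0500:        $(demo_readonly_dir)"
```

Run it as a non-root user to see the second case refuse; as root both cases rotate, which is also why a permission problem in /var/log/bind can go unnoticed when testing by hand as root. For the logrotate side of the answer, `logrotate -d /etc/logrotate.d/bind` runs the configuration in debug mode without rotating anything and reports, among other things, parent directories whose ownership or permissions it considers insecure for the `su` user given.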