Description of problem:
The 'named' daemon fails to start when MS AD records of the form 'gc._msdcs.mydomain.com' have been added to a master forward zone file. During the run of the initscript, named-checkconf returns a non-zero error code when checking forward zones having MS Active Directory gc._msdcs 'A' records. The named initscript does not give one the choice of passing up this name check, even if 'check-names ignore' is set in the named.conf file. As a result, the initscript bails before attempting to start named.

Version-Release number of selected component (if applicable):
bind-9.3.1-6.FC4

How reproducible:
Always

Steps to Reproduce:
1. Allow MS AD Domain Controller to add dynamic DNS records to zonefile mastered by BIND.
2. Restart BIND on the primary DNS server for that zone: /sbin/service named restart

Actual results:
Starting named:
Error in named configuration:
zone 0.0.127.in-addr.arpa/IN: loaded serial 2
data/db.thebank:96: gc._msdcs.thebank.com: bad owner name (check-names)
data/db.thebank:97: gc._msdcs.thebank.com: bad owner name (check-names)
data/db.thebank:98: gc._msdcs.thebank.com: bad owner name (check-names)
data/db.thebank:99: gc._msdcs.thebank.com: bad owner name (check-names)
zone thebank.com/IN: loaded serial 19564
data/db.ciassociates:27: gc._msdcs.ciassociates.com: bad owner name (check-names)
zone ciassociates.com/IN: loaded serial 160
zone thebanks.com/IN: loaded serial 4
data/db.cnbpost:27: gc._msdcs.cnbpost.com: bad owner name (check-names)
zone cnbpost.com/IN: loaded serial 23
[ snipped ]
[FAILED]

Expected results:
BIND starts normally

Additional info:
Never mind this one! Turns out that an unrelated permissions error was really causing the server to crash. Once that was eliminated, it started up fine.
Yes, to support DDNS updateable zones, you need to either locate the zone files in the 'slaves/' subdirectory, or:

# chown named:named $ROOTDIR/var/named; chmod g+w $ROOTDIR/var/named

and, if SELinux is enabled in Enforcing mode:

# setsebool named_write_master_zones 1

(see man named_selinux). The error messages you see above are from the bind-9.3.1 "check-names" code - perhaps because the files were not correctly updated because of the permissions problem? But bind-9.3.1 has new behaviour with name checking, that you can configure with the named.conf 'options{... check-names ... }' option:

check-names ( master | slave | response ) ( warn | fail | ignore );

(see the BIND9 Administrators Reference Manual: file:///usr/share/doc/bind-9.3.1/arm/Bv9ARM.html).
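To see why only the gc._msdcs 'A' records trip check-names while the AD SRV records (_ldap._tcp.dc._msdcs and friends) do not, here is an added, simplified re-implementation of the owner-name check, not BIND's own code: it applies the RFC 952/1123 hostname rule (letters, digits, hyphens; no underscores) to the owner names of A, AAAA and MX records in a zone-file text and reports in the same "file:line: name: bad owner name (check-names)" format. The zone text, origin example.test and filename zone.db are constructed for the example; BIND additionally checks RDATA targets of NS/MX/SRV records, which this version leaves out.

```python
import re

# Hostname label as check-names enforces it: letters, digits and hyphens,
# not starting or ending with a hyphen. "_msdcs" fails on the underscore.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Owner-name checks apply to these record types only; SRV and TXT owners
# are exempt, so the AD _ldap._tcp.* SRV records load without complaint.
_CHECKED_TYPES = {"A", "AAAA", "MX"}


def is_hostname(name: str) -> bool:
    """True if every label of a (possibly dot-terminated) name is a hostname label."""
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def check_zone_text(text: str, filename: str, origin: str = ".") -> list:
    """Return BIND-style check-names failures for A/AAAA/MX owner names."""
    messages, last_owner = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                   # directives: only $ORIGIN matters here
            if line.upper().startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if raw[0].isspace():                       # leading blank: reuse previous owner
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # skip optional numeric TTL / class
        if not fields or fields[0].upper() not in _CHECKED_TYPES:
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        if not is_hostname(fqdn):
            messages.append(f"{filename}:{lineno}: {fqdn.rstrip('.')}: bad owner name (check-names)")
    return messages


# Constructed sample zone mimicking records an AD domain controller registers.
ZONE = """\
$ORIGIN example.test.
$TTL 3600
@                     IN SOA ns1 hostmaster 2 3600 900 604800 3600
                      IN NS  ns1
ns1                   IN A   192.0.2.1
_ldap._tcp.dc._msdcs  IN SRV 0 100 389 dc1
dc1                   IN A   192.0.2.10
gc._msdcs             IN A   192.0.2.10
mail                  IN MX  10 dc1
"""

if __name__ == "__main__":
    for msg in check_zone_text(ZONE, "zone.db"):
        print(msg)
```

With check-names set to ignore (or warn) for master zones in named.conf, the same records load instead of stopping the zone.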