Bug 163525 - AD DNS records break named startup zone check
Product: Fedora
Classification: Fedora
Component: bind
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Jason Vas Dias
Ben Levenson
Reported: 2005-07-18 12:05 EDT by James J. Moore
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-07-18 13:18:39 EDT

Description James J. Moore 2005-07-18 12:05:04 EDT
Description of problem:
   The 'named' daemon fails to start when MS AD records of the form 'gc._msdcs.mydomain.com' have been added to a master forward zone file. During the run of the initscript, named-checkconf returns a non-zero error code when checking forward zones having MS Active Directory gc._msdcs 'A' records. The named initscript does not give one the choice of passing up this name check, even if 'check-names ignore' is set in the named.conf file. As a result, the initscript bails before attempting to start named.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.  Allow MS AD Domain Controller to add dynamic DNS records to zonefile mastered by BIND.
2.  Restart BIND on the primary DNS server for that zone: /sbin/service named
Actual results: 
Starting named: 
Error in named configuration: 
zone 0.0.127.in-addr.arpa/IN: loaded serial 2 
data/db.thebank:96: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:97: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:98: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:99: gc._msdcs.thebank.com: bad owner name (check-names) 
zone thebank.com/IN: loaded serial 19564 
data/db.ciassociates:27: gc._msdcs.ciassociates.com: bad owner name 
zone ciassociates.com/IN: loaded serial 160 
zone thebanks.com/IN: loaded serial 4 
data/db.cnbpost:27: gc._msdcs.cnbpost.com: bad owner name (check-names) 
zone cnbpost.com/IN: loaded serial 23 
[ snipped ] 
Expected results: 
   BIND starts normally 
Additional info:
Comment 1 James J. Moore 2005-07-18 12:08:41 EDT
Never mind this one!  Turns out that an unrelated permissions error was really causing the server to crash.  Once that was eliminated, it started up fine.
Comment 2 Jason Vas Dias 2005-07-18 13:18:39 EDT
Yes, to support DDNS updateable zones, you need to either locate the zone files in the 'slaves/' subdirectory, or
  # chown named:named $ROOTDIR/var/named; chmod g+w $ROOTDIR/var/named
and, if SELinux is enabled in Enforcing mode:
  # setsebool named_write_master_zones 1
(see man named_selinux).

The error messages you see above are from the bind-9.3.1 "check-names" code - perhaps because the files were not correctly updated because of the permissions problem?
But bind-9.3.1 has new behaviour with name checking, that you can configure with the named.conf 'options{... check-names ... }' option:
  check-names ( master | slave | response ) ( warn | fail | ignore );
(see the BIND9 Administrators Reference Manual:

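The check-names behaviour described in Comment 2, as an added example that is not part of this bug report or of BIND: a small Python pre-check that applies BIND's hostname rule to the owner names of A/AAAA/MX records in a zone file, so that AD-registered names like gc._msdcs (which abort startup under 'check-names master fail') can be found before named is restarted. The zone file, the record-type set and the function names are constructed for illustration; the rule that only A/AAAA/MX owner names are tested is taken from the BIND ARM and is an assumption here, not something the bug states.

```python
import re

# BIND's check-names tests owner names of A/AAAA/MX records only (per the BIND ARM).
CHECKED_TYPES = {"A", "AAAA", "MX"}
CLASSES = {"IN", "CH", "HS"}
# RFC 952/1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def absolute(name, origin):
    """Expand a zone-file owner name to an FQDN under the current $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def is_hostname(fqdn):
    """True when every label of the name satisfies the hostname rule."""
    return all(LABEL_RE.match(label) for label in fqdn.rstrip(".").split("."))

def find_bad_owner_names(zone_text, origin):
    """Return (line_no, fqdn) for every checked owner name check-names rejects."""
    bad, last_owner = [], "@"
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):  # $ORIGIN / $TTL directives
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():  # a leading blank means "same owner as before"
            last_owner, tokens = tokens[0], tokens[1:]
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens = tokens[1:]  # optional TTL and class
        if tokens and tokens[0].upper() in CHECKED_TYPES:
            fqdn = absolute(last_owner, origin)
            if not is_hostname(fqdn):
                bad.append((line_no, fqdn))
    return bad

def named_would_start(zone_text, origin, mode="fail"):
    """'check-names master fail' aborts the zone load; warn and ignore do not."""
    return mode != "fail" or not find_bad_owner_names(zone_text, origin)
# Constructed sample: an AD domain controller has registered gc._msdcs via DDNS.
SAMPLE_ZONE = """\
$ORIGIN thebank.com.
@          IN SOA ns1 hostmaster 19564 3600 900 604800 86400
ns1        IN A   192.0.2.1
dc1        IN A   192.0.2.10
gc._msdcs  IN A   192.0.2.10
_ldap._tcp IN SRV 0 100 389 dc1
"""
```

Only the gc._msdcs A record is reported, matching the 'bad owner name' lines in the bug: the _ldap._tcp SRV owner is not subject to the check, so switching to 'check-names master ignore' (or warn) is only needed for the underscore A records AD creates.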