Bug 447486 - bind: named in chroot: the working directory is not writable
Product: Fedora
Classification: Fedora
Component: bind
Platform: All
OS: Linux
Priority: low
Severity: high
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-19 23:04 EDT by Al Dunsmuir
Modified: 2013-04-30 19:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-24 06:06:42 EDT

Attachments
Bind syslog (3.12 KB, text/plain) - 2008-05-19 23:04 EDT, Al Dunsmuir
bind chroot directory tree (1.94 KB, text/plain) - 2008-05-19 23:05 EDT, Al Dunsmuir
named.conf (1.13 KB, text/plain) - 2008-05-20 10:45 EDT, Al Dunsmuir
/var/named/fernbank.whitby.ca.db (365 bytes, text/plain) - 2008-05-20 10:51 EDT, Al Dunsmuir
/var/named/192.168.1.db (457 bytes, text/plain) - 2008-05-20 10:51 EDT, Al Dunsmuir
/var/named/named.ca (1.25 KB, text/plain) - 2008-05-20 10:53 EDT, Al Dunsmuir
Output from dig @ luke (938 bytes, text/plain) - 2008-05-20 10:56 EDT, Al Dunsmuir
Output from dig @ luke (144 bytes, text/plain) - 2008-05-20 11:00 EDT, Al Dunsmuir
Result of adding to listen-on using s-c-b (1.12 KB, text/plain) - 2008-05-20 13:21 EDT, Al Dunsmuir

Description Al Dunsmuir 2008-05-19 23:04:04 EDT
Description of problem: Bind not working in new F9 install.

Installed F9 on secondary server, with SELinux enabled. My initial update from
F8 had many SELinux errors and after my primary F8 server's power supply died, I
suddenly had to have working DHCP (done), and DNS server.  I've tended to be an
early Fedora adopter (and also seem to open a system-config-bind bug report per
release <GRIN>), so thought it should be easy.

Installed bind, bind-libs, bind-utils, bind-chroot, system-config-bind
Customized my usual bind configuration... looks good.
Started named, and tried nslookups to verify. 
named does not appear to be resolving any DNS lookups!

Saw 446477, and it appears to be the same or related.
The bind-chroot appears to have wrong permissions (see bind_tree.txt).
The syslog (see bind-syslog.txt) shows problem - named does not have R/W working

I can force permissions, but thought you'd want a live guinea pig to test fix. 

Version-Release number of selected component (if applicable):
Current F8 release + updates

How reproducible:

Steps to Reproduce:
Actual results:
Bind not functional

Expected results:
Bind resolving internal network names

Additional info:
Comment 1 Al Dunsmuir 2008-05-19 23:04:05 EDT
Created attachment 306078 [details]
Bind syslog
Comment 2 Al Dunsmuir 2008-05-19 23:05:23 EDT
Created attachment 306079 [details]
bind chroot directory tree
Comment 3 Adam Tkac 2008-05-20 10:26:31 EDT
A non-writable working directory has been part of BIND's security policy for a long time.
The problem is different from the one in bug #446477.
Could you please attach your named.conf and the output from "dig
@<affected_nameserver> <dns_name>"? Thanks
Comment 4 Al Dunsmuir 2008-05-20 10:45:33 EDT
Created attachment 306130 [details]
Comment 5 Al Dunsmuir 2008-05-20 10:51:14 EDT
Created attachment 306132 [details]
Comment 6 Al Dunsmuir 2008-05-20 10:51:57 EDT
Created attachment 306133 [details]
Comment 7 Al Dunsmuir 2008-05-20 10:53:09 EDT
Created attachment 306134 [details]
Comment 8 Al Dunsmuir 2008-05-20 10:56:37 EDT
Created attachment 306135 [details]
Output from dig @ luke
Comment 9 Al Dunsmuir 2008-05-20 11:00:17 EDT
Created attachment 306136 [details]
Output from dig @ luke

I believe that I normally set up DNS with non-localhost IP address... but that
did not resolve to the same server.  Is this normal?

Sure wish power supply would arrive so I could compare to my F8 server DNS.
Comment 10 Adam Tkac 2008-05-20 11:23:45 EDT
You have to use a fully qualified domain name when you are using dig (so dig
@ luke.fernbank.whitby.ca in your case). It works fine for me - returns
Are you sure that your "allow-query" and "listen-on(-v6)" statements in
named.conf are set correctly? (with the current setup the server is reachable only from and ::1)
Comment 11 Al Dunsmuir 2008-05-20 12:37:02 EDT
You have a copy of my named.conf.  It has localhost for allow-query.

While dig may be working, name resolution is not.  I am using the network service to
manage my interfaces, since static IPs were not activated by the networkmanager
service (turned off).  

The DNS page of the eth0 Network configuration has
Hostname: leeloo.fernbank.whitby.ca
Primary DNS:
Secondary DNS:
DNS Search path: fernbank.whitby.ca

The result of ping luke is:
ping: unknown host luke

The result of "nslookup luke" is:
[root@leeloo etc]# nslookup luke

** server can't find luke: NXDOMAIN

The result of "nslookup luke" is
[root@leeloo etc]# nslookup luke

Name:	luke.fernbank.whitby.ca

So I guess the problem is why is my primary DNS on this system not fielding
requests, unless explicitly queried (dig @... and nslookup name addr).

Comment 12 Al Dunsmuir 2008-05-20 13:21:15 EDT
Created attachment 306159 [details]
Result of adding to listen-on using s-c-b

Tried to add to listen-on port after
Comment 13 Al Dunsmuir 2008-05-20 13:24:11 EDT
Argh.... when I open eth0 DNS tab again, it has changed the localhost
address to the interface IP address by which this machine is known
in my LAN.

system-config-bind says "The default is to listen on  all configured IPv4
interfaces with port #53.", except it only has (value set initially by
bind + bind-chroot). 

So there is a behaviour change from F8 (due to NM?), where I used the caching
nameserver as a base, with 192.168.1.x (system interface IP addr) as the DNS
addr. (eg 192.168.1.x:53).

Initial attempt to use s-c-bind to make a list of IP addrs failed... will edit
Comment 14 Al Dunsmuir 2008-05-20 13:34:34 EDT
I changed the named.conf file line to:
listen-on port 53 {,; };

And I got the expected behaviour:
May 20 13:30:33 leeloo named[10794]: listening on IPv4 interface lo,
May 20 13:30:33 leeloo named[10794]: listening on IPv4 interface eth0,

[root@leeloo etc]# nslookup luke

Name:	luke.fernbank.whitby.ca

[root@leeloo etc]# ping luke
PING luke.fernbank.whitby.ca ( 56(84) bytes of data.
64 bytes from luke.fernbank.whitby.ca ( icmp_seq=1 ttl=255
time=3.06 ms
64 bytes from luke.fernbank.whitby.ca ( icmp_seq=2 ttl=255
time=1.21 ms
64 bytes from luke.fernbank.whitby.ca ( icmp_seq=3 ttl=255
time=1.17 ms
--- luke.fernbank.whitby.ca ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2166ms
rtt min/avg/max/mdev = 1.174/1.815/3.060/0.880 ms

So the combo of the network DNS tab changing the localhost IP to the interface
IP and the named.conf only having the localhost IP was the problem.  When I
changed named.conf to have both the interface and localhost IP addresses, I now
have a DNS server that works for me.
Comment 15 Al Dunsmuir 2008-05-20 13:57:36 EDT
Actually... it only works within the leeloo linux machine.

Queries from other machines in my 192.168.1.x subnet are still rejected.  From
my NT box:

prompt>nslookup luke
DNS request timed out
timeout was 2 seconds
*** Can't find server name for address Timed out

I tried editing named.conf, and commenting out the allow-query stanza.
According to V29ARM.pdf, this should allow queries from any address.

Please help.  It is not useful to have a DNS server that doesn't answer queries. 

Comment 16 Al Dunsmuir 2008-05-20 16:16:55 EDT
Had a thought, and checked firewall via System->Administration->Firewall.
Was enabled.  Disabled it... rebooted... no change.

"nslookup name" works in leeloo terminal, but not when executed in window of LAN
attached system on same subnet.
Comment 17 Adam Tkac 2008-05-21 04:48:22 EDT
You have a misconfiguration in named.conf. As I wrote in comment #10 you have to
set up the listen-on option correctly (you already did it, but you can also specify
simply listen-on { any; }; ).

The next problem is the allow-query statement in your named.conf (look at
http://www.isc.org/index.pl?/sw/bind/arm95/). When you have only localhost
specified there, queries from other machines are rejected. You can see it in the
system log when you enable query logging (run "rndc querylog") - messages like
"client x.x.x.x#port denied". You have to specify "allow-query {localhost;;}" for example.
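The allow-query behaviour described in this comment, as an added example that is not code from this bug report or from BIND: a simplified evaluator of BIND's address-match-list rule (first match wins, no match means denied), applied to constructed query-log lines of the "client x.x.x.x#port ... denied" form, showing why a LAN client is refused with localhost alone and admitted once the LAN prefix is listed. The 192.168.1.0/24 prefix and the sample log lines are assumptions.

```python
import ipaddress
import re

# Simplified evaluator for a BIND address_match_list (listen-on / allow-query):
# any, none, localhost, single addresses, CIDR prefixes and "!" negation; the
# first matching element wins and no match means denied. Added illustration only.
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def parse_acl(stanza):  # e.g. 'allow-query { localhost; 192.168.1.0/24; };'
    body = re.search(r"\{(.*)\}", stanza, re.S).group(1)
    return [e.strip() for e in body.split(";") if e.strip()]

def client_allowed(acl, client):
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(addr in net for net in LOCALHOST_NETS)
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

# "client x.x.x.x#port ... denied" is what query logging writes when a client fails allow-query.
DENIED_RE = re.compile(r"client (\S+)#\d+.*denied")

def denied_clients(log_lines):
    return sorted({m.group(1) for line in log_lines if (m := DENIED_RE.search(line))})

def explain(stanza, log_lines):
    """Map each denied client to whether the given allow-query stanza would admit it."""
    acl = parse_acl(stanza)
    return {c: client_allowed(acl, c) for c in denied_clients(log_lines)}

# Constructed sample log lines (not from the bug's attachments), in BIND's log format.
SAMPLE_LOG = [
    "May 20 13:40:01 leeloo named[10794]: client 192.168.1.20#1025: query (cache) 'luke.fernbank.whitby.ca/A/IN' denied",
    "May 20 13:40:02 leeloo named[10794]: client 127.0.0.1#50231: query: luke.fernbank.whitby.ca IN A +",
]
WEAK = "allow-query { localhost; };"                   # the reporter's setting (comment 11)
FIXED = "allow-query { localhost; 192.168.1.0/24; };"  # LAN prefix is an assumption

if __name__ == "__main__":
    print("weak :", explain(WEAK, SAMPLE_LOG))   # {'192.168.1.20': False}
    print("fixed:", explain(FIXED, SAMPLE_LOG))  # {'192.168.1.20': True}
```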
Comment 18 Al Dunsmuir 2008-05-23 14:21:34 EDT

I've added the final updates that you suggested, and it is all working now. 
Please mark this bug as complete, or whatever it is that finalizes your process.

Thanks for all your assistance!
