slave DNS server gives: dumping master file: tmp-tLhtqBidrp: open: permission denied

Discussion in 'Parallels Client for Linux' started by wverboom, Jul 28, 2016.

  1. wverboom

    wverboom Bit poster

    Messages:
    2
    Hi there,

    My slave DNS server seems to work fine, but it generates the following messages:
    dumping master file: tmp-7HskK3f20H: open: permission denied
    dumping master file: tmp-IwYZO2kdZM: open: permission denied
    dumping master file: tmp-X8NBofY7Ff: open: permission denied
    dumping master file: tmp-FT0msqb6ka: open: permission denied
    dumping master file: tmp-GJwRw5EcKi: open: permission denied
    dumping master file: tmp-Cyt2TvrggB: open: permission denied
    dumping master file: tmp-UKU3Uaq3Qj: open: permission denied
    dumping master file: tmp-GwOU3pGvQ8: open: permission denied
    dumping master file: tmp-pce6eAvstI: open: permission denied
    dumping master file: tmp-aPBOiqUFjf: open: permission denied

    It cannot write something somewhere, and it looks like my DNS zones are only in memory. After rebooting the server, the DNS zones are not available for some time; it needs to transfer them again first in order to work.

    This is my named.conf file on the slave server (CentOS 7):
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-new-zones yes;
        allow-transfer { 1.2.3.4; 1.2.3.5; 1.2.3.6; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    key "rndc-key" {
        algorithm hmac-md5;
        secret "sdfghsgfsdfgsdfQ==";
    };

    controls {
        inet * port 953
            allow { 1.2.3.4; 1.2.3.5; 1.2.3.6 ;127.0.0.1; } keys { "rndc-key"; };
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    The rights look like this:
    rpm -ql bind | xargs ls -lda | grep -v share

    ls: cannot access /var/log/named.log: No such file or directory
    -rw-r----- 1 root named 514 Mar 16 14:40 /etc/logrotate.d/named
    drwxr-x---. 2 root named 6 Mar 16 14:40 /etc/named
    -rw-r----- 1 root named 1987 Jan 6 2016 /etc/named.conf
    -rw-r--r-- 1 root named 2389 Mar 16 14:40 /etc/named.iscdlv.key
    -rw-r----- 1 root named 931 Jun 21 2007 /etc/named.rfc1912.zones
    -rw-r--r-- 1 root named 487 Jul 19 2010 /etc/named.root.key
    -rwxr-xr-x 1 root root 344 Mar 16 14:40 /etc/NetworkManager/dispatcher.d/13-named
    -rw------- 1 root root 480 Oct 28 2015 /etc/rndc.conf
    -rw-r-----. 1 root named 77 Oct 24 2015 /etc/rndc.key
    -rw-r--r-- 1 root root 140 Mar 16 14:40 /etc/rwtab.d/named
    -rw-r--r-- 1 root root 283 Nov 5 2015 /etc/sysconfig/named
    drwxr-xr-x 2 named named 80 Jul 24 03:26 /run/named
    drwxr-xr-x. 2 root root 6 Mar 16 14:40 /usr/lib64/bind
    -rwxr-xr-x 1 root root 530 Mar 16 14:40 /usr/libexec/generate-rndc-key.sh
    -rw-r--r-- 1 root root 773 Mar 16 14:40 /usr/lib/systemd/system/named.service
    -rw-r--r-- 1 root root 121 Mar 16 14:40 /usr/lib/systemd/system/named-setup-rndc.service
    -rw-r--r-- 1 root root 32 Mar 16 14:40 /usr/lib/tmpfiles.d/named.conf
    -rwxr-xr-x 1 root root 7184 Mar 16 14:40 /usr/sbin/arpaname
    -rwxr-xr-x 1 root root 19856 Mar 16 14:40 /usr/sbin/ddns-confgen
    -rwxr-xr-x 1 root root 9870 Mar 16 14:40 /usr/sbin/dnssec-checkds
    -rwxr-xr-x 1 root root 26566 Mar 16 14:40 /usr/sbin/dnssec-coverage
    -rwxr-xr-x 1 root root 53808 Mar 16 14:40 /usr/sbin/dnssec-dsfromkey
    -rwxr-xr-x 1 root root 53808 Mar 16 14:40 /usr/sbin/dnssec-importkey
    -rwxr-xr-x 1 root root 53696 Mar 16 14:40 /usr/sbin/dnssec-keyfromlabel
    -rwxr-xr-x 1 root root 66048 Mar 16 14:40 /usr/sbin/dnssec-keygen
    -rwxr-xr-x 1 root root 49568 Mar 16 14:40 /usr/sbin/dnssec-revoke
    -rwxr-xr-x 1 root root 53728 Mar 16 14:40 /usr/sbin/dnssec-settime
    -rwxr-xr-x 1 root root 104064 Mar 16 14:40 /usr/sbin/dnssec-signzone
    -rwxr-xr-x 1 root root 49568 Mar 16 14:40 /usr/sbin/dnssec-verify
    -rwxr-xr-x 1 root root 11408 Mar 16 14:40 /usr/sbin/genrandom
    -rwxr-xr-x 1 root root 11472 Mar 16 14:40 /usr/sbin/isc-hmac-fixup
    -rwxr-xr-x 2 root root 586736 Mar 16 14:40 /usr/sbin/lwresd
    -rwxr-xr-x 2 root root 586736 Mar 16 14:40 /usr/sbin/named
    -rwxr-xr-x 1 root root 28744 Mar 16 14:40 /usr/sbin/named-checkconf
    -rwxr-xr-x 1 root root 28568 Mar 16 14:40 /usr/sbin/named-checkzone
    lrwxrwxrwx 1 root root 15 Jun 9 09:23 /usr/sbin/named-compilezone -> named-checkzone
    -rwxr-xr-x 1 root root 11376 Mar 16 14:40 /usr/sbin/named-journalprint
    -rwxr-xr-x 1 root root 11408 Mar 16 14:40 /usr/sbin/nsec3hash
    -rwxr-xr-x 1 root root 32616 Mar 16 14:40 /usr/sbin/rndc
    -rwxr-xr-x 1 root root 19864 Mar 16 14:40 /usr/sbin/rndc-confgen
    drwxr-x---. 5 root named 12288 Jul 22 16:49 /var/named
    drwxrwx---. 2 named named 4096 Jul 24 03:26 /var/named/data
    drwxrwx---. 2 named named 58 Jul 26 14:44 /var/named/dynamic
    -rw-r----- 1 root named 2076 Jan 28 2013 /var/named/named.ca
    -rw-r----- 1 root named 152 Dec 15 2009 /var/named/named.empty
    -rw-r----- 1 root named 152 Jun 21 2007 /var/named/named.localhost
    -rw-r----- 1 root named 168 Dec 15 2009 /var/named/named.loopback
    drwxrwx---. 2 named named 6 Mar 16 14:40 /var/named/slaves
     
  2. wverboom

    wverboom Bit poster

    Messages:
    2
    I have changed the permissions for named in the /var/named (+w) and that fixes the problem.
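
An added example, not part of the original thread: a shell check that reads `ls -ld` lines like those in the first post and reports whether the `named` account can create files in each directory. The function names `can_write` and `check_listing` are hypothetical; the check assumes the account's primary group only and does not model root, ACLs or SELinux.

```shell
#!/bin/sh
# Added example: evaluate `ls -ld` lines for one account.
# Simplification: only the primary group is considered; root, ACLs and
# SELinux policy are not evaluated.

# can_write USER GROUP MODE OWNER OWNER_GROUP
# Returns 0 if USER may create files in the directory (write + search bits).
can_write() {
    cw_user=$1; cw_group=$2; cw_mode=$3; cw_owner=$4; cw_ogroup=$5
    # Select the permission triplet that applies to this account.
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_bits=$(printf '%s' "$cw_mode" | cut -c2-4)
    elif [ "$cw_group" = "$cw_ogroup" ]; then
        cw_bits=$(printf '%s' "$cw_mode" | cut -c5-7)
    else
        cw_bits=$(printf '%s' "$cw_mode" | cut -c8-10)
    fi
    # Creating a temp file needs "w" plus "x" (x, s or t in the third slot).
    case $cw_bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_listing USER GROUP  (reads `ls -ld` lines on stdin)
# Prints one verdict per directory; non-directory lines are skipped.
check_listing() {
    while read -r mode _links owner ogroup _size _mon _day _time path; do
        case $mode in
            d*) ;;
            *)  continue ;;
        esac
        if can_write "$1" "$2" "$mode" "$owner" "$ogroup"; then
            echo "$path writable"
        else
            echo "$path NOT-writable"
        fi
    done
}

# Sample input: four directory lines from the listing in the first post.
check_listing named named <<'EOF'
drwxr-x---. 5 root named 12288 Jul 22 16:49 /var/named
drwxrwx---. 2 named named 4096 Jul 24 03:26 /var/named/data
drwxrwx---. 2 named named 58 Jul 26 14:44 /var/named/dynamic
drwxrwx---. 2 named named 6 Mar 16 14:40 /var/named/slaves
EOF
```

Run against those four lines, it reports `/var/named` as not writable by `named` and the `data`, `dynamic` and `slaves` subdirectories as writable.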
     
  3. Hey, thank you for sharing this info with us.
     
  4. Elizabeth Anderson

    Elizabeth Anderson Member

    Messages:
    33
    Also, try the following -
    Code:
    chown bind:bind /etc/bind/named.conf /etc/bind/slave
     
