bind: data/named.run permission denied

I just installed Fedora 23 and bind-9.10 on it, and the default installation won't run. I created only one zone file (it passes the syntax check), but this error has nothing to do with any zone data I created:

Jan 05 08:05:09 localhost.localdomain named[5786]: isc_file_isplainfile 'data/named.run' failed: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: configuring logging: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: loading configuration: permission denied
Jan 05 08:05:09 localhost.localdomain named[5786]: exiting (due to fatal error)

These are the permissions of the directories involved:

[root@localhost named]# ls -dl /var/named
drwxr-x---. 5 root named 4096 Jan  5 07:58 /var/named
[root@localhost named]# ls -dl /var/named/data
drwxrwx---. 2 named named 4096 Dec 16 12:15 /var/named/data
[root@localhost named]# 

The directory /var/named/data is empty.

strace shows the same error:

[pid  5794] open("/dev/random", O_RDONLY|O_NONBLOCK) = 10
[pid  5794] fcntl(10, F_GETFL)          = 0x8800 (flags O_RDONLY|O_NONBLOCK|O_LARGEFILE)
[pid  5794] fcntl(10, F_SETFL, O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 0
[pid  5794] stat("data/named.run", 0x7f04aaf72630) = -1 EACCES (Permission denied)

I didn't expect a default installation to have errors like misconfigured directory permissions. What is wrong here?

Here is my /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.14; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};


zone "supervisedchat.com" {
    type master;
    file "/var/named/supervisedchat.dns";  # 10.128.0.0/16 subnet
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/named/supervisedchat.rev";  # 10.128.0.0/16 subnet
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Answer 1

I ran into the same problem setting up named in a container. You have to run named as the correct user, which on Redhat/Fedora is the user "named":

named -u named   # Possibly in the foreground using an additional -g

named drops all capabilities at startup (except a few, such as the ability to bind to low ports), so root also loses the ability to read everyone's files. This means the "root user of the named process" can no longer read named's files. That is why you have to run it as the named user with -u named.

From the man page:

Note: On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind(2) to a privileged port and set process resource limits.

The default configuration on Fedora (or at least current Fedora 30) runs it with the correct options, but when debugging you need to supply them manually, e.g. named -u named -g

Answer 2

Do you know where named or bind is trying to create "data/named.run"?

Try

logging {
    channel default_debug {
            file "/var/named/data/named.run";
            severity dynamic;
    };
};

Without an absolute path, named will try to access data/named.run in the cwd.

Answer 3

You showed the permissions of the folder /var/named/data, but not the permissions of its contents. Could that be your problem?
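Answers 2 and 3 both come down to the same diagnostic: work out which absolute path each "file" directive in named.conf actually refers to, then inspect the permissions of every directory on the way to it. The following POSIX sh script is an added example, not code from the question or from any of the answers. It reads the `directory` option (named chdir()s there, and BIND resolves every non-absolute path in the configuration relative to it), resolves each `file "..."` directive against it, and prints the ancestor chain so each level can be checked with `ls -dl`, as the question does for /var/named. The sample configuration it writes is constructed for the demonstration and mirrors the layout of the question's named.conf; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve the "file" directives in a named.conf against the
# "directory" option and list the directory chain that must be traversable
# (and, for the log file, writable) by the user named runs as.

# Print the value of the `directory` option (first match wins).
named_directory() {
    # $1 = path to named.conf
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print every `file "..."` target (logging channels and zone files), resolved to
# an absolute path. Relative paths are taken relative to `directory`, which is
# how named treats them; if no directory is set, the current directory is used.
resolve_log_files() {
    # $1 = path to named.conf
    conf="$1"
    dir=$(named_directory "$conf")
    sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s/%s\n' "${dir:-$PWD}" "$f" ;;
        esac
    done
}

# Print each ancestor directory of an absolute file path, root first, so every
# level can be checked for the execute (search) bit and, for the last one, write.
dir_chain() {
    # $1 = absolute file path
    p=$(dirname "$1")
    chain=""
    while [ "$p" != "/" ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '/\n%s' "$chain"
}

# Write a constructed named.conf (same shape as the question's) to a temp file
# and print its path. This is sample input for the demo, not a real config.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
options {
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.test" {
    type master;
    file "/var/named/example.dns";
};
EOF
    printf '%s\n' "$f"
}

# Demo: resolve every file directive and show the permission chain for each.
conf=$(sample_conf)
echo "directory option: $(named_directory "$conf")"
resolve_log_files "$conf" | while read -r path; do
    echo "== $path"
    dir_chain "$path" | while read -r d; do
        ls -dl "$d" 2>/dev/null || echo "  (missing) $d"
    done
done
rm -f "$conf"
```

Reading the output: for the question's channel, the chain is /, /var, /var/named and /var/named/data. The named user needs the search bit on each of those (satisfied by the root:named 0750 on /var/named and named:named 0770 on /var/named/data shown in the question) and write on the last one to create named.run, which is why an EACCES on `stat("data/named.run")` from a process that is not running as that user, or whose cwd is not /var/named, is consistent with both answers.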
