Quick-Tip: Permission Denied error on secondary DNS server

by Frank Wiles

I like to consider myself a DNS/BIND expert, but it just goes to show that you can learn something new every day. I set up my secondary DNS servers for both revsys.com and my personal domain in the way that I always have. But I noticed that the secondary was consistently getting the following error:

transfer of 'revsys.com/IN' from 69.44.154.136#53: failed while receiving responses: permission denied

From this error I assumed that my master (aka primary) server was not set up correctly to allow transfers from the secondary. This is normally done with the following configuration option:

allow-transfer { 192.168.0.2; };

Where 192.168.0.2 is the IP address of the secondary (slave) DNS server.

I double-checked this configuration on the master to make sure it was there and that I had not done something dumb like typo the IP address. On the surface everything seemed to be perfectly set up, but I was still getting the error.

Eventually I realized that the error was not a permission denied error from the remote master server, but from the local DNS server. The error turned out to be a file permission error in the default layout of BIND on a Fedora Core system.

Around the time of Fedora Core 3 the default configuration for BIND was changed to chroot the daemon into its own filesystem space to help avoid and contain any security breaches. This is a great feature.

To fix your permission denied error on your secondary or slave DNS server all you need to do is change the permissions of your data directory to include group write permissions. On my system that directory is /var/named/chroot/var/named/. You can do this with a simple:

chmod 775 /var/named/chroot/var/named

or

chmod g+w /var/named/chroot/var/named

It should be noted that you will only run into this error on a secondary or slave DNS server if you have the secondary store its slave information in a file. This happens when a slave is configured like this:

zone "example.com" IN {
    type slave;
    file "secondary-example.com";
    masters { 192.168.0.1; };
};

Another option, that in many ways is more correct on a Fedora Core system, is to store your secondary zone files in the slaves/ directory. This directory is in /var/named/chroot/var/named/ and already has the proper permissions for you. So instead of file "secondary-example.com"; you would simply say file "slaves/secondary-example.com";.

Hopefully this shows you how to resolve this particular error. These suggestions have been tested on Fedora Core 3 and Core 4. If you find any errors or have any suggestions regarding this information please feel free to E-mail me at frank@revsys.com.