Permissions

rndc delzone {zonename}: permission denied

  • December 11, 2015

The system is:

Debian GNU/Linux 8.2 (jessie)

BIND 9.9.5-9+deb8u3-Debian (Extended Support Version)

named.conf.options:

options {
   directory "/var/cache/bind";
   key-directory "/etc/bind/keys";

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable 
   // nameservers, you probably want to use them as forwarders.  
   // Uncomment the following block, and insert the addresses replacing 
   // the all-0's placeholder.

   // forwarders {
   //  0.0.0.0;
   // };

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================
   dnssec-enable yes;
   dnssec-validation yes;
   dnssec-lookaside auto;
   dnssec-dnskey-kskonly yes;
   sig-validity-interval 21 16;
   inline-signing yes;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };

   // permit lookup of unknown dns names
   recursion no;

   // allow dynamically new zones
   allow-new-zones yes;
};

The memory file /var/cache/bind/3bf305731dd26307.nzf has the permissions 0744 and is owned by bind:bind

Everything works as expected, I can add zones, get stats, load keys and everything - except:

rndc delzone {ZoneName}

If I trigger this command (as root in the console), I get rndc: 'delzone' failed: permission denied

Nothing shows up in the logs..

I'm really stuck here - does anyone know why this permission error occurs?

The problem was that I was modifying the original memory file /var/cache/bind/3bf305731dd26307.nzf

After rndc addzone I deleted all entries after my own file structure, which is included in named.conf. After rndc reload, when the entry was no longer in the original memory file, the zone could not be deleted via rndc delzone. To get the permission back, the configuration string of the zone file has to be in the original memory file /var/cache/bind/3bf305731dd26307.nzf when rndc reload is triggered. It seems bind needs this internally..

So, as the contents of /var/cache/bind/3bf305731dd26307.nzf themselves say - do not edit this file manually, only via rndc.

Quoted from: https://serverfault.com/questions/742351
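As an added example (not code from the question or the answer above), a small Python check that reads an .nzf file and a named.conf fragment and reports whether a given zone is one that rndc delzone can remove. The file contents and zone names are constructed, and the .nzf layout assumed is BIND 9.9's: a header comment followed by one zone statement per line.

```python
import re

# Constructed sample contents of a BIND 9.9 .nzf file (not the asker's real
# file): a header warning and one 'zone' statement per addzone-managed zone.
SAMPLE_NZF = """\
# New zone file for view: _default
# This file contains configuration for zones added by
# the 'rndc addzone' command. DO NOT EDIT BY HAND.
zone "dyn-one.example" { type master; file "/var/cache/bind/dyn-one.example.db"; };
zone "dyn-two.example" { type master; file "/var/cache/bind/dyn-two.example.db"; };
"""

# Constructed named.conf fragment: a zone configured statically, not via addzone.
SAMPLE_NAMED_CONF = """\
zone "static.example" {
    type master;
    file "/etc/bind/db.static.example";
};
"""

# Matches the start of a zone statement in either file; BIND writes the .nzf
# one statement per line, while named.conf statements may span several lines.
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.MULTILINE)


def zone_names(config_text):
    """Zone names declared in a BIND config fragment, normalised for comparison."""
    return {name.lower().rstrip(".") for name in ZONE_RE.findall(config_text)}


def delzone_status(zone, nzf_text, named_conf_text):
    """Predict whether 'rndc delzone' can remove `zone`, and if not, why.

    Only zones recorded in the .nzf file were added with 'rndc addzone' and
    are deletable that way; a zone whose line was removed from the .nzf by
    hand is exactly the 'permission denied' case described in the answer.
    """
    z = zone.lower().rstrip(".")
    if z in zone_names(nzf_text):
        return "ok"
    if z in zone_names(named_conf_text):
        return "static: configured in named.conf, not added with rndc addzone"
    return "missing: not recorded in the .nzf file (edited by hand?)"


if __name__ == "__main__":
    for name in ("dyn-one.example", "static.example", "gone.example"):
        print(name, "->", delzone_status(name, SAMPLE_NZF, SAMPLE_NAMED_CONF))
```

Run it against the real /var/cache/bind/*.nzf before calling rndc delzone to see whether the zone is still tracked, without touching the file.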