Subject: named AXFR problem if -u daemon
To: None <netbsd-help@netbsd.org>
From: James K. Lowden <jklowden@schemamania.org>
List: netbsd-help
Date: 11/03/2001 18:08:54
Hi all, 

My little DNS is trying to be a slave for the first time and is having
trouble transferring the domain information from its master.  I
figured out why; my question concerns what the right fix is.  I'm
running NetBSD 1.4.2, but as far as I can tell it would be the same in
-current.  

My rc.conf has a line:

	named=YES     named_flags="-u daemon -w /etc/namedb"
and in /etc/namedb/named.conf, I have a section that looks like this:

	zone "EquateJobs.com" {
		type slave;
		masters {
			64.81.195.112;
		};
	};

When I HUP the process, I get complaints about permissions.  If I run
named as root, the transfer works.  But I don't want to run it as
root, do I?  Here's the symptom:

bash-2.04# tail /var/log/messages
Nov  3 15:16:48 home named[174]: reloading nameserver
Nov  3 15:16:48 home named[174]: couldn't create pid file '/var/run/named.pid'
Nov  3 15:16:48 home named[174]: Ready to answer queries.
Nov  3 15:16:48 home named-xfer[6256]: can't make tmpfile (NsTmp174.0.06256a): Permission denied 
Nov  3 15:17:05 home named[174]: unapproved AXFR from [127.0.0.1].65334 for "equatejobs.com" (not master/slave)

Thinking about tmpnam, I thought I could probably find that message. 
Sure enough, it's in 

http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/dist/bind/bin/named-xfer/named-xfer.c?rev=1.4&content-type=text/x-cvsweb-markup

where you'll find:

        /* tmpname is now something like "/etc/named/named.bu.db.XXXXXX" */
        if ((dbfd = mkstemp(tmpname)) == -1) {
                perror(tmpname);
                if (!quiet)
                        syslog(LOG_ERR, "can't make tmpfile (%s): %s\n",
                               tmpname, strerror(errno));
                exit(XFER_FAIL);
        }

(I'm guessing that named isn't using /tmp for security reasons.)

That comment looked suspicious, so I set the owner of /etc/namedb to
"daemon" and bingo! the problem went away.  

Is that what I'm *supposed* to do?  

(I think the "couldn't create pid file" message is specious.  I think
NetBSD creates /var/run/named.pid, owned by root, and later named
comes along and tries to do the same thing as daemon.)  

Is this the sort of thing that merits a problem report?  I'm still
trying to learn the spirit of these things.  

Thanks and regards, 

--jkl
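An added example, not part of the post and not NetBSD's or BIND's code: a small sh check for the requirement behind the "can't make tmpfile" error, namely that the account given to -u can create files (write plus search bits) in the directory given to -w, where named-xfer's mkstemp() places the transferred zone. The function names are my own; the check reads permission bits only, so it answers the same whether run as root or not.

```shell
#!/bin/sh
# Added example: does the user named runs as (-u) have create rights in the
# zone directory (-w)?  mkstemp() in named-xfer needs w+x on that directory.
# Decides from the permission bits shown by ls -ld, so running it as root
# does not mask the problem the daemon user would hit.

# can_create_in USER DIR: 0 if USER may create files in DIR, 1 if not,
# 2 on bad arguments.  Prints the reasoning either way.
can_create_in() {
    nx_user=$1
    nx_dir=$2
    [ -d "$nx_dir" ] || { echo "$nx_dir: not a directory"; return 2; }
    nx_groups=$(id -Gn "$nx_user" 2>/dev/null) ||
        { echo "$nx_user: no such user"; return 2; }

    # ls -ld prints "mode links owner group ..." on both BSD and GNU
    set -- $(ls -ld "$nx_dir")
    nx_mode=$1 nx_owner=$3 nx_group=$4

    # Pick the permission triplet that applies to USER: owner, group or other
    if [ "$nx_owner" = "$nx_user" ]; then
        nx_who=owner
        case $nx_mode in ??w[xs]*) nx_ok=1 ;; *) nx_ok=0 ;; esac
    elif in_list "$nx_group" $nx_groups; then
        nx_who=group
        case $nx_mode in ?????w[xs]*) nx_ok=1 ;; *) nx_ok=0 ;; esac
    else
        nx_who=other
        case $nx_mode in ????????w[xt]*) nx_ok=1 ;; *) nx_ok=0 ;; esac
    fi

    if [ "$nx_ok" = 1 ]; then
        echo "$nx_dir ($nx_mode $nx_owner:$nx_group): $nx_user may create files as $nx_who"
        return 0
    fi
    echo "$nx_dir ($nx_mode $nx_owner:$nx_group): $nx_user cannot create files ($nx_who bits lack w+x)"
    return 1
}

# in_list NEEDLE WORD...: true if NEEDLE equals one of the WORDs
in_list() {
    nx_needle=$1; shift
    for nx_w in "$@"; do [ "$nx_w" = "$nx_needle" ] && return 0; done
    return 1
}

# Usage matching the post's named_flags:  sh check.sh daemon /etc/namedb
if [ $# -eq 2 ]; then can_create_in "$1" "$2"; fi
```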