
Re: DNS/apparmor problem



On Tue, 14 Aug 2012 09:55:01 -0600, Glenn English wrote:

> On Aug 14, 2012, at 9:03 AM, Camaleón wrote:

(...)

>> Debian does not ship AA by default and even if so, no profile is
>> enabled so I would discard a problem coming from here (unless, of
>> course, you did something that triggered the AA installation which
>> enabled a profile...).
> 
> It isn't, but a folder and a file got installed in /etc somehow.

Mmm... the file seems to be coming from bind9 package itself so I wouldn't 
bother and while AA is not installed/executed, there should be no problem.

>> Mmm, master, slave and zone transfers between them?
> 
> Frequently.

Then the error could be generated by this. Are the bind9 logs holding 
more data or just the succinct message you posted before?
 
>> If there's any
>> interrelation between both servers it can be indeed an "out of sync"
>> timing issue (remember the error started with "refresh:" operation).
> 
> I try to keep an eye on them to see if they get out of sync.

The "refresh" is very suspicious.

>> Is the time of both servers accurately set (e.g., by means of nntpd)?
> 
> Yes. There's a dedicated NTP server on the DMZ to sync all the clocks in
> my nets. (I live in Boulder County, USA, so NIST is just down the street
> -- I have a 10 or 20 ms latency to their atomic clocks.)

Then time should be fine.

>>> I edited the AppArmor profile file, but after the errors.
>> 
>> Uh? What AA profile? :-?
> 
> /etc/apparmor.d/use.sbin.named:

(...)

I would forget about this file (also AA) as it seems to be normal to have 
it installed and there's no other trace of AA in your system. Also, if 
you edited something, restore to its defaults.

Greetings,

-- 
Camaleón

