
Re: (should be) simple bind problem [possibly solved]

Glenn English wrote:
> apparmor.

Ah!  I would not have thought of that one.

> In the recent Debians (Wheezy++, I think), there is a directory
> /etc/apparmor.d. In there is a file called user.sbin.named. That

Yes.  But it isn't enabled by default.  On a recently installed Debian
Jessie 8 system:

  $ dpkg -l | grep apparmor
  $ 

Usually nothing is installed to start it.  Perhaps something you
installed pulled it in as a dependency?  Looking, I see one of my
systems has libapparmor1 but it is still not enabled.  So the presence
of that one library would not be enough to start it.

> After reboot, and after waiting a few minutes, there are no new
> permission error entries in the log. I realize this is kind of
> far-fetched, seeing how there was no apparmor startup in init.d, but
> this has been making me crazy, and I've tried many things that
> should have fixed it, so I'd do anything.

I really don't know very much about apparmor.

> I found a note in the Debian wiki saying apparmor is installed by
> default on Wheezy and that it's started by GRUB. That might explain
> why I didn't find anything in init.d.

I don't see it installed by default on the recently installed Jessie 8
system here.  Just a data point.  I wouldn't be surprised to find that
something else (GNOME for example?) might pull it in as a dependency.

> I don't know when Bind slaves try to update the mod times on their
> zone files, but I'm pretty sure the master sends out refreshes to
> the slaves when the master restarts, so I restarted the master. Lots
> of entries in ns2's log about receiving notifies, but no permission
> errors.

Everything depends upon the DNS zone serial number.  When the master
restarts it will send a notify.  The slaves will get the notify and
check the serial number against their cached copy.  If the serial
number is the same or older then nothing further happens.  If the
serial number is newer than their cached copy they will request a
scheduled zone transfer.  It won't happen immediately to prevent a
storm of activity all at once synchronized by the notify.  But within
a randomized short time a scheduled zone transfer will then occur.

Bob
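The NOTIFY/serial logic Bob describes above, written out as a small model of the slave side (this is an added illustration, not code from the thread or from BIND). The serial comparison uses RFC 1982 serial-number arithmetic so that a serial that has wrapped around 2^32 still counts as newer; the 1..30 second jitter window is an assumption chosen for the example, not BIND's actual timer, and the per-slave names are constructed.

```python
"""Model of how a secondary (slave) reacts to a NOTIFY from the master.

Constructed example: the slave compares the master's SOA serial with its
cached copy and either ignores the NOTIFY or schedules a zone transfer
after a randomized delay, so that many slaves do not all transfer at the
same instant.
"""
import random

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials are unsigned 32-bit
HALF = 1 << (SERIAL_BITS - 1)   # RFC 1982 comparison threshold


def serial_is_newer(candidate, reference):
    """RFC 1982 serial arithmetic.

    candidate is 'newer' than reference iff (candidate - reference) mod 2^32
    lies strictly between 0 and 2^31.  Equal serials are not newer, and a
    serial that wrapped past 0xFFFFFFFF still compares as newer.
    """
    diff = (candidate - reference) % MOD
    return 0 < diff < HALF


def decide_on_notify(master_serial, cached_serial, rng):
    """Return (action, delay_seconds) for one slave.

    'ignore' when the master's serial is the same or older than the cache;
    otherwise 'schedule_axfr' with a random delay in an assumed 1..30 s
    jitter window (the real BIND window is not given in the thread).
    """
    if not serial_is_newer(master_serial, cached_serial):
        return ("ignore", 0)
    return ("schedule_axfr", rng.randint(1, 30))


def simulate_notify(master_serial, slave_caches, seed=0):
    """Feed one NOTIFY to every slave and return {name: (action, delay)}.

    slave_caches maps a constructed slave name to its cached serial.  A
    fixed seed keeps the randomized delays reproducible for the reader.
    """
    rng = random.Random(seed)
    return {name: decide_on_notify(master_serial, cached, rng)
            for name, cached in slave_caches.items()}


if __name__ == "__main__":
    # Constructed scenario: master restarted with serial 2015060102;
    # ns2 is current, ns3 is one serial behind, ns4 has a pre-wrap serial.
    result = simulate_notify(
        2015060102,
        {"ns2": 2015060102, "ns3": 2015060101, "ns4": 0xFFFFFFF0},
    )
    for name, (action, delay) in sorted(result.items()):
        print(f"{name}: {action} (delay {delay}s)")
```

Run as a script it prints one line per slave; ns2 ignores the NOTIFY because its serial matches, while the others schedule a transfer at different randomized delays. That spread is the "no storm" property Bob refers to: the NOTIFY synchronizes the slaves' checks, but the transfers themselves are staggered.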
