Re: (should be) simple bind problem [possibly solved]

To: debianUsers <debian-user@lists.debian.org>
Subject: Re: (should be) simple bind problem [possibly solved]
From: Glenn English <ghe@slsware.net>
Date: Wed, 27 May 2015 14:00:07 -0600
Message-id: <[🔎] 5F1AB695-7C98-47CB-87EE-8F588E440D3A@slsware.net>
In-reply-to: <[🔎] 20150527123700075697095.NoCcsPlease@bob.proulx.com>
References: <[🔎] 8390D5F5-4450-498D-A25A-5DA5C16F1883@slsware.net> <[🔎] 20150521153339683383957.NoCcsPlease@bob.proulx.com> <[🔎] 690A8994-2A57-4851-9450-67EE863EA581@slsware.net> <[🔎] 20150525003502073673559.NoCcsPlease@bob.proulx.com> <[🔎] 1F3AFF71-02E5-4925-8C8F-06114A8EC768@slsware.net> <[🔎] 160CE3F4-DC1F-44AD-9B84-0AF15A714606@slsware.net> <[🔎] 20150527123700075697095.NoCcsPlease@bob.proulx.com>

On May 27, 2015, at 12:43 PM, Bob Proulx <bob@proulx.com> wrote:

> Ah!  I would not have thought of that one.

I didn't consider apparmor either. Saw a mention of it on an Ubuntu site.

> Yes.  But it isn't enabled by default.  

I really don't think it is either. But simply renaming that file in the config directory and rebooting fixed the problem. Something's doing something somewhere.

> Usually nothing is installed to start it.  Perhaps something you
> installed pulled it in as a dependency?  Looking I see one of my
> systems has libapparmor1 but it is still not enabled.  So the presense
> of that one library would not be enough to start it.

I don't know; dependency's always a possibility. But these are servers, so they're pretty lean. 

I did everything I knew of, and many I didn't. I swear apparmor isn't on these machines. There's nothing in init.d, nothing in man, and BASH says the apparmor utilities don't exist. But the config info exists. And it's in the kernel.

> I don't see it installed by default on the recently installed Jessie 8
> system here.  Just a data point.  I wouldn't be surprised to find that
> something else (GNOME for example?) might pull it in as a dependency.

We don't do GNOME. XFCE's might have, but I doubt it.

> Everything depends upon the DNS zone serial number.  When the master
> restarts it will send a notify.  The slaves will get the notify and
> check the serial number against their cached copy.  If the serial
> number is the same or older then nothing further happens.  

I think BIND might change the mod time of the zone file to reflect that it got a transfer, even if nothing changed.

> But within
> a randomized short time a scheduled zone transfer will then occur.

Yup. That's why I waited overnight to proclaim the nasty fixed. 

I just went into one of the master zone files, added a char to it (and upped the serial), and restarted the master. The transfer of the changed zone file was logged by the slave server, but no error of any kind. The slave zone file has the updated serial and the change I made. All the slave zones files are dated today.

I claim it's fixed. I'll be watching the DNS logs for a few days, though, just to be sure.

-- 
Glenn English

Reply to:

References:
- (should be) simple bind problem
  - From: Glenn English <ghe@slsware.net>
- Re: (should be) simple bind problem
  - From: Bob Proulx <bob@proulx.com>
- Re: (should be) simple bind problem
  - From: Glenn English <ghe@slsware.net>
- Re: (should be) simple bind problem
  - From: Bob Proulx <bob@proulx.com>
- Re: (should be) simple bind problem
  - From: Glenn English <ghe@slsware.net>
- Re: (should be) simple bind problem [possibly solved]
  - From: Glenn English <ghe@slsware.net>
- Re: (should be) simple bind problem [possibly solved]
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: Re: mysterious cruft output on Jessie amd64
Next by Date: Re: mysterious cruft output on Jessie amd64
Previous by thread: Re: (should be) simple bind problem [possibly solved]
Next by thread: Cups Problem: cups-ipp-missing-send-document
Index(es):
- Date
- Thread