I’m slowly migrating the various services running on my old server (running Fedora Core 3, 32-bit) to a new dual Opteron server (FC5, 64-bit).
In general, moving email services is causing the most hassle, because in the process I’m converting from Qmail to Postfix. However, I’m finding various little gotchas with almost everything I move over.
For instance, I just migrated my DNS name server. Both machines are running ISC Bind 9, so I thought it should be a piece of cake. I did try to clean up the configuration and the file organization a bit in the process, and the new machine is running named in a chroot jail, but I still didn’t expect to have to change much. In theory, there’s not much difference between theory and practice, but in practice there’s a lot.
Actually I didn’t have to change very much. The trick was figuring out what to change. The syslog was showing no indication that the master zones were being loaded, though it did show zone transfers for the slave zones. With debugging cranked up, it showed that it was trying to load the master zones, but getting “permission denied” errors. (It seems to me that those are serious enough that they should always be logged, not just when the debug level is cranked up.)
It took me several hours to track this down and fix it. The permissions looked OK. The files were owned by root, and had 644 permissions (world and group readable), so bind should have been able to read them even running as a non-root user in the chroot jail.
I tried changing the paths in the configuration files from relative to absolute (within the chroot), and that didn’t help any, so I changed them back.
What finally tipped me off was that I tried moving one of the zone files from its subdirectory into the /var/named directory (inside the chroot), and then it loaded that zone file OK. I’d created the subdirectories as root, and apparently my umask must have been strange, because the permissions were 744 (group and world execute permissions off). In Linux and Unix, the execute permission on a directory controls whether a process may look up (search) names in that directory, so a world-readable 644 file is still unreachable to a non-root daemon if any directory above it lacks that bit; a more typical directory permission would be 755. Changing this made bind happy.
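Because the symptom (a 644 file that named still can’t read) hides the real cause (a 744 directory above it), it helps to check the whole path rather than just the file. The script below is an added example, not code from the original post: it walks every directory on the way to a zone file and reports any component that denies the search (execute) bit to “others”, which is the right test for a root-owned file read by an unprivileged daemon that is not in the file’s group. The chroot layout and the `example.zone` name are illustrative; the demo builds its own scratch tree.

```sh
#!/bin/sh
# Added example (not from the original post): verify that a zone file is
# reachable by an unprivileged daemon such as named. A 644 file is useless
# if any directory above it lacks the "x" (search) bit for others, which is
# exactly the 744-directory problem described above.

# 10-character mode string of a path, e.g. "drwxr--r--" (portable: uses ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_zone_path FILE
# Returns 0 if FILE is world-readable and every directory on the way to it
# is searchable by "others"; otherwise prints each offending entry and
# returns 1. Checking "others" mirrors a daemon that neither owns the files
# nor shares their group (root-owned, 644, as in the post).
check_zone_path() {
    _file=$1
    _status=0

    # The file itself: the 8th character is the "others read" bit.
    _fmode=$(mode_of "$_file")
    case $_fmode in
        ???????r??) ;;
        *) echo "not world-readable: $_file ($_fmode)"; _status=1 ;;
    esac

    # Every ancestor directory: the 10th character is the "others execute"
    # bit ("x", or "t" when the sticky bit is also set, as on /tmp).
    _dir=$(dirname "$_file")
    while [ "$_dir" != "/" ] && [ "$_dir" != "." ]; do
        _dmode=$(mode_of "$_dir")
        case $_dmode in
            *x|*t) ;;
            *) echo "no search permission for others: $_dir ($_dmode)"; _status=1 ;;
        esac
        _dir=$(dirname "$_dir")
    done
    return $_status
}

# Demonstration on a constructed scratch tree mimicking the chroot layout.
demo() {
    scratch=$(mktemp -d /tmp/zonecheck.XXXXXX)
    mkdir -p "$scratch/var/named/master"
    # mktemp and a strict umask can produce 700 dirs; make the parents sane.
    chmod 755 "$scratch" "$scratch/var" "$scratch/var/named"
    zone="$scratch/var/named/master/example.zone"
    echo '; constructed zone file' > "$zone"
    chmod 644 "$zone"

    chmod 744 "$scratch/var/named/master"   # the mistake: no x for group/world
    check_zone_path "$zone" || echo "-> named would get 'permission denied'"

    chmod 755 "$scratch/var/named/master"   # the fix
    check_zone_path "$zone" && echo "-> OK: $zone is reachable"

    rm -rf "$scratch"
}

demo
```

Run it as any user; it only inspects mode bits, so it gives the same answer whether or not you are root (unlike a plain `test -r`, which always succeeds for root and would have hidden this problem). The same walk applies to the chroot directory itself, so pass the path as the daemon sees it from the host, e.g. the full `/var/named/chroot/...` path.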