On Fri, 15 Aug 2025, Jo Rhett via FreeIPA-users wrote:
It’s probably specific to the bind chroot. Bind is usually chrooted to 
/var/named/... so anything in /var/log would be outside the chroot.

Correct. The bind build in Fedora and RHEL is made to allow both
chrooted and non-chrooted bind deployments and we have to follow the
common configuration logic.


On Aug 15, 2025, at 11:52 AM, Rob Crittenden via FreeIPA-users 
<[email protected]> wrote:

Ian Pilcher via FreeIPA-users wrote:
I am experiencing sporadic DNS failures on my Fedora 42-based FreeIPA
server on my home network, and I've been digging into the BIND logging
configuration to try to figure out what is going on.

The main BIND logging configuration seems to come from
/etc/named/ipa-logging-ext.conf.  I have no memory of creating this
file, but it also doesn't seem to be part of any RPM.

Was this file created by the FreeIPA installer?  (If not, ignore the
next question.)

Yes, the IPA server installer creates it. I suppose we should %ghost
that file in our spec.

Assuming that /etc/named/ipa-logging-ext.conf was created by the FreeIPA
installer (or it otherwise "comes from" FreeIPA), what is the reasoning
for putting all of the log files in /var/named/data, rather than some-
where under /var/log?

Disclaimer: I only know enough DNS to be dangerous. Take the following
with a grain of salt.

I think that traditionally /var/named/data was used for logs. In my days
as a sysadmin[1] that is where the named logs have always been. I think
that is the way that Fedora and RHEL are configured out-of-the-box.

The template for this custom logging file hasn't changed since it was
introduced in 2021 and it mentioned it follows recommendations from
https://kb.isc.org/docs/aa-01526

That is true for the settings but not for the log directory. Now maybe the
creator of the file just stuck with the rpm defaults since we know the
directory /var/named/data will exist whereas who knows about
/var/log/named. Maybe he'll chime in here.

I have /var/log on a separate filesystem, but that obviously doesn't
prevent my root filesystem being filled with DNS logs if those aren't
going into that location.

If I modify /etc/named/ipa-logging-ext.conf to put the BIND logs under
/var/log, rather than /var/named, am I going to break something?

I'm not aware of any issues with that beyond typical problems like
existence, permissions and SELinux. We don't seem to run bind in a
chroot so I think you'd be fine using absolute file names assuming the
rest is worked out.

rob

[1] My O'Reilly DNS and BIND book is from 1993. I'm afraid to see what
versions of bind it covers. It's been ages since anyone has trusted me
to run a DNS server.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
