BIND allows hosts to update their DNS records, and the corresponding zone files, dynamically. This is used when a host's IP address changes frequently and its DNS record must be modified in near real time.
Use the /var/named/dynamic directory for zone files you want updated via dynamic DNS. Files created in or copied into /var/named/dynamic inherit Linux permissions that allow named to write to them. Because such files are labeled with the named_cache_t type, SELinux also allows named to write to them. Both conditions must hold: a zone file with the right Linux permissions but the wrong SELinux type is still unwritable by named.
If a zone file in /var/named/dynamic is instead labeled with the named_zone_t type, dynamic DNS updates may appear to succeed for a time, because named records each update in the zone's journal before merging it into the zone file; the failure surfaces only when named attempts that merge. If the zone file is still labeled named_zone_t when the journal is merged, an error such as the following is logged to /var/log/messages:
named[PID]: dumping master file: rename: /var/named/dynamic/zone-name: permission denied
The following SELinux denial is also logged to /var/log/messages:
setroubleshoot: SELinux is preventing named (named_t) "unlink" to zone-name (named_zone_t)
To resolve this labeling issue, run the restorecon -R -v /var/named/dynamic command as the Linux root user. This resets every file under /var/named/dynamic to the type the SELinux file-context policy defines for that directory (named_cache_t), after which the pending journal can be merged.
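As an added example, not taken from the guide or from BIND, here is a small POSIX sh script that performs the checks a practitioner would run before and after restorecon: it flags files under /var/named/dynamic whose type is not named_cache_t, picks the two messages quoted above out of /var/log/messages, and wraps the restorecon command so it runs only when something was flagged. The function names, the --audit/--fix/--logs switches and the sample inputs are this example's own assumptions; ls -Z, grep and restorecon are the real tools.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit the SELinux types of the
# files under /var/named/dynamic and pick the two log lines the guide quotes
# out of /var/log/messages. The function names, the constructed sample input
# and the --audit/--fix/--logs switches are this example's own.

DYNAMIC_DIR="/var/named/dynamic"   # BIND's directory for dynamically updated zones
WANT_TYPE="named_cache_t"           # the type named (named_t) may write to and unlink

# find_mislabeled: read "ls -Z"-style lines on stdin (a security context such
# as system_u:object_r:named_zone_t:s0 somewhere on the line, the file name
# last) and print "<name> <type>" for every file whose type is not $WANT_TYPE.
# Returns 1 when at least one file was flagged, 0 when all are fine.
find_mislabeled() {
    found=0
    while read -r line; do
        [ -n "$line" ] || continue
        name=${line##* }                  # last field: file name (no spaces assumed)
        ctx=""
        for field in $line; do            # pick the user:role:type:level field
            case $field in *:*:*:*) ctx=$field; break ;; esac
        done
        [ -n "$ctx" ] || continue         # not a context line; skip it
        ftype=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$ftype" != "$WANT_TYPE" ]; then
            printf '%s %s\n' "$name" "$ftype"
            found=1
        fi
    done
    return $found
}

# log_label_denials: read syslog lines on stdin and print those matching the
# two messages named and setroubleshoot log when the journal merge is denied.
# Exit status is grep's: 0 if any line matched, 1 if none did.
log_label_denials() {
    grep -E -e "named\[[0-9]+\]: dumping master file: rename: $DYNAMIC_DIR/.*: permission denied" \
            -e "setroubleshoot: SELinux is preventing named \(named_t\) \"unlink\""
}

# fix_labels: reset every file under $DYNAMIC_DIR to its policy-defined type,
# which is the command the guide gives. Must run as root.
fix_labels() {
    restorecon -R -v "$DYNAMIC_DIR"
}

# Usage: sh check-dynamic-labels.sh --audit   list zone files not labeled named_cache_t
#        sh check-dynamic-labels.sh --fix     audit, then run restorecon if anything was flagged
#        grep named /var/log/messages | sh check-dynamic-labels.sh --logs
case "${1:-}" in
    --audit) ls -Z "$DYNAMIC_DIR" | find_mislabeled ;;
    --fix)   if ! ls -Z "$DYNAMIC_DIR" | find_mislabeled; then fix_labels; fi ;;
    --logs)  log_label_denials ;;
esac
```

Run it with --audit first: a zone file reported as named_zone_t is exactly the case the denial above describes, and --fix then applies the guide's restorecon command only when the audit flagged something. The --logs mode confirms after the fix that the rename and unlink messages have stopped appearing.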