On 10.05.2016 21:36, Александр Кириллов wrote:
>>> I'm also using ddns and have my zone files in
>>> /var/named/chroot/var/named/dynamic.
>> are you using DDNS in DualStack (IPv4 and IPv6 together) or do you
>> have only DHCP or DHCPv6 and not both?
>
> IPv4 only.
>

if a host has IPv4 only or IPv6 only this works fine, but when a host
has both - DualStack sometimes it works sometimes only one - can be
IPv4 or can be IPv6 works; and in /var/log/messages I get something like

    May 10 18:51:30 dnssrvr named[2526]: client 192.168.1.2#38618: view wkst: updating zone 'ddns.local/IN': update unsuccessful: WIN7HOST.ddns.local: 'name not in use' prerequisite not satisfied (YXDOMAIN)

for several times;

>> By default, SELinux prevents any role from modifying named_zone_t
>> files; this means that files in the zone database directory cannot be
>> modified by dynamic DNS (DDNS) updates or zone transfers.
>>
>> The Red Hat BIND distribution and SELinux policy creates three
>> directories where named is allowed to create and modify files:
>> /var/named/slaves, /var/named/dynamic /var/named/data. By placing files
>> you want named to modify, such as slave or DDNS updateable zone files
>> and database / statistics dump files in these directories, named will
>> work normally and no further operator action is required. Files in
>> these directories are automatically assigned the ’named_cache_t’ file
>> context, which SELinux allows named to write."
>
> That's probably why I have updateable zone files in chrooted
> /var/named/dynamic.
> Default targeted policy comes with necessary rules for chrooted bind. See
>
> # semanage fcontext -l | grep named_
>

I have them in /var/named/dynamic
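
Added example, not part of the original message or of BIND: a small triage script that groups the "prerequisite not satisfied" update failures quoted above by zone and host name, so repeated failures for one name arriving from more than one client address stand out. It assumes the log line format shown in the message; every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches named's failed-update line in the form quoted in the message above.
FAILED_UPDATE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9A-Fa-f.:]+)#\d+: "
    r"(?:view (?P<view>\S+): )?"
    r"updating zone '(?P<zone>[^']+)': update unsuccessful: "
    r"(?P<name>[^\s:]+): '(?P<prereq>[^']+)' prerequisite not satisfied "
    r"\((?P<rcode>[A-Z]+)\)"
)

def failed_updates(lines):
    """Group failed-prerequisite updates by (zone, lowercased host name)."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "rcodes": set()})
    for line in lines:
        m = FAILED_UPDATE.search(line)
        if not m:
            continue  # not a failed dynamic update
        entry = summary[(m["zone"], m["name"].lower())]  # DNS names are case-insensitive
        entry["count"] += 1
        entry["clients"].add(m["client"])
        entry["rcodes"].add(m["rcode"])
    return dict(summary)

def repeated(summary, threshold=2):
    """Names whose updates failed at least `threshold` times."""
    return sorted(k for k, v in summary.items() if v["count"] >= threshold)

# First entry is the line from the message; the rest are constructed samples.
_T = ("May 10 {t} dnssrvr named[2526]: client {c}: view wkst: updating zone "
      "'ddns.local/IN': update unsuccessful: {n}: 'name not in use' "
      "prerequisite not satisfied (YXDOMAIN)")
SAMPLE_LOG = [
    _T.format(t="18:51:30", c="192.168.1.2#38618", n="WIN7HOST.ddns.local"),
    _T.format(t="18:51:31", c="192.168.1.2#38619", n="WIN7HOST.ddns.local"),
    _T.format(t="18:52:02", c="2001:db8::2#40112", n="win7host.ddns.local"),
    _T.format(t="18:53:10", c="192.168.1.2#38700", n="LAPTOP1.ddns.local"),
    "May 10 18:53:11 dnssrvr named[2526]: zone ddns.local/IN: sending notifies",
]

if __name__ == "__main__":
    result = failed_updates(SAMPLE_LOG)
    for zone, name in repeated(result):
        e = result[(zone, name)]
        print(zone, name, e["count"], sorted(e["clients"]), sorted(e["rcodes"]))
```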