Zone transfer, could not set file modification time / permission denied - Proxmox / Ubuntu 12LTS / Virtualmin


We have 2 containers on a Proxmox host system, each Ubuntu V12 LTS + Virtualmin/Webmin latest.
VM1 and VM2 are set up with BIND - vice versa master/slave.

Zone transfers do work if BIND is stopped and started again or if you do a system reboot.
If a zone file is altered, the master notifies the slave, but I get a permission denied error in daemon.log on the slave machine:

zone refresh:
could not set file modification time of ‘/var/lib/bind/’: permission denied

The owner for zone files (user:group) is set to root:bind (BIND, Module Config, zone file options).
I changed group/owner to root:bind on the slave /var/lib/bind - did not help.

Are there special permission requirements for /var/lib/bind and /etc/bind?

Has anybody encountered the same problems?
Any hints?

Thanks in advance!

The ownership for the hosts files in /var/lib/bind should be “bind:bind”, at least that’s what they are on my Ubuntu systems.

I recall similar issues a while ago, which I solved by changing the default ownership for new zones in the Webmin config to “bind:bind” (Webmin -> Servers -> BIND -> Module Config -> Zone file options -> “Owner for zone files”). Existing zone files you need to “chown” manually.

Thanks Locutus,
I chowned the /var/lib/bind directories but still the same error.

The only thing I did not test yet is setting permissions to 777 (now 775).
I set up RNDC again, checked the Webmin Servers Index/BIND Cluster Slave Servers, changed the owner for zone files, …

I’m clueless and grateful for every tip!


You wouldn’t want to set those files to 777, because then any user on the system can modify them, since everyone has access to /var/lib/bind.

Please make sure that all the files in /var/lib/bind have “bind:bind” as owner, and that they get re-created with that owner when the slave updates the zone.

You should not require RNDC for a simple zone update (after it was changed on the master), because that’s something the BIND instances on both servers do by themselves thru the DNS protocol.

Also, I just noticed in your initial post you said that you found the errors in “daemon.log”. I’m sorry, but I’m not familiar with that logfile on an Ubuntu system. :) Is it specifically from BIND? Or did you mean the syslog file?

Hello Locutus,

it took a while - but now the zone transfer works!
Setting the owner to “bind:bind” did it.

Thanks a lot!

PS: daemon.log is the BIND logfile in /var/log
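
A read-only check for the state the replies above describe, added here as an example and not part of the original thread: it lists anything under the zone directory that is not owned by bind:bind or that is world-writable. The function name audit_zone_dir is hypothetical, the defaults are the path and owner named in the thread, and GNU stat is assumed.

```sh
# Added example: audit a BIND zone directory for the ownership and mode
# problems discussed in this thread. audit_zone_dir is a hypothetical helper;
# the defaults (/var/lib/bind, bind:bind) are the values from the thread.
# Requires GNU stat (as shipped with Ubuntu).
audit_zone_dir() {
    local dir="${1:-/var/lib/bind}"
    local want="${2:-bind}:${3:-bind}"
    local report

    report=$(
        # Check the directory itself too: named has to create and touch files in it.
        find "$dir" \( -type f -o -type d \) -exec stat -c '%U:%G %a %n' {} + |
        while read -r owner mode path; do
            if [ "$owner" != "$want" ]; then
                echo "OWNER $path is $owner, expected $want"
            fi
            # A final octal digit of 2, 3, 6 or 7 has the world-write bit set.
            case "$mode" in
                *[2367]) echo "WORLD-WRITABLE $path has mode $mode" ;;
            esac
        done
    )

    # Non-zero exit status when anything was reported, so it can gate a script.
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Called with no arguments on the slave, it checks /var/lib/bind against bind:bind and changes nothing.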