'successful' nsupdate of remote server not persistent across nameserver restart?

jasonsu at mail-central.com
Sun Apr 24 23:09:31 UTC 2016


I'm in over my head a bit on these details, so appreciate the help.

> The smoking gun is in the hand of systemctl ...

Hadn't thought of that, but not surprised to hear it.

I inherited this, and didn't yet monkey with systemd.  But I can as needed.

Here's the systemd unit file for named:

	cat named.service
		[Unit]
		Description=Bind9 DNS Server
		After=syslog.target network-online.target
		Before=named.target
		Wants=network-online.target

		[Service]
		ExecStartPre=/opt/sbin/bind-chroot.sh /var/chroot/named rebuild
		ExecStart=/opt/bind9/sbin/named -f -t "/var/chroot/named" -u named -c /etc/named.conf
		ExecReload=/opt/sbin/bind-chroot.sh /var/chroot/named reload
		ExecReload=/opt/bind9/sbin/rndc reload
		ExecStop=/opt/bind9/sbin/rndc stop
		ExecStopPost=/opt/sbin/bind-chroot.sh /var/chroot/named destroy
		ReadOnlyDirectories=/etc
		InaccessibleDirectories=/boot
		InaccessibleDirectories=/home

		[Install]
		WantedBy=multi-user.target

And here's the chroot setup script.  From the notes I did find, this was done specifically for this opensuse system.  I haven't set up a chroot on my own yet, but I do see the cp back & forth.  Wonder if something's missing ...

	cat /opt/sbin/bind-chroot.sh
		#!/bin/bash
		CHROOT="$1"

		build_chroot() {
			mkdir -p ${CHROOT}/dev
			mkdir -p ${CHROOT}/var/{run/named,log}
			mkdir -p ${CHROOT}/lib64/engines
			mkdir -p ${CHROOT}/etc
			mkdir -p ${CHROOT}/namedb/{master,slave,working}
			mkdir -p ${CHROOT}/keys/{managed-keys,DNSSEC}
			mkdir -p ${CHROOT}/includes
			mkdir -p ${CHROOT}/var/lib/GeoIP

			populate_chroot

			mknod -m 644 ${CHROOT}/dev/null    c 1 3
			mknod -m 644 ${CHROOT}/dev/random  c 1 8
			mknod -m 644 ${CHROOT}/dev/urandom c 1 9
			chown root:named  ${CHROOT}
			chmod 750 ${CHROOT}
			chown -R named:named ${CHROOT}/namedb/{master,slave,working}
			chown named:named ${CHROOT}/var/{run,log}
			chown named:named ${CHROOT}/var/run/named
			chmod 755 ${CHROOT}/var/run/named
			chmod 666 ${CHROOT}/dev/{null,random,urandom}
			chown -R named:named ${CHROOT}/dev
		}

		populate_chroot() {
			cp -a /opt/etc/named/includes/*         ${CHROOT}/includes/                    
			cp -a /opt/etc/named/keys/*             ${CHROOT}/keys/                        
			cp -a /opt/etc/named/named.{conf,cache} ${CHROOT}/etc/                         
			cp -a /opt/etc/named/namedb/*           ${CHROOT}/namedb/                      
			cp -a /opt/etc/named/rndc.key           ${CHROOT}/                             
			cp -a /var/lib/GeoIP/*                  ${CHROOT}/var/lib/GeoIP/               
			cp    /lib64/engines/libgost.so         ${CHROOT}/lib64/engines/ 
			cp    /etc/localtime                    ${CHROOT}/etc/                            
		}

		destroy_chroot() {
			cp -af ${CHROOT}/keys/DNSSEC/*          /opt/etc/named/keys/DNSSEC/
			cp -af ${CHROOT}/namedb/master/*.signed /opt/etc/named/namedb/master/
			cp -af ${CHROOT}/namedb/slave/*         /opt/etc/named/namedb/slave/
			umount --lazy ${CHROOT}/dev
			rm -rf ${CHROOT}
		}

		case "$2" in
			build)
				build_chroot
			;;
			destroy)
				destroy_chroot
			;;
			rebuild)
				destroy_chroot
				build_chroot
			;;
			reload)
				populate_chroot
			;;
			*)
			exit 1
			;;
		esac
		exit 0

At the moment I'm looking suspiciously at that

	ReadOnlyDirectories=/etc

Also need to re-read those^ comments about in-zone & out-of-zone ....

Fwiw, afaict the server's working fine otherwise.  I'm not seeing, well let's say not yet, any errors.

Jason


More information about the bind-users mailing list