Certbot rfc2136

Paul van der Vlis paul at vandervlis.nl
Mon Oct 25 21:02:57 UTC 2021


Hello,

I've made some progress..

On 24-10-2021 at 21:39, Paul van der Vlis wrote:
(...)
> I've tried to specify the "key-directory" in the bind configuration, but 
> when I do that I get an error during "rndc reload", so I cannot specify 
> a key-directory.  This is Bind 9.16.15 from Debian 11.
> 
> What am I doing wrong?

What I did wrong here was putting this key-directory option into the 
bind configuration (/etc/bind/named.conf). The correct place is in the 
zone, so I put it in the "rndc modzone" command. This works ;-)

But now I have the next problem:
------
Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400 
audit(1635193673.521:12): apparmor="DENIED" operation="mknod" 
profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 
comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Oct 25 22:27:53 ns1 named[343]: /etc/bind/zones/hallo24.nl.signed.jnl: 
create: permission denied
------

Hmm, maybe it's not a good idea for bind to change those static 
config files. What I would like is for bind to change only the temporary 
database in /var/cache/bind/ . Would that be possible?  Or do you 
have a better idea?

This is the rndc modzone command that I give at the moment:
------
rndc modzone hallo24.nl "{ type master; \
  file \"/etc/bind/zones/hallo24.nl.signed\"; \
  key-directory \"/etc/bind/keys\"; \
  allow-transfer { 91.198.178.25; 2a01:1b0:7999:424::25; 45.95.238.187; 2a10:3781:13b6::2; }; \
  update-policy { grant test3.hallo24.nl. name _acme-challenge.test3.hallo24.nl. txt; }; };"
------

With regards,
Paul van der Vlis

-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/
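The AppArmor denial above is named trying to create the zone's .jnl journal next to a zone file under /etc/bind, which Debian's named profile only lets it read. As an added example (not from the post), this script pulls the denied path out of such an audit line, checks it against the directory the profile does allow writes in (assumed to be /var/cache/bind), and builds the rndc modzone argument with the zone file relocated there; the allow-transfer list from the post is left out for brevity.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumption: the Debian AppArmor
# profile for named permits writes under /var/cache/bind but only reads
# under /etc/bind, so a dynamic zone's .jnl can only be created in the former.
WRITABLE_PREFIX=/var/cache/bind

# Pull the name="..." field out of an AppArmor "DENIED" audit line.
apparmor_denied_path() {
    printf '%s\n' "$1" | sed -n 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p'
}

# Return 0 if the path is somewhere named is allowed to create a journal.
zone_path_writable() {
    case "$1" in
        "$WRITABLE_PREFIX"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the rndc modzone argument for a dynamic zone, placing the zone file
# in the writable directory and keeping the TXT-only update-policy grant.
build_modzone_args() {
    zone=$1; keydir=$2; host=$3
    printf '{ type master; file "%s/%s.signed"; key-directory "%s"; update-policy { grant %s.%s. name _acme-challenge.%s.%s. txt; }; };' \
        "$WRITABLE_PREFIX" "$zone" "$keydir" "$host" "$zone" "$host" "$zone"
}

# Constructed sample: the audit line from the post joined onto one line.
SAMPLE_AUDIT='Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400 audit(1635193673.521:12): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107'

main() {
    p=$(apparmor_denied_path "$SAMPLE_AUDIT")
    if zone_path_writable "$p"; then
        echo "journal path $p is under $WRITABLE_PREFIX; the denial has another cause"
    else
        echo "journal path $p is outside $WRITABLE_PREFIX; move the zone file, e.g.:"
        echo "rndc modzone hallo24.nl '$(build_modzone_args hallo24.nl /etc/bind/keys test3)'"
    fi
}

main "$@"
```

Copy the existing signed zone file into /var/cache/bind before issuing the new modzone so named can load it from the new location.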

