Certbot rfc2136

Tue Oct 26 13:39:18 UTC 2021

> On 26 Oct 2021, at 21:23, Paul van der Vlis <paul at vandervlis.nl> wrote:
> 
> Hi Mark, and others,
> 
> Op 25-10-2021 om 23:58 schreef Mark Andrews:
>>> On 26 Oct 2021, at 08:02, Paul van der Vlis <paul at vandervlis.nl> wrote:
>>> 
>>> Hello,
>>> 
>>> I've made some progress..
>>> 
>>> Op 24-10-2021 om 21:39 schreef Paul van der Vlis:
>>> (...)
>>>> I've tried to specify the "key-directory" in the bind configuration, but when I do that I get an error during "rndc reload", so I cannot specify a key-directory.  This is Bind 9.16.15 from Debian 11.
>>>> What do I wrong?
>>> 
>>> What I did wrong here, is putting this key-directory option into the bind configuration (/etc/bind/named.conf). The correct place is in the zone, so I did put it in the "rndc modzone" command. This works ;-)
>> Well it can go in named.conf.  It needs to be in the options and/or view and/or zone sections.  This is documented.
> 
> OK..  Maybe it would work if I did put it in the options file.
> 
>>> But now I have a next problem:
>>> ------
>>> Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400 audit(1635193673.521:12): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
>>> Oct 25 22:27:53 ns1 named[343]: /etc/bind/zones/hallo24.nl.signed.jnl: create: permission denied
>>> ------
>>> 
>>> Hmm, maybe it's not a good idea that bind would change those static configfiles. What I would like, is that bind would change only temporary the database in /var/cache/bind/ . Would that be possible?  Or do you have a better idea?
>> It’s not named’s job to update SELinux or AppArmour. I suspect we would get complaints if we attempted to do that. Changing security policy is the job of the operator.
> 
> I know how to configure apparmor, my question is not about that.
> 
> My question is about what is a good way to implement rfc2136 in Bind.

Use DDNS with TSIG or SIG(0) as authentication.

> I guess it's not a good idea that Bind really changes the zone-files in /etc/bind using rfc2136 because /etc is for static configuration data. But maybe I am wrong.
> 
> Is it the way to go to update Apparmor to make Bind write in /etc/bind , or is there a better way?

The point of AppArmour is to prevent files being accidentally modified that shouldn’t be.  There is nothing special about /etc/bind except convention.  If all the files in there are to be modified by named change AppArmour to allow named to write to it otherwise put the zone file in a directory that is allowed to be updated.  There is nothing wrong with named modifying primary files if that is the intention.

> With regards,
> Paul van der Vlis.
> 
> -- 
> Paul van der Vlis Linux systeembeheer Groningen
> https://www.vandervlis.nl/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org