DNSSEC transition from manually signed zone to dnssec-policy "standard" failed

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Mon Jun 6 04:18:48 UTC 2022


Oops. A tutorial made me put dynamically updated zones in 
/var/cache/bind (see: https://wiki.debian.org/DDNS ), and it is now 
working. I could stop BIND, move the directories, and update 
named.conf.local ...

Probably I would feel safer if BIND were confined in an entirely separate 
namespace (at least unshare or a full-featured container), now that 
9.18.x is also running DNS-over-HTTPS ...

I see an Ubuntu 20.04 LTS Docker image here: 
https://hub.docker.com/r/internetsystemsconsortium/bind9; however, I am 
running Debian and I cannot afford a minute of downtime on our 
production systems. It would prevent people from using the Internet at all 
of our locations. Windows 10 just doesn't know how to use the second 
nameserver in the DHCP list if the first is not performing well. The system 
became unusable campus-wide ...

Mirsad

On 6/4/2022 12:36 PM, Bjørn Mork wrote:
> Mirsad Goran Todorovac <mirsad.todorovac at alu.unizg.hr> writes:
>
>> Apparently, AppArmor denied opening of the journal file in
>> /etc/bind/zones even when the directory had bind group write
>> permissions.
> Looking at the default policy in /etc/apparmor.d/usr.sbin.named in the
> Debian bind9 package, I see that /etc/bind/ only has read access:
>
>    # /etc/bind should be read-only for bind
>    # /var/lib/bind is for dynamically updated zone (and journal) files.
>    # /var/cache/bind is for slave/stub data, since we're not the origin of it.
>    # See /usr/share/doc/bind9/README.Debian.gz
>    /etc/bind/** r,
>    /var/lib/bind/** rw,
>    /var/lib/bind/ rw,
>    /var/cache/bind/** lrw,
>    /var/cache/bind/ rw,
>
>
> You can probably override this with a local policy, but I guess life is
> easier if you just go with the flow.  If you really want to use
> apparmor, that is...
>
>
> Bjørn

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
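As an added check (not code from this thread, from ISC or from the Debian package): a small Python script that parses a named.conf fragment and lists the dynamically updated zones whose zone file sits outside the directories the quoted AppArmor profile lets named write to, which is exactly where journal writes get denied. The sample configuration and the key name "ddns-key" are constructed.

```python
import re

# Directories that the Debian profile quoted above grants write access to
# (the "rw" / "lrw" globs); /etc/bind/** is read-only ("r").
APPARMOR_RW_DIRS = ("/var/lib/bind/", "/var/cache/bind/")

# Constructed sample named.conf.local: a static zone under /etc/bind (fine),
# a dynamic zone under /etc/bind (journal writes would be denied), and a
# dynamic zone under /var/lib/bind (allowed).  "ddns-key" is a made-up name.
SAMPLE_CONF = """
zone "static.example" { type master; file "/etc/bind/zones/db.static.example"; };
zone "dyn.example" {
    type master;
    file "/etc/bind/zones/db.dyn.example";
    allow-update { key "ddns-key"; };
};
zone "ok.example" {
    type master;
    file "/var/lib/bind/db.ok.example";
    update-policy { grant ddns-key zonesub ANY; };
};
"""


def parse_zones(conf):
    """Return [(zone_name, file_path, is_dynamic)] for every zone block.
    Brace depth is tracked so nested blocks such as allow-update { ... }
    do not end the zone early."""
    zones = []
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        f = re.search(r'file\s+"([^"]+)"', body)
        dynamic = re.search(r'\b(allow-update|update-policy)\b', body) is not None
        zones.append((m.group(1), f.group(1) if f else None, dynamic))
    return zones


def unwritable_dynamic_zones(conf, rw_dirs=APPARMOR_RW_DIRS):
    """Names of dynamic zones whose zone file (and therefore its .jnl
    journal, written next to it) lies outside every rw directory.
    Prefix matching approximates the profile's /dir/** globs."""
    return [name for name, path, dynamic in parse_zones(conf)
            if dynamic and path is not None and not path.startswith(rw_dirs)]
```

Run `unwritable_dynamic_zones(open("/etc/bind/named.conf.local").read())` on a real host to get the list of zones that need moving to /var/lib/bind before enabling dynamic updates under the default profile.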
