Master file permission denied

Daniel Armando Rodriguez drodriguez at unau.edu.ar
Wed Jun 28 18:44:04 UTC 2023



Before I describe the problem, I should mention that this incident started when I tried to enable DNSSEC. I understand that this may be unrelated, but everything was working correctly before.

I'm using Debian 11 and Bind 9.18 from backports

This is the current config:

# named-checkconf -px
options {
     directory "/var/cache/bind/";
     listen-on  {
         127.0.0.1/32;
         170.210.45.130/32;
     };
     listen-on-v6  {
         2800:110:44:6260::130/128;
     };
     querylog yes;
     transfers-in 20;
     transfers-per-ns 20;
     version "Info not currently available";
     allow-recursion {
         "localhost";
         ::1/128;
         170.210.0.0/16;
         2800:110:44:6260::/64;
     };
     auth-nxdomain no;
     recursion yes;
     allow-query {
         "any";
     };
     allow-transfer  {
         "none";
     };
     key-directory "/var/cache/bind/keys";
     masterfile-format text;
};
statistics-channels {
     inet 127.0.0.1 port 8053 allow {
         127.0.0.1/32;
     };
};
zone "10.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/db.empty";
};
zone "unau.edu.ar" {
     type primary;
     file "/etc/bind/zonas/db.unau.edu.ar";
     allow-query {
         "any";
     };
     allow-transfer  {
         170.210.45.131/32;
     };
     allow-update {
         "none";
     };
     also-notify {
         170.210.45.131;
     };
     serial-update-method increment;
};
zone "133.45.210.170.in-addr.arpa" {
     type primary;
     file "/etc/bind/zonas/133.45.210.170.in-addr.arpa";
     allow-transfer  {
         170.210.45.131/32;
     };
     also-notify {
         170.210.45.131;
     };
};
zone 
"3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa" 
{
     type primary;
     file 
"/etc/bind/zonas/3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa";
     allow-transfer  {
         170.210.45.131/32;
     };
     also-notify {
         170.210.45.131;
     };
};
zone "." {
     type hint;
     file "/usr/share/dns/root.hints";
};
zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};

File permissions

# ls -alh /etc/bind

-rw-r--r--   1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r--   1 root root  255 feb 26 06:27 db.0
-rw-r--r--   1 root root  271 jun 30  2017 db.127
-rw-r--r--   1 root root  237 jun 30  2017 db.255
-rw-r--r--   1 root root  353 jun 30  2017 db.empty
-rw-r--r--   1 root root  270 jun 30  2017 db.local
-rw-r--r--   1 root root 3,1K may  3  2019 db.root
-rw-r--r--   1 root bind  458 feb 26 06:27 named.conf
-rw-r--r--   1 root root 1,2K jun 28 15:06 named.conf.local
-rw-r--r--   1 root root 2,8K jun 27 17:44 named.conf.options
-rw-r-----   1 bind bind  144 may 17 13:51 rndc.key
drw-r-S---   2 bind bind 4,0K jun 28 14:55 zonas
-rw-r--r--   1 root root 1,3K jun 30  2017 zones.rfc1918

# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rwxr-xr-- 1 bind bind  394 ene 16 10:58 
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa
-rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar

Error messages

zone unau.edu.ar/IN: loading from master file 
/etc/bind/zonas/db.unau.edu.ar failed: permission denied
zone unau.edu.ar/IN: not loaded due to errors.

Named is running as the bind user.

I would be grateful for any enlightening ideas.

________________________________________________

  Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar [1]



Links:
------
[1] https://informatica.unau.edu.ar

