Oops. A tutorial made me put dynamically updated zones in /var/cache/bind (See: https://wiki.debian.org/DDNS ), and it is now working. I could stop the BIND, move directories, and update named.conf.local ...

Probably I would feel safer if BIND were confined in an entirely separate namespace (at least unshare or a full-featured container), now that 9.18.x is also running DNS-over-HTTPS ...

I see an Ubuntu 20.04 LTS Docker image here: https://hub.docker.com/r/internetsystemsconsortium/bind9, however I am running Debian and I cannot afford a minute of downtime on our production systems. It would prevent people from using the Internet at all of our locations. Windows 10 just doesn't know how to use the second nameserver in the DHCP list if the first one is not performing well. The system became unusable campus-wide ...

Mirsad

On 6/4/2022 12:36 PM, Bjørn Mork wrote:
Mirsad Goran Todorovac <mirsad.todoro...@alu.unizg.hr> writes:

Apparently, AppArmor denied opening of the journal file in
/etc/bind/zones even when the directory had bind group write
permissions.
Looking at the default policy in /etc/apparmor.d/usr.sbin.named in the
Debian bind9 package, I see that /etc/bind/ only has read access:

   # /etc/bind should be read-only for bind
   # /var/lib/bind is for dynamically updated zone (and journal) files.
   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
   # See /usr/share/doc/bind9/README.Debian.gz
   /etc/bind/** r,
   /var/lib/bind/** rw,
   /var/lib/bind/ rw,
   /var/cache/bind/** lrw,
   /var/cache/bind/ rw,


You can probably override this with a local policy, but I guess life is
easier if you just go with the flow.  If you really want to use
apparmor, that is...


Bjørn

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
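Added example, not code from either poster: a small POSIX sh helper that turns one AppArmor "DENIED" audit line logged for named into the pair of rules you would put in the site override file /etc/apparmor.d/local/usr.sbin.named, which the Debian profile pulls in for local additions (assumption: your copy of usr.sbin.named still carries that include; grep for `local/usr.sbin.named` before relying on it). The audit line is constructed to look like the denial Mirsad describes; the journal path /etc/bind/zones/example.com.jnl, the pid and the uids are made up.

```shell
#!/bin/sh
# Added example, not from the thread: derive an AppArmor local-profile
# override from a "DENIED" audit line logged for named.
#
# Constructed sample line in the shape of the kernel audit message AppArmor
# emits (see journalctl -k or /var/log/audit/audit.log); the zone path, pid
# and uids are made up.
SAMPLE_DENIAL='audit: type=1400 audit(1654339000.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/example.com.jnl" pid=4321 comm="named" requested_mask="rwc" denied_mask="wc" fsuid=105 ouid=105'

# field LINE KEY: print the value of a KEY="value" pair from one audit line.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# is_named_denial LINE: true only for a denial attributed to the named profile.
is_named_denial() {
    [ "$(field "$1" apparmor)" = DENIED ] &&
        [ "$(field "$1" profile)" = /usr/sbin/named ]
}

# mask_to_perm MASK: map the letters of requested_mask onto rule permissions.
# AppArmor logs create (c) and delete (d) separately; in a rule "w" covers both.
mask_to_perm() {
    perm=
    case $1 in *r*) perm="${perm}r" ;; esac
    case $1 in *w*|*c*|*d*|*a*) perm="${perm}w" ;; esac
    case $1 in *l*) perm="${perm}l" ;; esac
    case $1 in *k*) perm="${perm}k" ;; esac
    printf '%s\n' "$perm"
}

# suggest_rules LINE: print the two rules that let named use the directory
# the denied file lives in, in the same shape as the /var/lib/bind rules of
# the stock profile: one for the files, one for the directory itself (named
# creates the journal and renames a temporary file over the zone on dump).
suggest_rules() {
    path=$(field "$1" name)
    perm=$(mask_to_perm "$(field "$1" requested_mask)")
    dir=${path%/*}
    printf '%s/** %s,\n%s/ %s,\n' "$dir" "$perm" "$dir" "$perm"
}

# Demo against the constructed line. On a live system you would feed real
# denials instead, e.g.:
#   journalctl -k | grep 'apparmor="DENIED"' | while read -r l; do
#       is_named_denial "$l" && suggest_rules "$l"
#   done | sort -u >> /etc/apparmor.d/local/usr.sbin.named
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
if is_named_denial "$SAMPLE_DENIAL"; then
    suggest_rules "$SAMPLE_DENIAL"
fi
```

The override is scoped to the one subdirectory the denial names rather than to /etc/bind/**, because the stock profile's own comment says /etc/bind is meant to be read-only for named; widening it to rw would let a compromised named rewrite named.conf and its keys. Moving the dynamic zones to /var/lib/bind, as the profile comment and Bjørn's "go with the flow" suggest, keeps that boundary without any local rule at all.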


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users