Hi,
Thanks for pointing that out.
As mentioned before, prior to this dnssec everything was working fine.
Maybe not in the way it should, but working at last. Now I'm dealing
with the slave misbehaving. So, as soon as I can reach harmony I will
take care of the permissions.
On 2023-06-30
Hoi Daniel,
How about setting ownership correctly. I see a mix of ownerships and
to my knowledge it should all be owned by bind.bind. Not root.bind or
root.root or bind.root. And then you can reset permissions on the
files back to 644 or 640. For the directories it should be 755 or 750.
(As to
And you were right...
Since the zone was not being signed, I enabled the logs for dnssec, and
found this error message:
dnssec: zone unau.edu.ar/IN (signed): zone_rekey:dns_dnssec_keymgr
failed: error occurred writing key to disk
dnssec: zone unau.edu.ar/IN (signed): zone_rekey failure:
Mark Andrews wrote:
> were wrong and wouldn’t normally be that way. Something or someone
> changed them. It may have happened again. We can’t see what you see
And, AppArmor can turn things into permission denied, which are rather
mysterious. So, I'd ask for dmesg output too.
On 29/6/23 at 09:40, Anand Buddhdev wrote:
On 29/06/2023 14:13, Daniel Armando Rodriguez via bind-users wrote:
[snip]
Error is not the same as before, I see it now (fresh eyes maybe)
Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400
audit(1688038957.685:548): apparmor="DENIED" operation="mknod"
profile="named"
=== /etc/bind
total 84K
drwxr-sr-x 3 root bind 4,0K jun 28 17:07 .
drwxr-xr-x 134 root root 12K jun 22 11:15 ..
-rw-r--r-- 1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r-- 1 root root 255 feb 26 06:27 db.0
-rw-r--r-- 1 root root 271 jun 30 2017 db.127
-rw-r--r-- 1 root root 237
I suspect permissions on the key-directory are not yet correct:
key-directory "/var/cache/bind/keys";
On 6/28/23 22:35, Daniel Armando Rodriguez via bind-users wrote:
However, as soon as I added this
dnssec-policy "default";
inline-signing yes;
Error came up again :-(
--
Show us the current permissions now that you have fixed them including
every directory from the root. The permissions you had originally were
wrong and wouldn’t normally be that way. Something or someone changed
them. It may have happened again. We can’t see what you see so you have
to show
Exactly the same
On 28 June 2023 6:50:26 p.m. GMT-03:00, Mark Andrews
wrote:
>The *exact* same error, word for word, or a different permission denied?
>
>> On 29 Jun 2023, at 06:35, Daniel Armando Rodriguez via bind-users
>> wrote:
>>
>> However, as soon as I added this
>>
>>
The *exact* same error, word for word, or a different permission denied?
> On 29 Jun 2023, at 06:35, Daniel Armando Rodriguez via bind-users
> wrote:
>
> However, as soon as I added this
>
> dnssec-policy "default";
> inline-signing yes;
>
> Error came up again :-(
However, as soon as I added this
dnssec-policy "default";
inline-signing yes;
Error came up again :-(
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us
On 2023-06-28 16:00, Anand Buddhdev wrote:
On 28/06/2023 20:44, Daniel Armando Rodriguez via bind-users wrote:
Hi Daniel,
[snip]
# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind 323 ene 16 10:59
Certainly, you pointed in the right direction :-)
Previously I had set the setgid bit on /etc/bind/zonas/ due to
complaints from apparmor. Now, I've removed that bit and added an
override to such folder in /etc/apparmor.d/local/usr.sbin.named.
Et voila!
However, I wonder the reason
On 28/06/2023 20:44, Daniel Armando Rodriguez via bind-users wrote:
Hi Daniel,
[snip]
# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind 323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rwxr-xr-- 1 bind bind
Hello,
I think
chmod ug+x /etc/bind/zonas/
should solve the issue by giving the
owner (bind) and the group (bind) permissions to enter the
directory.
Danilo
On
Before I start describing the problem, I should mention that this
incident started when I tried to enable DNSSEC. I understand that it is
unrelated, but previously everything was working correctly.
I'm using Debian 11 and Bind 9.18 from backports
This is current config
# named-checkconf