> On 26 Oct 2021, at 08:02, Paul van der Vlis <p...@vandervlis.nl> wrote:
>
> Hello,
>
> I've made some progress..
>
> On 24-10-2021 at 21:39, Paul van der Vlis wrote:
> (...)
>> I've tried to specify the "key-directory" in the bind configuration, but
>> when I do that I get an error during "rndc reload", so I cannot specify a
>> key-directory. This is Bind 9.16.15 from Debian 11.
>> What am I doing wrong?
>
> What I did wrong here is putting this key-directory option into the bind
> configuration (/etc/bind/named.conf). The correct place is in the zone, so I
> put it in the "rndc modzone" command. This works ;-)
Well, it can go in named.conf. It needs to be in the options and/or view and/or zone sections. This is documented.

> But now I have another problem:
> ------
> Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400
> audit(1635193673.521:12): apparmor="DENIED" operation="mknod" profile="named"
> name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 comm="isc-worker0000"
> requested_mask="c" denied_mask="c" fsuid=107 ouid=107
> Oct 25 22:27:53 ns1 named[343]: /etc/bind/zones/hallo24.nl.signed.jnl:
> create: permission denied
> ------
>
> Hmm, maybe it's not a good idea that bind would change those static
> config files. What I would like is that bind would change only the temporary
> database in /var/cache/bind/ . Would that be possible? Or do you have a
> better idea?

It's not named's job to update SELinux or AppArmor. I suspect we would get complaints if we attempted to do that. Changing security policy is the job of the operator.

> This is the rndc modzone command that I give at the moment:
> ------
> rndc modzone hallo24.nl "{ type master; file
> \"/etc/bind/zones/hallo24.nl.signed\"; key-directory \"/etc/bind/keys\";
> allow-transfer { 91.198.178.25; 2a01:1b0:7999:424::25; 45.95.238.187;
> 2a10:3781:13b6::2; }; update-policy {grant test3.hallo24.nl. name
> _acme-challenge.test3.hallo24.nl. txt;}; };"
> ------
>
> With regards,
> Paul van der Vlis
>
> --
> Paul van der Vlis Linux systeembeheer Groningen
> https://www.vandervlis.nl/
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
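As an added example (not code from this thread, from Paul, or from ISC), a small POSIX shell filter that pulls the operation, denied path and mask out of AppArmor audit lines like the one quoted above, then flags the denied paths that lie outside the directory the operator intends named to write to. This is the operator-side check Mark's reply points to: the journal named tried to create next to the zone file in /etc/bind/zones is exactly what the policy (or the file location) has to account for. The sample log is constructed from the two quoted lines plus an invented ALLOWED line that the filter must skip; the prefix /var/cache/bind/ is the directory named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: extract the operator-relevant
# fields from AppArmor "DENIED" audit lines such as the one quoted above, so
# the denied path can be compared with where named is meant to write.

# Constructed sample input: the two lines from the thread plus an unrelated
# non-denial line that the filter must ignore (the ALLOWED line is made up).
SAMPLE_LOG='Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400 audit(1635193673.521:12): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Oct 25 22:27:53 ns1 named[343]: /etc/bind/zones/hallo24.nl.signed.jnl: create: permission denied
Oct 25 22:28:01 ns1 kernel: [540909.000000] audit: type=1400 audit(1635193681.000:13): apparmor="ALLOWED" operation="open" profile="named" name="/var/cache/bind/example.jnl" pid=343 comm="isc-worker0000" requested_mask="wc" denied_mask="wc" fsuid=107 ouid=107'

# apparmor_denials PROFILE
# Reads audit lines on stdin and prints "operation path denied_mask" for each
# DENIED event belonging to PROFILE; all other lines are dropped.
apparmor_denials() {
    _profile="$1"
    grep -F 'apparmor="DENIED"' |
        grep -F "profile=\"$_profile\"" |
        sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# outside_prefix PREFIX
# Reads apparmor_denials records on stdin and keeps only those whose path is
# not under PREFIX (the directory the operator intends named to write to,
# /var/cache/bind/ in the thread). What remains is the list of files that
# must either move under PREFIX or be granted in the local AppArmor policy.
outside_prefix() {
    _prefix="$1"
    while read -r _op _path _mask; do
        case "$_path" in
            "$_prefix"*) ;;
            *) printf '%s %s %s\n' "$_op" "$_path" "$_mask" ;;
        esac
    done
}

# Stand-alone run over the constructed sample: prints the journal file that
# named was denied creating under /etc/bind/zones.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials named | outside_prefix /var/cache/bind/
```

On a live host the same two functions can be fed from the kernel log (for example `journalctl -k | apparmor_denials named | outside_prefix /var/cache/bind/`) to list every path the named profile is blocking outside its writable cache directory, which is the input an operator needs before deciding whether to relocate the zone files or extend the local AppArmor policy.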