Hi bind-users,

As I was configuring DNSSEC for a domain, I ran into a conflict between the AppArmor profile in the bind9 Debian package, and what I understand to be the default / recommended file layout (the same issue as [1]). The proposed solution in [1] is to put admin-provided files (i.e. zone files) in /var/lib/named -- but that strikes me as inconsistent with the FHS. [2]

Is there a way to configure named to place generated files (e.g. signed zones) in a separate directory from the admin-provided files (unsigned zones)? I know of the `journal` option [3] for the journal file specifically; but I don't seem to see an equivalent for the `.signed` zonefile.

I know, the FHS is not law; putting admin-provided files in /var/lib, or tweaking the AppArmor profile and allowing named to drop files in /etc/bind, would work. But putting the human's stuff in /etc and the computer's stuff in /var will save me some confusion the next time I have to debug something.

I'm also down for other workarounds, if you have suggestions!

Thanks,
Charles

[1]: https://lists.isc.org/mailman/htdig/bind-users/2020-September/103706.html
[2]: https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html : "Users must never need to modify files in /var/lib to configure a package's operation.."
[3]: https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-journal

---

Logs and references, for discoverability & in case I missed something:

On my Debian system (package version `1:9.18.28-1~deb12u2`), I configured a zone as follows:

```
zone "cceckman.com" {
    type primary;
    file "/etc/bind/primary/auxiliary.db";
    # (transfer, notify, etc. elided)
    dnssec-policy default;
    inline-signing true;
}
```

After a config reload, named started reporting the following errors:

```
Nov 15 15:16:49 pvm named[79928]: /etc/bind/primary/auxiliary.db.signed.jnl: create: permission denied
...
Nov 15 15:25:00 pvm named[79928]: dumping master file: /etc/bind/primary/tmp-SDhgprtsTr: open: permission denied
```

The Unix permissions were fine, but `dmesg` reported AppArmor violations:

```
[244861.365912] audit: type=1400 audit(1731682609.128:204): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/auxiliary.db.signed.jnl" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245026.362333] audit: type=1400 audit(1731682774.128:205): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/tmp-8s5lo8MBd2" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
```

From this, I found [1].
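To turn audit records like the ones above into a list of what the profile would actually have to allow (or which files to relocate), here is an added Python helper, not from the post or the bind9 package, that parses AppArmor `dmesg` lines and groups the denials by profile and directory. The first two sample records are the post's own; the third is constructed to show that non-DENIED records are ignored.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: the two AppArmor denials quoted in the post, plus
# one constructed non-denial record to show that it is skipped.
SAMPLE_DMESG = """\
[244861.365912] audit: type=1400 audit(1731682609.128:204): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/auxiliary.db.signed.jnl" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245026.362333] audit: type=1400 audit(1731682774.128:205): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/tmp-8s5lo8MBd2" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245030.000000] audit: type=1400 audit(1731682778.000:206): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="named" pid=1 comm="apparmor_parser"
"""

# key=value pairs; a value is either double-quoted or a bare non-space token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Parse one dmesg/audit line into a dict of its key=value fields.

    Returns None for lines that are not AppArmor records at all.
    """
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def denied_by_directory(text):
    """Group DENIED records by (profile, directory of the denied path).

    Temporary files such as tmp-8s5lo8MBd2 get random names, so grouping by
    directory (not exact path) shows the access the confined process needs,
    which is the input for deciding between moving the generated files and
    extending the profile.
    """
    summary = defaultdict(lambda: {"ops": set(), "masks": set(), "files": set()})
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        key = (rec.get("profile", "?"), os.path.dirname(rec["name"]))
        entry = summary[key]
        entry["ops"].add(rec.get("operation", "?"))
        entry["masks"].update(rec.get("denied_mask", ""))  # one char per mode
        entry["files"].add(os.path.basename(rec["name"]))
    return dict(summary)


if __name__ == "__main__":
    for (profile, directory), entry in denied_by_directory(SAMPLE_DMESG).items():
        print(f"profile {profile}: denied {sorted(entry['masks'])} "
              f"({', '.join(sorted(entry['ops']))}) in {directory}/ "
              f"for {len(entry['files'])} file(s)")
```

Feed it `dmesg` or `journalctl -k` output; each resulting (profile, directory, mask) triple is one line you would either add to a local profile override or avoid by pointing `file`/`journal` elsewhere.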