On Sat, Mar 15, 2025 at 12:32 PM Danjel Jungersen via bind-users <bind-users@lists.isc.org> wrote:
> I'm so sorry, but I have to trouble you guys again.
>
> The help below helped, I have no errors from checkconf or checkzone, but
> from journalctl I get:
> /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
> and
> /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied
>
> and some more, but I think these 2 are the causes.

Maybe an apparmor problem?  I had to add write permissions to /etc/bind
before bind would work for me ... which was probably my mis-configuration,
but still.

file to be modified: /etc/apparmor.d/usr.sbin.named

Regards
Lee

> But if I try:
> root@ns1:/etc/bind/zones# ps auxw|grep named
> bind  57446  0.1  1.2 147948 48140 ?     Ssl  17:12  0:01 /usr/sbin/named -f -4 -u bind
> root  57472  0.0  0.0   6332  2036 pts/1 S+   17:21  0:00 grep named
>
> It looks to me like the user is "bind"
>
> I also have:
> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones
>
> I have added write permission for the bind group.
>
> I have also tried to change owner to bind, same result.
>
> I have .key .private and .state files in /var/cache/bind
>
> What do these errors mean?
> I assume that the files that it tries to write are supposed to be
> written(?)
>
> And why is it rejected?
>
> BR
> Danjel
>
> On 12-03-2025 23:49, Mark Andrews wrote:
> > I shouldn't have tried to write that on the phone from memory.
> >
> > dnssec-policy "unlimited" {
> >     keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> > };
> >
> > zone "jungersen.dk" {
> >     type master;
> >     file "/etc/bind/zones/db.jungersen.dk";
> >     allow-transfer { 192.168.20.11; };
> >     dnssec-policy "unlimited";
> > };
> >
> > Mark
> >
> > > On 13 Mar 2025, at 09:13, Danjel Jungersen <dan...@jungersen.dk> wrote:
> > >
> > > On 20-02-2025 08:40, Mark Andrews wrote:
> > >
> > > > > The zone is available publicly, but from public servers not hosted by me
> > > > > (one.com).
> > > > > And points to my external ip.
> > > > > My internal bind redirects local traffic directly to local servers on local
> > > > > ip's.
> > > >
> > > > DNSSEC is designed to stop spoofed answers being accepted. When you create a
> > > > local zone that overrides what is in the public zones you are effectively
> > > > spoofing answers. As you have a DNSSEC signed public zone if you want to
> > > > have these spoofed answers accepted you need to do one of the following:
> > > >
> > > > 1) create a working chain of trust that links to your private zone content
> > > >
> > > > 1 is the best long term solution....
> > >
> > > So this is the way I will try to go.
> > >
> > > > You currently have the following DS which means you are using ECDSAP256SHA256
> > > > (13) as the DNSSEC key algorithm.
> > > > jungersen.dk. 7200 IN DS 26658 13 2
> > > > 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
> > > >
> > > > I would add "dnssec-policy { csk lifetime unlimited algorithm
> > > > ECDSAP256SHA256; };" to your internal primary if you choose to do 1 or 3.
> > > > This will add a DNSKEY record to the zone and cause it to be signed. You can
> > > > then take the generated DNSKEY and install it as a trust anchor on the
> > > > postfix boxes.
> > > >
> > > > You will need to do some reading first. Others here can give you more advice.
> > >
> > > I have now read a lot, and I think that I actually understood some of it.
> > >
> > > I have:
> > > zone "jungersen.dk" {
> > >     type master;
> > >     file "/etc/bind/zones/db.jungersen.dk";
> > >     allow-transfer { 192.168.20.11; };
> > >     dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> > > };
> > >
> > > in named.conf.local
> > >
> > > It throws an error, /etc/bind/named.conf.local:15: expected string near '{'
> > >
> > > Line 15 is the dnssec-policy line.
> > >
> > > If I uncomment this line all is well.
> > >
> > > Can anyone tell me what is wrong with this line?
> > > I have copy pasted it from the suggestion, and have read some online, to me
> > > it looks good.
> > >
> > > ????
> > >
> > > BR
> > > Danjel
> > >
> > > --
> > > Med venlig hilsen/Kind regards
> > > Danjel Jungersen
> > > Mail: dan...@jungersen.dk
> > > Mobile: +45 20 42 20 11
> > >
> > > Jungersen Grafisk ApS,
> > > Holsbjergvej 39, DK-2620 Albertslund,
> > > Denmark.
> > > Tel: +45 43 64 10 00
> > >
> > > WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK <https://www.jungersen.dk>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
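An added example (editor's code, not Lee's or the list's): a small shell helper that reads the kernel's AppArmor denial records and prints the profile rule they imply, so that /etc/apparmor.d/usr.sbin.named is opened only as far as the log actually justifies. It assumes the stock Debian/Ubuntu named profile, which grants /etc/bind/** read-only, and the sample records below are constructed (pids, uids and audit ids are made up).

```shell
#!/bin/sh
# Constructed sample of AppArmor denials as they would appear in
# `journalctl -k` (kernel audit format); pids, uids and ids are made up.
SAMPLE_DENIALS='audit: type=1400 audit(1742052722.123:45): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/db.jungersen.dk.jbk" pid=57446 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=113 ouid=113
audit: type=1400 audit(1742052722.456:46): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/db.jungersen.dk.signed.jnl" pid=57446 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=113 ouid=113
audit: type=1400 audit(1742052723.001:47): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/db.jungersen.dk.signed" pid=57446 comm="isc-net-0000" requested_mask="wrc" denied_mask="wc" fsuid=113 ouid=113'

# Read log lines on stdin; for each apparmor="DENIED" record print
# "profile<TAB>path<TAB>denied_mask". Lines without a denial are ignored.
parse_denials() {
    awk '
        /apparmor="DENIED"/ {
            profile = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "profile") profile = val
                else if (kv[1] == "name") name = val
                else if (kv[1] == "denied_mask") mask = val
            }
            if (name != "") print profile "\t" name "\t" mask
        }'
}

# Group the denied paths by directory, union the permissions that were
# refused and print the rule that would cover them. AppArmor reports
# create as "c" and delete as "d"; a profile rule grants both through "w".
suggest_apparmor_rules() {
    parse_denials | awk -F "$(printf '\t')" '
        {
            n = split($2, part, "/")
            dir = substr($2, 1, length($2) - length(part[n]) - 1)
            if ($3 ~ /r/)     need[dir, "r"] = 1
            if ($3 ~ /[wcd]/) need[dir, "w"] = 1
            if ($3 ~ /k/)     need[dir, "k"] = 1
            if ($3 ~ /m/)     need[dir, "m"] = 1
            dirs[dir] = 1
        }
        END {
            for (dir in dirs) {
                perms = ""
                for (i = 1; i <= 4; i++) { p = substr("rwkm", i, 1); if ((dir, p) in need) perms = perms p }
                printf "%s/** %s,\n", dir, perms
            }
        }' | sort
}

# Stand-alone run on the sample; on a live host pipe in `journalctl -k`.
printf '%s\n' "$SAMPLE_DENIALS" | suggest_apparmor_rules
```

On a live host, `journalctl -k | suggest_apparmor_rules` (or `aa-logprof` from apparmor-utils) gives the line to add to the named profile, after which `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` reloads it. Keeping the files named rewrites itself (.signed, .jnl, .jbk) under /var/lib/bind, which the stock profile already allows rw, avoids widening /etc/bind at all.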