>I would either change ownership of "/etc/bind" and all files and folders
>below that from "root" to "bind", or, if the group for user "bind" is also
>"bind", leave ownership as root but change group permissions to rwx for
>everything "/etc/bind" and below. You could try starting with just
>"/etc/bind" and see if that helps. Then continue down if not.
>
>Some more Linux-savvy people will no doubt have something to say on the
>matter :)

I read somewhere online that it makes sense to use /var/lib/bind or 
/var/cache/bind for signed zones.

???

If bind should be denied write access to /etc/... maybe this is the way to go?

:-)
Danjel

>
>Cheers, Greg
>
>On Sat, 15 Mar 2025 at 21:25, Danjel Jungersen via bind-users <
>bind-users@lists.isc.org> wrote:
>
>> Off-list I was asked.....
>>
>> root@ns1:/etc/bind# ls -la
>> total 60
>> drwxr-sr-x  3 root bind 4096 Mar 15 16:31 .
>> drwxr-xr-x 71 root root 4096 Jan  6 08:40 ..
>> -rw-r--r--  1 root root 2403 Jul 27  2024 bind.keys
>> -rw-r--r--  1 root root  255 Jul 27  2024 db.0
>> -rw-r--r--  1 root root  271 Jul 27  2024 db.127
>> -rw-r--r--  1 root root  237 Jul 27  2024 db.255
>> -rw-r--r--  1 root root  353 Jul 27  2024 db.empty
>> -rw-r--r--  1 root root  270 Jul 27  2024 db.local
>> -rw-r--r--  1 root bind  458 Jul 27  2024 named.conf
>> -rw-r--r--  1 root bind  498 Jul 27  2024 named.conf.default-zones
>> -rw-r--r--  1 root bind  737 Mar 13 08:41 named.conf.local
>> -rw-r--r--  1 root bind  950 Jan 30 08:58 named.conf.options
>> -rw-r-----  1 bind bind  100 Jan  3 15:27 rndc.key
>> drwxrwsr-x  2 root bind 4096 Mar 15 16:54 zones
>> -rw-r--r--  1 root root 1317 Jul 27  2024 zones.rfc1918
>>
>> root@ns1:/etc/bind/zones# ls -la
>> total 20
>> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .
>> drwxr-sr-x 3 root bind 4096 Mar 15 16:31 ..
>> -rw-rw-r-- 1 root bind  445 Jan  5 17:58 db.192.168
>> -rw-rw-r-- 1 root bind  509 Jan  5 17:12 db.jg1.jungersen.dk
>> -rw-rw-r-- 1 root bind  681 Mar 15 16:54 db.jungersen.dk
>>
>> I was also asked about the setgid bit, I have no reason/explanation for it.
>> Nor do I have any special wishes, so if it is best practice to do it
>> differently, I can change it.
>>
>> Apparmor was also mentioned, I have no experience with that, and have not
>> changed it in any way (to my knowledge)...
>>
>> if I have opened up too much in my effort to make it work, please let me
>> know, I wish to keep it as tight as possible.
>>
>> :-)
>> Danjel
>>
>>
>> On 15-03-2025 17:31, Danjel Jungersen via bind-users wrote:
>>
>> I'm so sorry, but I have to trouble you guys again.
>>
>> The help below helped, I have no errors from checkconf or checkzone, but
>> from journalctl I get:
>> /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
>> and
>> /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied
>>
>> and some more, but I think these 2 are the causes.
>>
>> But if I try:
>> root@ns1:/etc/bind/zones# ps auxw|grep named
>> bind       57446  0.1  1.2 147948 48140 ?        Ssl  17:12   0:01
>> /usr/sbin/named -f -4 -u bind
>> root       57472  0.0  0.0   6332  2036 pts/1    S+   17:21   0:00 grep
>> named
>>
>> It looks to me like the user is "bind"
>>
>> I also have:
>> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones
>>
>> I have added write permission for the bind group.
>>
>> I have also tried to change owner to bind, same result.
>>
>> I have .key .private and .state files in /var/cache/bind
>>
>> What do these errors mean?
>> I assume that the files that it tries to write are supposed to be
>> written(?)
>>
>> And why is it rejected?
>>
>> BR
>> Danjel
>> On 12-03-2025 23:49, Mark Andrews wrote:
>>
>> I shouldn’t have tried to write that on the phone from memory.
>>
>> dnssec-policy "unlimited" {
>>      keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
>> };
>>
>> zone "jungersen.dk" {
>>         type master;
>>         file "/etc/bind/zones/db.jungersen.dk";
>>         allow-transfer { 192.168.20.11; };
>>         dnssec-policy "unlimited";
>> };
>>
>> Mark
>>
>>
>> On 13 Mar 2025, at 09:13, Danjel Jungersen <dan...@jungersen.dk> 
>> <dan...@jungersen.dk> wrote:
>>
>> On 20-02-2025 08:40, Mark Andrews wrote:
>>
>> The zone is available publicly, but from public servers not hosted by me 
>> (one.com).
>> And points to my external ip.
>> My internal bind redirects local traffic directly to local servers on local 
>> IPs.
>>
>> DNSSEC is designed to stop spoofed answers being accepted.  When you create 
>> a local zone that overrides what is in the public zones you are effectively 
>> spoofing answers.  As you have a DNSSEC signed public zone if you want to 
>> have these spoofed answers accepted you need to do one of the following:
>>
>> 1) create a working chain of trust that links to your private zone content
>> Long 1 is the best long term solution....
>>
>> So this is the way I will try to go.
>>
>> You currently have the following DS which means you are using 
>> ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>> jungersen.dk. 7200 IN DS 26658 13 2 
>> 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>>
>> I would add “dnssec-policy { csk lifetime unlimited algorithm 
>> ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3.  
>> This will add a DNSKEY record to the zone and cause it to be signed.  You 
>> can then take the generated DNSKEY and install it as a trust anchor on the 
>> postfix boxes.
>>
>> You will need to do some reading first. Others here can give you more advice.
>>
>>
>> I have now read a lot, and I think that I actually understood some of it.
>>
>> I have:
>> zone "jungersen.dk" {
>>         type master;
>>         file "/etc/bind/zones/db.jungersen.dk";
>>         allow-transfer { 192.168.20.11; };
>>         dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
>> };
>>
>> in named.conf.local
>>
>> It throws an error, /etc/bind/named.conf.local:15: expected string near '{'
>>
>> Line 15 is the dnssec-policy line.
>>
>> If I uncomment this line all is well.
>>
>> Can anyone tell me what is wrong with this line?
>> I have copy pasted it from the suggestion, and have read some online, to me 
>> it looks good.
>>
>> ????
>>
>> BR
>> Danjel
>>
>>
>> --
>> Med venlig hilsen/Kind regards
>> Danjel Jungersen
>> Mail: dan...@jungersen.dk
>> Mobile: +45 20 42 20 11
>>
>> Jungersen Grafisk ApS,
>> Holsbjergvej 39, DK-2620 Albertslund,
>> Denmark.
>> Tel: +45 43 64 10 00
>>
>> WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK
>> <https://www.jungersen.dk>
>>
>> [image: Logo] <https://www.jungersen.dk>
>>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
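The "permission denied" reports above boil down to one question: can the user named runs as (bind, group bind, per the ps output) create the .jbk and .jnl files in the zone directory? The following is an added example, not code from the thread or from ISC's BIND: it parses `ls -la` lines like the ones posted and evaluates the classic discretionary mode bits for a given user and group set. The listing embedded in it is the /etc/bind/zones listing from the thread; the helper names (`parse_ls`, `can_create_in`, `report`) are my own.

```python
# Added example, not from the thread or from BIND: evaluate the Unix mode
# bits shown in an `ls -la` listing to answer "could user X create a file in
# this directory / write this file?". Discretionary access control only;
# a MAC layer such as AppArmor can still deny what these bits allow.
import re
from dataclasses import dataclass

# One `ls -l` line: mode, link count, owner, group, size, date (3 tokens), name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# The /etc/bind/zones listing posted in the thread.
ETC_BIND_ZONES = """\
total 20
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .
drwxr-sr-x 3 root bind 4096 Mar 15 16:31 ..
-rw-rw-r-- 1 root bind  445 Jan  5 17:58 db.192.168
-rw-rw-r-- 1 root bind  509 Jan  5 17:12 db.jg1.jungersen.dk
-rw-rw-r-- 1 root bind  681 Mar 15 16:54 db.jungersen.dk
"""


@dataclass
class Entry:
    mode: str   # e.g. "drwxrwsr-x"
    owner: str
    group: str
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def setgid(self) -> bool:
        # 's'/'S' in the group-execute slot is the setgid bit; on a directory
        # it makes newly created files inherit the directory's group.
        return self.mode[6] in "sS"


def parse_ls(listing: str) -> list[Entry]:
    """Parse `ls -l` style lines; non-matching lines (e.g. 'total 20') are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], m["name"]))
    return entries


def _bits_for(entry: Entry, user: str, groups: set[str]) -> str:
    """Pick the rwx triple that applies to `user`: owner, then group, then other."""
    if user == entry.owner:
        return entry.mode[1:4]
    if entry.group in groups:
        return entry.mode[4:7]
    return entry.mode[7:10]


def can_write(entry: Entry, user: str, groups: set[str]) -> bool:
    """True if `user` may modify an existing file (root bypasses DAC)."""
    if user == "root":
        return True
    return _bits_for(entry, user, groups)[1] == "w"


def can_create_in(entry: Entry, user: str, groups: set[str]) -> bool:
    """True if `user` may create files in a directory: needs write AND search (x, s or t)."""
    if not entry.is_dir:
        return False
    if user == "root":
        return True
    bits = _bits_for(entry, user, groups)
    return bits[1] == "w" and bits[2] in "xst"


def report(listing: str, user: str, groups: set[str]) -> dict[str, bool]:
    """Map each entry name to whether `user` could create in it (dirs) or write it (files)."""
    out = {}
    for e in parse_ls(listing):
        out[e.name] = can_create_in(e, user, groups) if e.is_dir else can_write(e, user, groups)
    return out


if __name__ == "__main__":
    for name, ok in report(ETC_BIND_ZONES, "bind", {"bind"}).items():
        print(f"{name:25} {'allowed' if ok else 'DENIED'} by mode bits")
```

Run against the posted listing, the check says the bind group may create files in /etc/bind/zones (`.` is `drwxrwsr-x`), so the mode bits alone do not explain the EACCES. When DAC says yes and the kernel still refuses, the next layer to look at is mandatory access control such as the AppArmor profile the thread mentions; AppArmor denials are logged by the kernel as `apparmor="DENIED"` audit lines (visible with `journalctl -k` or `dmesg`), and they are the first thing to check before loosening ownership of /etc/bind any further.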
