Permission issue ¿?

2023-06-22 Thread Daniel Armando Rodriguez via bind-users
As of this morning I'm getting this error in the log, and it was working fine 
previously


loading configuration from '/etc/bind/named.conf'
directory '/etc/bind' is not writable
/etc/bind/named.conf.options:2: parsing failed: permission denied

/etc/bind detail

drwxr-sr-x   4 root bind 4,0K jun 22 11:17 .
drwxr-xr-x 134 root root  12K jun 22 11:15 ..
-rw-r--r--   1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r--   1 root root  255 feb 26 06:27 db.0
-rw-r--r--   1 root root  271 jun 30  2017 db.127
-rw-r--r--   1 root root  237 jun 30  2017 db.255
-rw-r--r--   1 root root  353 jun 30  2017 db.empty
-rw-r--r--   1 root root  270 jun 30  2017 db.local
-rw-r--r--   1 root root 3,1K may  3  2019 db.root
drwxr-sr-x   2 bind bind 4,0K abr 20 20:01 keys
-rw-r--r--   1 root bind  458 feb 26 06:27 named.conf
-rw-r--r--   1 root bind  498 ago 25  2020 named.conf.default-zones
-rw-r--r--   1 root bind 1,2K jun 22 10:58 named.conf.local
-rw-r--r--   1 root bind  554 ene 16 11:33 named.conf.local.save
-rw-r--r--   1 root bind 2,7K jun 22 11:01 named.conf.options
-rw-r--r--   1 root bind  846 ago 25  2020 named.conf.options.dpkg-dist
-rw-r-   1 bind bind  144 may 17 13:51 rndc.key
drwxr-sr-x   2 root bind 4,0K jun 21 16:54 zonas
-rw-r--r--   1 root root 1,3K jun 30  2017 zones.rfc1918

Using Named 9.18


Any clues?





*Daniel A. Rodriguez*
/Informática, Conectividad y Sistemas/
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar 
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Master file permission denied

2023-06-28 Thread Daniel Armando Rodriguez via bind-users



Before I start describing the problem, I should mention that this 
incident started when I tried to enable DNSSEC. I understand that it is 
unrelated, but previously everything was working correctly.


I'm using Debian 11 and Bind 9.18 from backports

This is the current config

# named-checkconf -px
options {
directory "/var/cache/bind/";
listen-on  {
127.0.0.1/32;
170.210.45.130/32;
};
listen-on-v6  {
2800:110:44:6260::130/128;
};
querylog yes;
transfers-in 20;
transfers-per-ns 20;
version "Info not currently available";
allow-recursion {
"localhost";
::1/128;
170.210.0.0/16;
2800:110:44:6260::/64;
};
auth-nxdomain no;
recursion yes;
allow-query {
"any";
};
allow-transfer  {
"none";
};
key-directory "/var/cache/bind/keys";
masterfile-format text;
};
statistics-channels {
inet 127.0.0.1 port 8053 allow {
127.0.0.1/32;
};
};
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "unau.edu.ar" {
type primary;
file "/etc/bind/zonas/db.unau.edu.ar";
allow-query {
"any";
};
allow-transfer  {
170.210.45.131/32;
};
allow-update {
"none";
};
also-notify {
170.210.45.131;
};
serial-update-method increment;
};
zone "133.45.210.170.in-addr.arpa" {
type primary;
file "/etc/bind/zonas/133.45.210.170.in-addr.arpa";
allow-transfer  {
170.210.45.131/32;
};
also-notify {
170.210.45.131;
};
};
zone 
"3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa" 
{

type primary;
file 
"/etc/bind/zonas/3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa";

allow-transfer  {
170.210.45.131/32;
};
also-notify {
170.210.45.131;
};
};
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

File permissions

# ls -alh /etc/bind

-rw-r--r--   1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r--   1 root root  255 feb 26 06:27 db.0
-rw-r--r--   1 root root  271 jun 30  2017 db.127
-rw-r--r--   1 root root  237 jun 30  2017 db.255
-rw-r--r--   1 root root  353 jun 30  2017 db.empty
-rw-r--r--   1 root root  270 jun 30  2017 db.local
-rw-r--r--   1 root root 3,1K may  3  2019 db.root
-rw-r--r--   1 root bind  458 feb 26 06:27 named.conf
-rw-r--r--   1 root root 1,2K jun 28 15:06 named.conf.local
-rw-r--r--   1 root root 2,8K jun 27 17:44 named.conf.options
-rw-r-   1 bind bind  144 may 17 13:51 rndc.key
drw-r-S---   2 bind bind 4,0K jun 28 14:55 zonas
-rw-r--r--   1 root root 1,3K jun 30  2017 zones.rfc1918

# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rwxr-xr-- 1 bind bind  394 ene 16 10:58 
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa

-rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar

Error messages

zone unau.edu.ar/IN: loading from master file 
/etc/bind/zonas/db.unau.edu.ar failed: permission denied

zone unau.edu.ar/IN: not loaded due to errors.

Named is running as the bind user

I would be grateful for any enlightening ideas.

___

Re: Master file permission denied

2023-06-28 Thread Daniel Armando Rodriguez via bind-users



Certainly, you pointed in the right direction :-)

Previously I had set the setgid bit on /etc/bind/zonas/ due to 
complaints from AppArmor. Now I've removed that bit and added an 
override for that folder in /etc/apparmor.d/local/usr.sbin.named.


Et voila!

However, I wonder about the reason behind such behaviour since, as mentioned, 
previously it was working just fine.


Thanks, regards

On 2023-06-28 15:51, Danilo Godec via bind-users wrote:


Hello,

I think

chmod ug+x /etc/bind/zonas/

should solve the issue by giving the owner (bind) and the group (bind) 
permissions to enter the directory.


Danilo

On 28.6.2023 20:44, Daniel Armando Rodriguez via bind-users wrote:

[snip]

Re: Master file permission denied

2023-06-28 Thread Daniel Armando Rodriguez via bind-users

On 2023-06-28 16:00, Anand Buddhdev wrote:

On 28/06/2023 20:44, Daniel Armando Rodriguez via bind-users wrote:

Hi Daniel,

[snip]


# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rwxr-xr-- 1 bind bind  394 ene 16 10:58 
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa

-rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar

Error messages

zone unau.edu.ar/IN: loading from master file 
/etc/bind/zonas/db.unau.edu.ar failed: permission denied

zone unau.edu.ar/IN: not loaded due to errors.

Named is running as bind user

I would be grateful for any enlightening ideas.


The directory /etc/bind/zonas is missing the eXecute bits for the owner 
and group, and so BIND can't read files in the directory. You can 
restore the permissions with:


chmod ug+x /etc/bind/zonas


Yeah, I messed up those bits.

I'll also note that the zone files in /etc/bind/zonas don't need their 
execute bits to be set. It doesn't really do any harm, but it is good 
practice to not have execute bits on data files.


Have you ever tried everything when something doesn't work? This was one 
of those cases.








 Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
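The check Anand and Mark describe (a directory that named cannot enter, and "every directory from the root" inspected) can be scripted. The following is an added example, not code from the thread or from ISC: it walks from `/` down to a zone file and decides from the mode bits alone whether a given numeric uid/gid can traverse each directory and read the file. It assumes GNU or busybox `stat -c`, ignores supplementary groups (so a DENY is conservative), and does not model root's bypass of mode bits, which is fine here because named runs as bind.

```shell
#!/bin/sh
# Added example, not from the thread: walk from "/" down to a zone file and
# decide, from the mode bits alone, whether a given uid/gid can traverse
# every directory (x bit) and read the final file (r bit). Reproduces
# Anand's diagnosis of a "drw-r-S---" directory: setgid is set but the
# owner and group execute bits are missing. Assumes GNU/busybox `stat -c`;
# supplementary groups are ignored on purpose, so a DENY is conservative.

# check_one UID GID PATH
# Prints one OK/DENY line for PATH and returns 0 if the needed bit is set.
check_one() {
    uid=$1; gid=$2; p=$3
    set -- $(stat -c '%a %u %g' "$p" 2>/dev/null)
    if [ $# -ne 3 ]; then
        printf 'DENY  %-45s does not exist or stat failed\n' "$p"
        return 1
    fi
    mode=$1; owner=$2; grp=$3
    mode=${mode#${mode%???}}             # drop the setuid/setgid/sticky digit
    while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
    if [ "$owner" = "$uid" ]; then
        digit=${mode%??}; who=owner
    elif [ "$grp" = "$gid" ]; then
        digit=${mode#?}; digit=${digit%?}; who=group
    else
        digit=${mode#??}; who=other
    fi
    if [ -d "$p" ]; then
        need=1; what="x (traverse)"
    else
        need=4; what="r (read)"
    fi
    if [ $(( digit & need )) -ne 0 ]; then
        printf 'OK    %-45s %s as %s\n' "$p" "$what" "$who"
        return 0
    fi
    printf 'DENY  %-45s lacks %s for %s\n' "$p" "$what" "$who"
    return 1
}

# can_reach UID GID PATH
# Checks "/" and every prefix of PATH in order; returns 0 only if all pass.
can_reach() {
    rc=0
    check_one "$1" "$2" / || rc=1
    prefix=""
    rest=${3#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        check_one "$1" "$2" "$prefix" || rc=1
    done
    return $rc
}

# On the server from the thread (named runs as bind) this would be:
#   can_reach "$(id -u bind)" "$(id -g bind)" /etc/bind/zonas/db.unau.edu.ar
```

A DENY on a directory line means the same "permission denied" named reported, even though the zone file itself may be world-readable; `chmod ug+x` on that directory is the fix both replies gave.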


Re: Master file permission denied

2023-06-28 Thread Daniel Armando Rodriguez via bind-users

However, as soon as I added this

   dnssec-policy "default";
   inline-signing yes;

Error came up again :-(


Re: Master file permission denied

2023-06-29 Thread Daniel Armando Rodriguez via bind-users

=== /etc/bind
total 84K
drwxr-sr-x   3 root bind 4,0K jun 28 17:07 .
drwxr-xr-x 134 root root  12K jun 22 11:15 ..
-rw-r--r--   1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r--   1 root root  255 feb 26 06:27 db.0
-rw-r--r--   1 root root  271 jun 30  2017 db.127
-rw-r--r--   1 root root  237 jun 30  2017 db.255
-rw-r--r--   1 root root  353 jun 30  2017 db.empty
-rw-r--r--   1 root root  270 jun 30  2017 db.local
-rw-r--r--   1 root root 3,1K may  3  2019 db.root
-rw-r--r--   1 root bind  458 feb 26 06:27 named.conf
-rw-r--r--   1 root root  498 ago 25  2020 named.conf.default-zones
-rw-r--r--   1 root root 1,2K jun 28 16:51 named.conf.local
-rw-r--r--   1 root root 2,8K jun 27 17:44 named.conf.options
-rw-r-   1 bind bind  144 may 17 13:51 rndc.key
drwxr-xr-x   2 root bind 4,0K jun 28 16:54 zonas
-rw-r--r--   1 root root 1,3K jun 30  2017 zones.rfc1918


=== /etc/bind/zonas
total 40K
drwxr-xr-x 2 root bind 4,0K jun 28 16:54 .
drwxr-sr-x 3 root bind 4,0K jun 29 07:51 ..
-rw-r--r-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rw-r--r-- 1 bind bind  394 ene 16 10:58 
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa

-rw-r--r-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar

=== /var/cache/bind/keys/
total 24K
drwxrwx--- 2 root bind 4,0K jun 23 11:26 .
drwxrwxr-x 3 root bind 4,0K jun 28 16:56 ..
-rw-r- 1 root bind  342 jun 23 11:25 Kunau.edu.ar.+013+33519.key
-rw-r- 1 root bind  187 jun 23 11:25 Kunau.edu.ar.+013+33519.private
-rw-r- 1 root bind  341 jun 23 11:25 Kunau.edu.ar.+013+44318.key
-rw-r- 1 root bind  187 jun 23 11:25 Kunau.edu.ar.+013+44318.private

The error is not the same as before, I see it now (fresh eyes maybe)

Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400 
audit(1688038957.685:548): apparmor="DENIED" operation="mknod" 
profile="named" name="/etc/bind/zonas/db.unau.edu.ar.jbk" pid=1350974 
comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Jun 29 08:42:37 web kernel: [5679658.767241] audit: type=1400 
audit(1688038957.689:549): apparmor="DENIED" operation="mknod" 
profile="named" name="/etc/bind/zonas/tmp-JjAGwma8Hr" pid=1350974 
comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=107 ouid=107



So, shouldn't that write attempt happen in /var/cache/bind?



On 28/6/23 at 21:18, Mark Andrews wrote:

Show us the current permissions now that you have fixed them, including every 
directory from the root. The permissions you had originally were wrong and 
wouldn't normally be that way. Something or someone changed them. It may have 
happened again. We can't see what you see, so you have to show more details. 
If you still have an error message, cut-and-paste the new one including time 
stamps.


On 29 Jun 2023, at 09:03, Daniel A. Rodriguez via bind-users wrote:

Exactly the same


On June 28, 2023 at 6:50:26 PM GMT-03:00, Mark Andrews wrote:
The *exact* same error, word for word, or a different permission denied?

On 29 Jun 2023, at 06:35, Daniel Armando Rodriguez via bind-users wrote:

However, as soon as I added this

dnssec-policy "default";
inline-signing yes;

Error came up again :-(



--

*Daniel A. Rodriguez*
/Informática, Conectividad y Sistemas/
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar <https://informatica.unau.edu.ar>


Re: Master file permission denied

2023-06-29 Thread Daniel Armando Rodriguez via bind-users


On 29/6/23 at 09:40, Anand Buddhdev wrote:

On 29/06/2023 14:13, Daniel Armando Rodriguez via bind-users wrote:

[snip]


The error is not the same as before, I see it now (fresh eyes maybe)

Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400 
audit(1688038957.685:548): apparmor="DENIED" operation="mknod" 
profile="named" name="/etc/bind/zonas/db.unau.edu.ar.jbk" pid=1350974 
comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=107 
ouid=107


[snip]


So, shouldn't that write attempt happen in /var/cache/bind?


When BIND signs a zone, it keeps a copy of the signed zone next to the 
original zone file, by creating a .signed file. Along with that it 
also creates a couple of other files, for journaling and keeping state.


In your case, BIND will try to create those in /etc/bind/zonas, and 
apparmor is denying it.


Move your zone files into /var/cache/bind, which is a better place to 
keep zone files, and not /etc/bind (this should be for BIND's 
configuration, not for zone files).


Regards,
Anand


Indeed, after doing that it stopped complaining :-)





*Daniel A. Rodriguez*
/Informática, Conectividad y Sistemas/
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar <https://informatica.unau.edu.ar>
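Anand's explanation (inline signing creates `.signed`, journal and temporary files next to the zone file, and AppArmor denies that under /etc/bind) can be turned into a quick triage over the kernel audit lines. The script below is an added example, not from the thread or from Debian: it extracts the paths a profile was denied and flags each affected directory as writable or read-only. The "writable" list is an assumption taken from Debian's shipped usr.sbin.named profile (writes allowed under /var/cache/bind and /var/lib/bind, /etc/bind read-only); confirm it against your own /etc/apparmor.d/usr.sbin.named and any local override. The first two sample lines are the ones Daniel posted; the third is a constructed line from another profile that the filter must ignore.

```shell
#!/bin/sh
# Added example, not from the thread: pull the denied paths out of AppArmor
# audit lines and classify each affected directory against the trees the
# Debian named profile lets named write to (an assumption: /var/cache/bind
# and /var/lib/bind writable, /etc/bind read-only; check your own profile).
# Lines 1 and 2 below are from the thread; line 3 is constructed.

SAMPLE_AUDIT='Jun 29 08:42:37 web kernel: [5679658.761672] audit: type=1400 audit(1688038957.685:548): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zonas/db.unau.edu.ar.jbk" pid=1350974 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Jun 29 08:42:37 web kernel: [5679658.767241] audit: type=1400 audit(1688038957.689:549): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zonas/tmp-JjAGwma8Hr" pid=1350974 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Jun 29 08:43:10 web kernel: [5679691.000000] audit: type=1400 audit(1688038990.000:550): apparmor="DENIED" operation="open" profile="other-daemon" name="/srv/data/file" pid=4242 comm="other" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

# denied_paths PROFILE   (audit text on stdin)
# Prints "OPERATION PATH DENIED_MASK" for every DENIED event of PROFILE.
# Relies on the field order the kernel uses: apparmor, operation, profile,
# name, ..., denied_mask.
denied_paths() {
    sed -n 's/.*apparmor="DENIED" operation="\([^"]*\)" profile="'"$1"'" name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# denied_dirs PROFILE: the distinct parent directories of those paths.
denied_dirs() {
    denied_paths "$1" | awk '{ d = $2; sub(/\/[^\/]*$/, "", d); print d }' | sort -u
}

# classify_dir DIR: "writable" if the profile lets named create files there,
# otherwise "read-only" (then move the zone files, as Anand advises, or add
# a local override for that directory).
classify_dir() {
    case $1 in
        /var/cache/bind|/var/cache/bind/*|/var/lib/bind|/var/lib/bind/*) echo writable ;;
        *) echo read-only ;;
    esac
}

# report PROFILE: one "DIR VERDICT" line per denied directory.
report() {
    denied_dirs "$1" | while read -r d; do
        printf '%s %s\n' "$d" "$(classify_dir "$d")"
    done
}

# Sample run; on a live host feed it the kernel log instead:
#   journalctl -k | report named
printf '%s\n' "$SAMPLE_AUDIT" | report named
```

For the lines from the thread the report is `/etc/bind/zonas read-only`, which is exactly the case Anand describes: the directory is readable to named but the profile never grants it create/write there, so the `.jbk` and `tmp-*` files cannot be made.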


Re: Master file permission denied

2023-06-29 Thread Daniel Armando Rodriguez via bind-users

And you were right...

Since the zone was not being signed, I enabled the logs for dnssec, and 
found this error message:


dnssec: zone unau.edu.ar/IN (signed): zone_rekey:dns_dnssec_keymgr 
failed: error occurred writing key to disk
dnssec: zone unau.edu.ar/IN (signed): zone_rekey failure: error occurred 
writing key to disk (retry in 600 seconds)


So, to bypass it I had to change the permissions of my /var/cache/bind/keys 
directory to rwxrwxr-- (774) and all the files therein to rw-rw-r-- (664).



One step closer, thanks to all :-). Best regards



On 29/6/23 at 03:16, Matthijs Mekking wrote:

I suspect permissions on the key-directory are not yet correct:

    key-directory "/var/cache/bind/keys";

On 6/28/23 22:35, Daniel Armando Rodriguez via bind-users wrote:

However, as soon as I added this

    dnssec-policy "default";
    inline-signing yes;

Error came up again :-(

--

*Daniel A. Rodriguez*
/Informática, Conectividad y Sistemas/
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar <https://informatica.unau.edu.ar>


Re: Master file permission denied

2023-06-30 Thread Daniel Armando Rodriguez via bind-users

Hi,

Thanks for pointing that out.
As mentioned before, prior to DNSSEC everything was working fine. 
Maybe not in the way it should, but working at least. Now I'm dealing 
with the slave misbehaving. So, as soon as I reach harmony I will 
take care of the permissions.





On 2023-06-30 00:51, Hika van den Hoven wrote:

Hi Daniel,

How about setting ownership correctly? I see a mix of ownerships and
to my knowledge it should all be owned by bind.bind, not root.bind or
root.root or bind.root. Then you can reset permissions on the
files back to 644 or 640. For the directories it should be 755 or 750.
(As far as Linux is concerned a directory is a file, so the x is needed to
parse (execute) it.)
Thus giving the bind user and only the bind user (and root) exclusive
write access.
Whether you want them world readable is a matter of preference; I
don't think it is needed. Any user needing read access should be made a
member of the bind group.

Thursday, June 29, 2023, 11:48:37 PM, you wrote:


[snip]







Till the next mails,
 bind userlist  mailto:bind-users@lists.isc.org

"Without hope you cannot live
Without life there is no hope
The eternal dilemma
Especially when you have to destroy hope in order to survive!"

The learning Human
--


--


 Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
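Hika's recommended layout (one owner and group for the whole tree, directories 750, files 640, and, as Anand noted earlier, no execute bits on data files) is easy to apply and, more usefully, to verify afterwards. The following is an added example and not code from the thread: `normalize_tree` applies that layout and `verify_tree` lists every entry that deviates from it. The root directory and the numeric uid/gid are parameters so it can be run against a scratch tree; on the server from the thread it would be `normalize_tree /var/cache/bind "$(id -u bind)" "$(id -g bind)"`. It assumes GNU or busybox find, chown, chmod and `stat -c`.

```shell
#!/bin/sh
# Added example, not from the thread: apply and verify "owner bind:bind,
# directories 750, files 640" over a BIND data tree. Setuid/setgid bits on
# directories are cleared explicitly because GNU chmod preserves them unless
# they are named in the mode. uid/gid are numeric so verification does not
# depend on name lookups.

# normalize_tree DIR UID GID
normalize_tree() {
    chown -R "$2:$3" "$1" || return 1
    find "$1" -type d -exec chmod u=rwx,g=rx,o=,u-s,g-s {} + || return 1
    find "$1" -type f -exec chmod u=rw,g=r,o= {} + || return 1
}

# verify_tree DIR UID GID
# Prints every entry that deviates from the layout; returns 1 if any does.
verify_tree() {
    {
        find "$1" -type d -exec stat -c 'd %a %u %g %n' {} +
        find "$1" -type f -exec stat -c 'f %a %u %g %n' {} +
    } | awk -v uid="$2" -v gid="$3" '
        { want = ($1 == "d") ? "750" : "640" }
        $2 != want || $3 != uid || $4 != gid { print "BAD", $0; bad++ }
        END { exit bad ? 1 : 0 }'
}

# Typical use on the host from the thread (assumed paths, run as root):
#   normalize_tree /var/cache/bind "$(id -u bind)" "$(id -g bind)"
#   verify_tree    /var/cache/bind "$(id -u bind)" "$(id -g bind)" && echo clean
```

Running `verify_tree` before `normalize_tree` shows the same mixed ownership and odd modes the listings in this thread had (a 774 key directory, 664 key files, a setgid zone directory), and running it again afterwards gives an empty report, which is the state to expect before re-enabling `dnssec-policy`.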


Re: Multisite deployment issue

2021-08-02 Thread Daniel Armando Rodriguez via bind-users
I was wondering if it would be possible to set up a forwarding scheme just for 
some subdomains. I emphasize the fact that the master is publicly accessible 
and the current need is to locally resolve a bunch of subdomains of the same 
zone. I think the image attached in the previous message is pretty explanatory, 
but currently my setup does not work as (I) expected.



I attach a picture to best describe where I'm standing.

https://i.postimg.cc/x8PKnz53/ejemplo-com.png

I currently disabled the SH setup to leave just an authoritative DNS for
local resolution. Following the example, any request made from PC1 to
sys4/sys5/sys6 has no issues. However, if such a host makes a request
to sys1/sys2/sys2 it just gets a timeout response.
Any other query to the outside, let's say google.com or whatever, works 
just fine.


On Mon, 26 Jul 2021 at 13:29, Sten Carlsen wrote:


Hi

I am running just that setup.

This may not scale well enough for your needs.

I have one server with two views, one internal and one external.

The external view is the hidden master for a number of public servers. 
All going through the relevant delegations. This is only 
authoritative.


The internal view is selected by the client address and master files 
for the same domain but with my internal addresses. This is recursing 
and will answer from the master files for those domains and will 
recurse for any other query.


This has served me well and e.g. I get the internal address for the 
mail server if I query from an internal address and I get the public 
address if I query from an external address.


This setup means that mail clients will make a lookup of the same name 
always and if at home get the internal address and if outside get the 
public address.


There is often a recommendation to use different domains, e.g. 
xxx.example.com for public addresses and xxx.internal.example.com for 
the same servers internal addresses. This is not very useful since 
e.g. a mail client would have to know about two different server names 
- with split horizon I can use the same name always.


--
Best regards
Sten Carlsen

A pessimist is a person that can find a problem for every solution.


On 26 Jul 2021, at 15.55, Daniel A. Rodriguez wrote:


Hi there,

I currently have a public DNS up & runnin' but, due to a brand new
location, there's a need to add local resolution.

With that in mind, the first idea was to deploy a split horizon setup.
Sadly just local resolution works so far. I double-checked the config but
currently I'm stuck with this situation.

I was wondering if having the same zone both public and private, but
with different records, could be an issue. The master for the zone is
public, of course, and the private one, as mentioned, has a different
set of records just for LAN hosts. The idea was to go out just when a
query for a public subdomain is requested, but that doesn't seem to
work.

Both forwarders option and recursion are enabled.

Any hint will be much appreciated.






___
Daniel A. Rodriguez
Informática, Conectividad y Sistemas
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
www.unau.edu.ar
___
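Sten's one-server, two-view layout written out as a named.conf fragment, as an added example that is not from the thread or from any poster's configuration. The zone name, client range, secondary address and file paths are placeholders (example.com, a 192.168.8.0/24 LAN, 203.0.113.10 as the public secondary, zone files under /var/cache/bind as Anand recommends elsewhere in this archive); only the root hints path is the one from Daniel's config.

```conf
// Added example, not from the thread: Sten's two-view split horizon.
// Placeholders: example.com, 192.168.8.0/24 (LAN), 203.0.113.10 (secondary).
acl lan { 192.168.8.0/24; 127.0.0.1; ::1; };

view "internal" {
    match-clients { lan; };          // chosen by client address
    recursion yes;                   // recurses for every other name
    zone "example.com" {
        type primary;
        file "/var/cache/bind/internal/db.example.com";   // LAN addresses
    };
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};

view "external" {
    match-clients { any; };          // everyone else; must be the last view
    recursion no;                    // authoritative only
    allow-transfer { 203.0.113.10; };
    also-notify { 203.0.113.10; };
    zone "example.com" {
        type primary;
        file "/var/cache/bind/external/db.example.com";   // public addresses
    };
};
```

Two things to keep in mind when converting an existing named.conf to this shape: once any view is defined, every zone (root hints, localhost and the RFC 1918 reverse zones included) has to be declared inside a view, and views are matched in the order they appear, so the `any` view goes last. `named-checkconf` will reject a zone left outside a view, and the same name then answers with the internal or the public address purely by where the query came from, which is the behaviour Sten describes for his mail server.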


Re: Multisite deployment issue

2021-08-02 Thread Daniel Armando Rodriguez via bind-users

For testing purposes just added a zone as follows

zone "www.dominio.edu.ar"  {
   type forward;
   forward only;
   forwarders { XXX.XXX.XXX.XXX; };
};

and this is what I've got

root@nssv:~# dig www.dominio.edu.ar

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> www.dominio.edu.ar
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40661
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f60b7a2ec47397c2062ec9cb610857290d2614d7782ddcae (good)
;; QUESTION SECTION:
;www.dominio.edu.ar.IN  A

;; AUTHORITY SECTION:
dominio.edu.ar.		86400	IN	SOA	nssv.dominio.edu.ar. 
informatica.dominio.edu.ar. 2021072001 28800 7200 2419200 86400


;; Query time: 0 msec
;; SERVER: 192.168.8.17#53(192.168.8.17)
;; WHEN: lun ago 02 17:35:53 -03 2021
;; MSG SIZE  rcvd: 125

But, if I make an explicit request to the public server, the answer is 
the right one


root@nssv:~# dig www.dominio.edu.ar @XXX.XXX.XXX.XXX

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> www.dominio.edu.ar 
@XXX.XXX.XXX.XXX

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b0109e795ed8a84632e9bcf26108575a20463923d764104e (good)
;; QUESTION SECTION:
;www.dominio.edu.ar.IN  A

;; ANSWER SECTION:
www.dominio.edu.ar. 3600IN  A   XXX.XXX.XXX.XXX

;; AUTHORITY SECTION:
dominio.edu.ar. 3600IN  NS  ns1.dominio.edu.ar.
dominio.edu.ar. 3600IN  NS  ns2.dominio.edu.ar.

;; ADDITIONAL SECTION:
ns1.dominio.edu.ar. 3600IN  A   XXX.XXX.XXX.XXX
ns2.dominio.edu.ar. 3600IN  A   XXX.XXX.XXX.XXY

;; Query time: 33 msec
;; SERVER: XXX.XXX.XXX.XXX#53(XXX.XXX.XXX.XXX)
;; WHEN: lun ago 02 17:36:42 -03 2021
;; MSG SIZE  rcvd: 156


On 2021-08-02 17:06, Daniel Armando Rodriguez via bind-users wrote:

[snip]