Server guide gives wrong examples for bind9 (was: DDNS dynamic file creation permission denied)

Bug #999324 reported by Axel Glienke
Affects: bind9 (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

syslog:
May 14 22:29:29 intra kernel: [79589.932099] type=1400 audit(1337027369.590:40): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/db.example.com.jnl" pid=6024 comm="named" requested_mask="c" denied_mask="c" fsuid=105 ouid=105

named tries to create a file in /etc/bind/.
AppArmor prevents this.
The DDNS update fails.

Changed in bind9 (Ubuntu):
status: New → Confirmed
importance: Undecided → High
tags: added: apparmor
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

Serge Hallyn (serge-hallyn) wrote :

Actually I'm not quite sure why it would have tried to create that file.

Can you tell us which release you are on, and post your /etc/bind/named.conf and /etc/bind/named.conf.local files?

(We don't want to risk opening permissions for what turns out to be a bug in bind9 itself)

Changed in bind9 (Ubuntu):
status: Confirmed → Incomplete
Axel Glienke (axel-kultviech) wrote :

It creates the file because the zone file is being updated from dhcpd.

====================================================================
root@intra:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/etc/bind/ddns.key";

zone "example.com" {
 type master;
 file "/etc/bind/db.example.com";
 allow-update { key "DHCP_UPDATER"; };
};

zone "1.10.in-addr.arpa" {
 type master;
 file "/etc/bind/db.1.10";
 allow-update { key "DHCP_UPDATER"; };
};

====================================================================
root@intra:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Axel Glienke (axel-kultviech) wrote :

root@intra:/etc/bind# apt-cache policy bind9
bind9:
  Installiert: 1:9.8.1.dfsg.P1-4
  Kandidat: 1:9.8.1.dfsg.P1-4
  Versionstabelle:
 *** 1:9.8.1.dfsg.P1-4 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status

Changed in bind9 (Ubuntu):
status: Incomplete → New
Serge Hallyn (serge-hallyn) wrote :

Thanks for the info, Axel.

I was at first wondering whether the 'file' should point to another location to which bind9 already has write access, but the file locations you are using match what is in the server guide (https://help.ubuntu.com/12.04/serverguide/dns-configuration.html).

Marking this confirmed. Thanks again.

Changed in bind9 (Ubuntu):
status: New → Triaged
Serge Hallyn (serge-hallyn) wrote :

Hm, then again, the apparmor policy file says:

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz

Does this mean that the server guide should be updated?

Changed in bind9 (Ubuntu):
status: Triaged → Confirmed
Serge Hallyn (serge-hallyn) wrote :

So - IIUC either the server guide or the apparmor policy needs to be updated.

Jamie Strandboge (jdstrand) wrote :

The server guide is wrong; the bind9 packaging has specified /var/lib/bind for journal files and DDNS for a long time. From README.Debian:
"Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be stored in /var/lib/bind, and specified with full pathnames."

This path was added to the apparmor profile in Ubuntu 8.04 LTS and was added to the package during the 8.04 LTS development cycle:
bind9 (1:9.4.2-2) unstable; urgency=low
...
  * bind9: deliver /var/lib/bind directory, and document.
    Closes: #248771, #200253, #202981, #209022

This separation is by design so that named does not have write access to /etc/bind/* such that a flaw in bind9 doesn't result in writes to authoritative zone data (which is found in /etc/bind). I suggest the server guide documentation be updated to use the paths as specified in the package. In the meantime, people can update /etc/apparmor.d/local/usr.bin.named to add write access to /etc/bind if they desire (or adjust their configuration).

Changed in bind9 (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
summary: - DDNS dynamic file creation permission denied
+ Server guide gives wrong examples for bind9 (was: DDNS dynamic file
+ creation permission denied)
tags: removed: apparmor
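The two checks a defender wants here, as an added example (this is not code from the bug report, the server guide or the bind9 package): spotting the AppArmor denial for the named profile in kernel audit lines, and linting a named.conf fragment for zones that allow dynamic updates while their zone file still sits under /etc/bind. The log lines and config fragments are constructed from the ones posted above; the /var/lib/bind layout is the one README.Debian prescribes.

```shell
#!/bin/sh
# Added example (not part of the bug report or the bind9 package): two
# defender-side checks for the misconfiguration discussed in this thread.
# Assumes the Debian/Ubuntu layout the package README describes: /etc/bind is
# read-only for named, dynamically updated zones live in /var/lib/bind.
# The log lines and config fragments below are constructed for this demo.

# 1. Pull AppArmor denials for the named profile out of kernel audit lines.
#    Reads log text on stdin; prints "<operation> <path> <denied_mask>" per denial.
apparmor_named_denials() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/named"' \
    | sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# 2. Lint a named.conf fragment: report zones that allow dynamic updates but
#    keep their zone file under /etc/bind, where named cannot write the .jnl.
#    Reads config text on stdin; prints "<zone> <file>" for each offender.
#    Zones without allow-update may legitimately stay in /etc/bind.
lint_ddns_zone_paths() {
    awk '
        /^[ \t]*zone[ \t]+"/ { match($0, /"[^"]*"/); zone = substr($0, RSTART + 1, RLENGTH - 2); file = ""; upd = 0 }
        /^[ \t]*file[ \t]+"/ { match($0, /"[^"]*"/); file = substr($0, RSTART + 1, RLENGTH - 2) }
        /allow-update/       { upd = 1 }
        /^[ \t]*};/          { if (upd && file ~ "^/etc/bind/") print zone, file; zone = ""; file = ""; upd = 0 }
    '
}

# Constructed sample: the denial from this report plus a non-denial status line.
SAMPLE_LOG='May 14 22:29:29 intra kernel: [79589.932099] type=1400 audit(1337027369.590:40): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/db.example.com.jnl" pid=6024 comm="named" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
May 14 22:29:10 intra kernel: [79570.000000] type=1400 audit(1337027350.000:39): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/named" pid=6001 comm="apparmor_parser"'

# Constructed: the server-guide layout as posted in this report, plus one
# static zone that is fine where it is.
BAD_CONF='include "/etc/bind/ddns.key";

zone "example.com" {
 type master;
 file "/etc/bind/db.example.com";
 allow-update { key "DHCP_UPDATER"; };
};

zone "1.10.in-addr.arpa" {
 type master;
 file "/etc/bind/db.1.10";
 allow-update { key "DHCP_UPDATER"; };
};

zone "static.example" {
 type master;
 file "/etc/bind/db.static.example";
};'

# Constructed: the same dynamic zones using the package layout (/var/lib/bind).
GOOD_CONF='zone "example.com" {
 type master;
 file "/var/lib/bind/db.example.com";
 allow-update { key "DHCP_UPDATER"; };
};

zone "1.10.in-addr.arpa" {
 type master;
 file "/var/lib/bind/db.1.10";
 allow-update { key "DHCP_UPDATER"; };
};'

echo "== AppArmor denials for named =="
printf '%s\n' "$SAMPLE_LOG" | apparmor_named_denials
echo "== zones updatable but stored under /etc/bind (server-guide layout) =="
printf '%s\n' "$BAD_CONF" | lint_ddns_zone_paths
echo "== same check on the /var/lib/bind layout (expect no output) =="
printf '%s\n' "$GOOD_CONF" | lint_ddns_zone_paths
```

On a real host, feed `journalctl -k` or /var/log/syslog to the first function and /etc/bind/named.conf.local to the second. Moving the zone files to /var/lib/bind and pointing `file` at the full path keeps the separation the AppArmor profile enforces, rather than widening named's write access to /etc/bind.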
Axel Glienke (axel-kultviech) wrote :

Additionally, as a workaround you have to change the permissions of /etc/bind. User bind needs write access:
chmod 775 /etc/bind

Changed in bind9 (Ubuntu):
assignee: Serge Hallyn (serge-hallyn) → nobody
status: Confirmed → Fix Released