Ubuntu
bind9 package

rndc addzone isn't working. fix available

Bug #1247148 reported by Pavel Piatruk on 2013-11-01

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	bind9 (Ubuntu)	Confirmed	High	Unassigned

Bug Description

OS: Ubuntu 12.04,

Bind package:
ii bind9 1:9.8.1.dfsg.P1-4ubuntu0.7 Internet Domain Name Server

Bind folder:
drwxr-s--- 3 bind bind 4096 Nov 1 20:46 /etc/bind

* Steps to reproduce the issue

rndc -s localhost addzone 'zzz.com { type master; file "/etc/bind/master/zzz.com"; };'
rndc: 'addzone' failed: permission denied

* Steps to fix
Edit /etc/init.d/bind9 , add "-d /etc/bind" to start-stop-daemon in start) section

* Explanation
Named tries to store *.nzf (zones created by rndc zoneadd) in a directory from where it started. By default it is not /etc/bind

Yolanda Robla (yolanda.robla) on 2013-11-11

Changed in bind9 (Ubuntu):
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Charles Peters II (cp) wrote on 2013-11-11:

#1

snippet of /etc/apparmor.d/usr.sbin.named
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

Pavel's proposed solution could cause other issues with apparmor. Furthermore Pavel should place the zone files in /var/lib/bind/.

$ ls -ld /var/lib/bind/master/
drwxrws--- 3 root bind 4096 Jun 30 23:08 /var/lib/bind/master/

A directory from a hidden master containing one of my DNSSEC enabled zones, a zone which is configured to automatically rotate the ZSK or zone signing key:
$ sudo ls -la /var/lib/bind/master/tuxedo.net
total 104
drwxrws--- 2 bind bind 4096 Nov 8 18:03 .
drwxrws--- 3 root bind 4096 Jun 30 23:08 ..
-rw-r--r-- 1 root bind 1858 Sep 24 18:51 tuxedo.net.hosts
-rw-r--r-- 1 bind bind 512 Sep 24 18:51 tuxedo.net.hosts.jbk
-rw-r--r-- 1 bind bind 7509 Nov 8 18:03 tuxedo.net.hosts.signed
-rw-r--r-- 1 bind bind 76419 Nov 8 17:48 tuxedo.net.hosts.signed.jnl

Revision history for this message

Pavel Piatruk (piatruk-p) wrote on 2013-11-11:

#2

Charles,
I don't have Apparmor on this server. Yes, after changing init script from
-d /etc/bind
to
-d /var/lib/bind
Bind is still working, dynamic zones are created and served. It seems NZF files can only be created in Bind's Currently Working Directory.

Revision history for this message

Charles Peters II (cp) wrote on 2013-11-11:

#3

Perhaps a better approach would be to modify /etc/default/bind9.

$ cat /etc/default/bind9
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"

Revision history for this message

Pavel Piatruk (piatruk-p) wrote on 2013-12-13:

#4

This will not work because $OPTIONS is passed to named , while I have altered arguements of start-stop-daemon

Revision history for this message

Adrien Cunin (adri2000) wrote on 2014-04-18:

#5

Can you reproduce this on saucy or trusty?

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.