Differences

This shows you the differences between two versions of the page.

linux:sw:named [2021/05/16 15:25] niziaklinux:sw:named [2021/05/16 15:56] (current) niziak
Line 19: Line 19:
 ... ...
 </file> </file>
 +
 +Test update:
 +<code bash>
 +nsupdate
 +zone int.example.com
 +update add kupa.int.example.com. 300 A 1.2.3.4
 +show
 +send
 +</code>
  
 ==== Issue: error: journal open failed ==== ==== Issue: error: journal open failed ====
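Review bot: The nsupdate session in the added "Test update" block has no authentication (no `-k` key file on the command line and no `key` statement) and no `server` line, so the page does not say which server receives the update or why it would be accepted. State the assumption next to the block, for example that the zone's update policy allows this host to update without a key, or which key is used. Add a cleanup step such as `update delete kupa.int.example.com. A` so the test record does not stay in the zone. The block is also tagged `<code bash>` although every line after `nsupdate` is typed at the nsupdate prompt, not in the shell.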
Line 29: Line 38:
 kernel: audit: type=1400 audit(1621169400.739:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106 kernel: audit: type=1400 audit(1621169400.739:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
 </code> </code>
 +
 +  * Reason: by design app armor blocks modification of persistent cofnfig dir ''/etc''. It should be done inside ''/var/lib/bind''. In Debian, app armor is configured as:
 +    * /etc/bind should be read-only for bind
 +    * /var/lib/bind is for dynamically updated zone (and journal) files.
 +    * /var/cache/bind is for slave/stub data, since we're not the origin of it.
 +  * Solutions:
 +    * Create symbolic links (see [[https://wiki.debian.org/DDNS#DNS_Server_Configuration|DNS Server Configuration]]
 +    * modify app armor:
 +<file | /etc/apparmor.d/local/usr.sbin.named>
 +/etc/bind/zones/** rw,
 +</file>
 +
 +
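Review bot: The override added for `/etc/apparmor.d/local/usr.sbin.named` grants `rw` on `/etc/bind/zones/**`, but the denial quoted just above this hunk is for `/etc/bind/master/zone-int.example.com.jnl`, so as written the rule does not cover the path that was blocked. Either use the directory from the log or say that the zone files were moved to `zones/`. The rule also runs against the layout listed in the same hunk (`/etc/bind` read-only, dynamic zones and journals in `/var/lib/bind`), so it would help to mark the symbolic-link option as the preferred one and to mention that the profile has to be reloaded before the change takes effect. Small fixes: "cofnfig" should be "config", "app armor" is spelled AppArmor, and the symbolic-links bullet is missing its closing parenthesis after the `]]`.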