location for master file dump

André Rodier andre at rodier.me
Sun May 27 08:13:30 UTC 2018 

On Sat, 2018-05-26 at 22:45 +0100, André Rodier via bind-users wrote:
> On 2018-05-26 22:16, Anand Buddhdev wrote:
> > On 26/05/2018 19:47, André Rodier via bind-users wrote:
> > 
> > Hi André
> > 
> > > I need to precise, I have also added this option 
> > > in named.conf.options:
> > > 
> > > directory "/var/cache/bind";
> > > 
> > > And bind is creating the journal files inside:
> > > 
> > > -rw-r--r-- 1 bind bind 1.4K May 26 18:36 managed-keys.bind
> > > -rw-r--r-- 1 bind bind  512 May 26 18:36 managed-keys.bind.jnl
> > > 
> > > However, when started, bind is apparently trying to write in /etc/bind 
> > > anyway:
> > > 
> > > > May 26 18:36:01 homebox named[1298]: managed-keys-zone: journal file 
> > > > is out of date: removing journal file
> > > > May 26 18:36:01 homebox named[1298]: managed-keys-zone: loaded serial 
> > > > 2
> > > > May 26 18:36:01 homebox named[1298]: zone 0.in-addr.arpa/IN: loaded 
> > > > serial 1
> > > > May 26 18:36:01 homebox named[1298]: zone auto.in-addr.arpa/IN: 
> > > > loaded serial 1527352056
> > > > May 26 18:36:01 homebox named[1298]: zone 127.in-addr.arpa/IN: loaded 
> > > > serial 1
> > > > May 26 18:36:01 homebox named[1298]: zone 255.in-addr.arpa/IN: loaded 
> > > > serial 1
> > > > May 26 18:36:01 homebox named[1298]: zone localhost/IN: loaded serial 
> > > > 2
> > > > May 26 18:36:01 homebox named[1298]: zone homebox.space/IN 
> > > > (unsigned): loaded serial 1527352055
> > > > May 26 18:36:01 homebox named[1298]: all zones loaded
> > > > May 26 18:36:01 homebox named[1298]: running
> > > > May 26 18:36:01 homebox named[1298]: zone homebox.space/IN (signed): 
> > > > loaded serial 1527352055
> > > > May 26 18:36:01 homebox named[1298]: zone auto.in-addr.arpa/IN: 
> > > > sending notifies (serial 1527352056)
> > > > May 26 18:36:01 homebox named[1298]: 
> > > > /etc/bind/forward.homebox.space.jbk: create: permission denied
> > 
> > You've told BIND to load zones from /etc/bind, so it will try to create
> > the journal files in the same directory, despite the "directory" 
> > option.
> > 
> > You'll need to move your zones into /var/cache/bind, or a subdirectory
> > thereof.
> > 
> > Regards,
> > Anand
> 
> Thank you, Anand,
> 
> It is something I am reluctant to do, I have already started to explore 
> other servers.
> 
> Kind regards,
> André

Hello again, Anand and everyone.

Thanks for your help, sorry for the answer yesterday, I was pretty
upset by this limitation.

In the end, I finally used /var/cache/bind as the directory for bind9,
and I do not have the error from AppArmor any more. Also, I did not
want to loose the time I invested in the configuration.

However, I kept my domain definition file in /etc/bind, with read only
permissions, and used a symbolic link in /var/cache/bind. This is the
safest way I found to keep apart configuration and dynamic data.

However, PowerDNS seems a good server I am willing to explore the
option.

Kind regards,
André
-- 
HomeBox: https://github.com/progmaticltd/homebox

More information about the bind-users mailing list