AppArmor, DHCP, Bind9 issue [SOLVED]

Petr Menšík pemensik at
Fri Oct 2 07:53:13 UTC 2020

Hello Olivier,

On 10/1/20 5:27 PM, Olivier wrote:
> Hello,
> Thank you all for replying !
> Thanks to your suggestions, creating an /etc/bind/subdir directory, and
> tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update
> Bind9 entries.
It depends, whether zone data are considered data (and belong to
/var/lib/bind instead), or configuration. When it is updated by named, I
think it is data. And you should just make symlink to /var/lib/bind or
its subdirectory. It is already prepared for that.

Or just use full paths to /var/lib/bind in zone definitions.
> 1. I'm hesitant to file a bug on Debian about this.  As this both involves
> Bind9 and AppArmor, would you say it deserves to be implemented and
> documented in default Bind9 installation or that it is too specific for
> this ?
I doubt it. It is documented in /usr/share/doc/bind9/README.Debian,
where should it belong. It clearly states any zone with dynamic updates
should belong to /var/lib/bind.

Of course you can customize it, but then also AppArmor has to be adjusted.
> 2. If it deserves to to be implemented, how would you name this
> /etc/bind/subdir directory ?
> I personally used "/etc/bind/ddns-zones" but surely there exist
> alternatives that better describe the purpose of this directory (hosting
> config that bind9 needs to rewrite) such as :
> writable_conf
> rw_conf
> rwconf
(cd /etc/bind && ln -s ../../var/lib/bind ddns-zones)
should be enough.
> Detailed steps I followed on Debian Buster to work around the issue were:
> mkdir /etc/bind/ddns-zones
> chown root:bind /etc/bind/ddns-zones
> # I don't know if plain  775 better fits. Comments welcome
> chmod 2775 /etc/bind/ddns-zones
> Adding into /etc/apparmor.d/usr.sbin.named, a line:
> /etc/bind/ddns-zones/** rw,
> before line
> /etc/bind/** r,
> Best regards
> _______________________________________________
> Please visit to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at for more information.
> bind-users mailing list
> bind-users at

Petr Menšík
Software Engineer
Red Hat,
email: pemensik at
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the bind-users mailing list