Certbot rfc2136

Petr Menšík pemensik at redhat.com
Fri Nov 5 13:20:49 UTC 2021


I would use something under /var directory with data modified by daemons
itself. I think that place is more appropriate for zones signed by named
daemon.

We at Red Hat still use /var/named, where SELinux would allow named
changing data. I do not think named itself should modify data in /etc.
It depends on file layout used.

I think /var/lib/bind is more appropriate for primary zones data,
/var/cache/bind for slaves. I would place only static files not modified
by named to /etc/bind. At least our policy allows only similar approach.
I would not update AppArmor but move files managed by named to
appropriate directories instead. And update named.conf with full paths
to them if needed.

Cheers,
Petr

On 10/26/21 12:23, Paul van der Vlis wrote:
> Hi Mark, and others,
>
> Op 25-10-2021 om 23:58 schreef Mark Andrews:
>>
>>
>>> On 26 Oct 2021, at 08:02, Paul van der Vlis <paul at vandervlis.nl> wrote:
>>>
>>> Hello,
>>>
>>> I've made some progress..
>>>
>>> Op 24-10-2021 om 21:39 schreef Paul van der Vlis:
>>> (...)
>>>> I've tried to specify the "key-directory" in the bind
>>>> configuration, but when I do that I get an error during "rndc
>>>> reload", so I cannot specify a key-directory.  This is Bind 9.16.15
>>>> from Debian 11.
>>>> What do I wrong?
>>>
>>> What I did wrong here, is putting this key-directory option into the
>>> bind configuration (/etc/bind/named.conf). The correct place is in
>>> the zone, so I did put it in the "rndc modzone" command. This works ;-)
>>
>> Well it can go in named.conf.  It needs to be in the options and/or
>> view and/or zone sections.  This is documented.
>
> OK..  Maybe it would work if I did put it in the options file.
>
>>> But now I have a next problem:
>>> ------
>>> Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400
>>> audit(1635193673.521:12): apparmor="DENIED" operation="mknod"
>>> profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343
>>> comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107
>>> ouid=107
>>> Oct 25 22:27:53 ns1 named[343]:
>>> /etc/bind/zones/hallo24.nl.signed.jnl: create: permission denied
>>> ------
>>>
>>> Hmm, maybe it's not a good idea that bind would change those static
>>> configfiles. What I would like, is that bind would change only
>>> temporary the database in /var/cache/bind/ . Would that be
>>> possible?  Or do you have a better idea?
>>
>> It’s not named’s job to update SELinux or AppArmour. I suspect we
>> would get complaints if we attempted to do that.  Changing security
>> policy is the job of the operator.
>
> I know how to configure apparmor, my question is not about that.
>
> My question is about what is a good way to implement rfc2136 in Bind.
>
> I guess it's not a good idea that Bind really changes the zone-files
> in /etc/bind using rfc2136 because /etc is for static configuration
> data. But maybe I am wrong.
>
> Is it the way to go to update Apparmor to make Bind write in /etc/bind
> , or is there a better way?
>
> With regards,
> Paul van der Vlis.
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



More information about the bind-users mailing list