Strictly separate directories for admin-provided and named-generated files?
Charles Eckman
charles at cceckman.com
Fri Nov 15 15:47:11 UTC 2024
Hi bind-users,
As I was configuring DNSSEC for a domain, I ran into a conflict
between the AppArmor profile in the bind9 Debian package, and what I
understand to be the default / recommended file layout (the same issue
as [1]). The proposed solution in [1] is to put admin-provided files (i.e.
zone files) in /var/lib/named, but that strikes me as inconsistent with
the FHS [2].
Is there a way to configure named to place generated files (e.g.
signed zones) in a separate directory from the admin-provided files
(unsigned zones)? I know of the `journal` option [3] for the journal
file specifically, but I don't seem to see an equivalent for the
`.signed` zonefile.
I know, the FHS is not law; putting admin-provided files in /var/lib,
or tweaking the AppArmor profile and allowing named to drop files in
/etc/bind, would work. But putting the human's stuff in /etc and the
computer's stuff in /var will save me some confusion the next time I
have to debug something.
I'm also down for other workarounds, if you have suggestions!
Thanks,
Charles
[1]: https://lists.isc.org/mailman/htdig/bind-users/2020-September/103706.html
[2]: https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html :
"Users must never need to modify files in /var/lib to configure a
package's operation."
[3]: https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-journal
---
Logs and references, for discoverability & in case I missed something:
On my Debian system (package version `1:9.18.28-1~deb12u2`), I
configured a zone as follows:
```
zone "cceckman.com" {
    type primary;
    file "/etc/bind/primary/auxiliary.db";
    # (transfer, notify, etc. elided)
    dnssec-policy default;
    inline-signing true;
};
```
After a config reload, named started reporting the following errors:
```
Nov 15 15:16:49 pvm named[79928]: /etc/bind/primary/auxiliary.db.signed.jnl: create: permission denied
...
Nov 15 15:25:00 pvm named[79928]: dumping master file: /etc/bind/primary/tmp-SDhgprtsTr: open: permission denied
```
The Unix permissions were fine, but `dmesg` reported AppArmor violations:
```
[244861.365912] audit: type=1400 audit(1731682609.128:204): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/auxiliary.db.signed.jnl" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245026.362333] audit: type=1400 audit(1731682774.128:205): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/tmp-8s5lo8MBd2" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
```
From this, I found [1].
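Added example, not part of Charles's message and not code from the bind9 package or from AppArmor: a small Python script that pulls AppArmor audit records of the kind quoted above out of `dmesg` output, separates DENIED from other records, and collapses the denied paths into candidate profile rules. The point it makes is the one hidden in the second denial: `tmp-8s5lo8MBd2` is a randomly named temporary file, so a rule for that exact path (what a naive reading of the log suggests) will never match the next dump; the script instead proposes a glob over the parent directory when more than one name in that directory was denied. The sample input is reconstructed from the two denials in the post plus one constructed `ALLOWED` line; the Debian override path `/etc/apparmor.d/local/usr.sbin.named` mentioned in the comments is an assumption about the local layout. This is an illustration of the log format, not a replacement for `aa-logprof`.

```python
import posixpath
import re
from collections import defaultdict

# Sample kernel audit lines. The two DENIED records are the ones quoted in the
# post (joined back onto single lines); the ALLOWED record is constructed to
# show that non-denials are filtered out.
SAMPLE_DMESG = """\
[244861.365912] audit: type=1400 audit(1731682609.128:204): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/auxiliary.db.signed.jnl" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245026.362333] audit: type=1400 audit(1731682774.128:205): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/primary/tmp-8s5lo8MBd2" pid=79928 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
[245030.000000] audit: type=1400 audit(1731682778.000:206): apparmor="ALLOWED" operation="open" profile="named" name="/etc/bind/named.conf" pid=79928 comm="named" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in AUDIT_KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_dmesg(text):
    """All AppArmor audit records found in a block of dmesg output."""
    return [ev for ev in (parse_audit_line(l) for l in text.splitlines()) if ev]


# Kernel log masks -> permission letters used in profile rules. Create ("c")
# and delete ("d") in the log are granted by "w" in rule syntax.
_MASK_TO_RULE = {"c": "w", "d": "w"}
_PERM_ORDER = "rwalkmx"


def mask_to_rule_perms(mask):
    """Translate a requested/denied mask into rule permission letters."""
    perms = {_MASK_TO_RULE.get(ch, ch) for ch in mask}
    if "w" in perms:
        perms.discard("a")  # "w" already implies append
    return "".join(p for p in _PERM_ORDER if p in perms)


def suggest_rules(events):
    """Collapse DENIED file events into candidate rules, keyed by profile.

    Paths are grouped by parent directory. If a directory shows more than one
    denied name (randomly named temp files, for instance), the suggestion is a
    glob over the directory; a per-file rule would never match the next name.
    """
    wanted = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for ev in events:
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        names, perms = wanted[ev["profile"]][posixpath.dirname(ev["name"])]
        names.add(ev["name"])
        perms.update(mask_to_rule_perms(ev.get("denied_mask", "")))

    rules = {}
    for profile, dirs in wanted.items():
        out = []
        for parent, (names, perms) in sorted(dirs.items()):
            perm = "".join(p for p in _PERM_ORDER if p in perms)
            target = posixpath.join(parent, "*") if len(names) > 1 else next(iter(names))
            out.append(f"{target} {perm},")
        rules[profile] = out
    return rules


if __name__ == "__main__":
    events = parse_dmesg(SAMPLE_DMESG)
    for ev in events:
        print(ev["apparmor"], ev["profile"], ev["operation"], ev["name"], ev["denied_mask"])
    for profile, rules in suggest_rules(events).items():
        # Assumed Debian layout: local overrides live in
        # /etc/apparmor.d/local/usr.sbin.named and are loaded with
        # `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`.
        print(f"# candidate rules for profile {profile!r}:")
        for r in rules:
            print(" ", r)
```

Whether to grant `/etc/bind/primary/* w,` at all is exactly the question the post raises; the script only shows what the denials amount to. Feed it `dmesg` or the audit log and compare the proposed targets against the directories the shipped profile already allows writes to before touching the override.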