Authoritative and caching

Danjel Jungersen danjel at jungersen.dk
Sat Mar 15 16:31:48 UTC 2025


I'm so sorry, but I have to trouble you guys again.

The help below helped; I have no errors from checkconf or checkzone, but 
from journalctl I get:
/etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
and
/etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied

and some more, but I think these 2 are the causes.

But if I try:
root at ns1:/etc/bind/zones# ps auxw|grep named
bind       57446  0.1  1.2 147948 48140 ?        Ssl  17:12   0:01 /usr/sbin/named -f -4 -u bind
root       57472  0.0  0.0   6332  2036 pts/1    S+   17:21   0:00 grep named

It looks to me like the user is "bind".

I also have:
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones

I have added write permission for the bind group.

I have also tried to change owner to bind, same result.

I have .key, .private and .state files in /var/cache/bind.

What do these errors mean?
I assume that the files that it tries to write are supposed to be written(?)

And why is it rejected?

BR
Danjel

On 12-03-2025 23:49, Mark Andrews wrote:
> I shouldn’t have tried to write that on the phone from memory.
>
> dnssec-policy "unlimited" {
> 	keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> };
>
> zone "jungersen.dk" {
>          type master;
>          file "/etc/bind/zones/db.jungersen.dk";
>          allow-transfer { 192.168.20.11; };
>          dnssec-policy "unlimited";
> };
>
> Mark
>
>> On 13 Mar 2025, at 09:13, Danjel Jungersen<danjel at jungersen.dk> wrote:
>>
>> On 20-02-2025 08:40, Mark Andrews wrote:
>>>> The zone is available publicly, but from public servers not hosted by me (one.com).
>>>> And it points to my external IP.
>>>> My internal bind redirects local traffic directly to local servers on local IPs.
>>> DNSSEC is designed to stop spoofed answers being accepted.  When you create a local zone that overrides what is in the public zones you are effectively spoofing answers.  As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:
>>>
>>> 1) create a working chain of trust that links to your private zone content
>>> Long 1 is the best long term solution....
>> So this is the way I will try to go.
>>> You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>>>
>>> jungersen.dk. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>>>
>>> I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3.  This will add a DNSKEY record to the zone and cause it to be signed.  You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.
>>>
>>> You will need to do some reading first. Others here can give you more advice.
>>>
>> I have now read a lot, and I think that I actually understood some of it.
>>
>> I have:
>> zone "jungersen.dk" {
>>          type master;
>>          file "/etc/bind/zones/db.jungersen.dk";
>>          allow-transfer { 192.168.20.11; };
>>          dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
>> };
>>
>> in named.conf.local
>>
>> It throws an error: /etc/bind/named.conf.local:15: expected string near '{'
>>
>> Line 15 is the dnssec-policy line.
>>
>> If I uncomment this line all is well.
>>
>> Can anyone tell me what is wrong with this line?
>> I have copy-pasted it from the suggestion and have read some online; to me it looks good.
>>
>> ????
>>
>> BR
>> Danjel
>>
-- 
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11

Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00

WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK <https://www.jungersen.dk>

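An added diagnostic, written for this page and not taken from the thread or from BIND: it encodes the classic POSIX owner/group/other rule so you can see which class a service account matches on the zone directory and whether both write and search are present (creating `db.jungersen.dk.jbk` or `.signed.jnl` needs both). The `ls -ld` line and the `-u bind` user are the ones quoted above; the other inputs are constructed. If this says "allowed" but named still gets "permission denied", the remaining layer to check on Debian-based systems is the AppArmor profile for named, which permits writes under /var/cache/bind and /var/lib/bind but only reads under /etc/bind.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class DirEntry:
    mode: str   # e.g. "drwxrwsr-x"
    owner: str
    group: str
    name: str

# mode, links, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(r"^([d-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_ls_entry(line: str) -> DirEntry:
    """Parse one `ls -ld` line of the form quoted in the thread."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    return DirEntry(*m.groups())

def _class_bits(mode: str, cls: int) -> tuple[bool, bool]:
    """(write, search) for class 0=owner, 1=group, 2=other. Lower-case
    's'/'t' in the x slot mean setuid/setgid/sticky plus x; 'S'/'T' mean no x."""
    base = 1 + cls * 3
    return mode[base + 1] == "w", mode[base + 2] in "xst"

def can_create_in(entry: DirEntry, user: str, groups: set[str]) -> tuple[bool, str]:
    """Creating a file needs write+search on the directory. POSIX selects one
    class only: owner if the uid matches, else group if any gid matches, else
    other; a denied group bit is not rescued by a permissive 'other' bit."""
    if user == entry.owner:
        cls, label = 0, "owner"
    elif entry.group in groups:
        cls, label = 1, f"group {entry.group}"
    else:
        cls, label = 2, "other"
    w, x = _class_bits(entry.mode, cls)
    reason = f"{user} matched as {label}: write={w} search={x}"
    if entry.mode[6] in "sS":
        reason += f"; setgid: new files inherit group {entry.group}"
    return w and x, reason

# Constructed from the `ls` and `ps` output quoted in the thread (named runs with -u bind).
ZONES_LINE = "drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones"

if __name__ == "__main__":
    print(can_create_in(parse_ls_entry(ZONES_LINE), "bind", {"bind"}))
```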