Authoritative and caching
Danjel Jungersen
danjel at jungersen.dk
Sat Mar 15 21:24:13 UTC 2025
Off-list I was asked.....
root at ns1:/etc/bind# ls -la
total 60
drwxr-sr-x 3 root bind 4096 Mar 15 16:31 .
drwxr-xr-x 71 root root 4096 Jan 6 08:40 ..
-rw-r--r-- 1 root root 2403 Jul 27 2024 bind.keys
-rw-r--r-- 1 root root 255 Jul 27 2024 db.0
-rw-r--r-- 1 root root 271 Jul 27 2024 db.127
-rw-r--r-- 1 root root 237 Jul 27 2024 db.255
-rw-r--r-- 1 root root 353 Jul 27 2024 db.empty
-rw-r--r-- 1 root root 270 Jul 27 2024 db.local
-rw-r--r-- 1 root bind 458 Jul 27 2024 named.conf
-rw-r--r-- 1 root bind 498 Jul 27 2024 named.conf.default-zones
-rw-r--r-- 1 root bind 737 Mar 13 08:41 named.conf.local
-rw-r--r-- 1 root bind 950 Jan 30 08:58 named.conf.options
-rw-r----- 1 bind bind 100 Jan 3 15:27 rndc.key
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones
-rw-r--r-- 1 root root 1317 Jul 27 2024 zones.rfc1918
root at ns1:/etc/bind/zones# ls -la
total 20
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .
drwxr-sr-x 3 root bind 4096 Mar 15 16:31 ..
-rw-rw-r-- 1 root bind 445 Jan 5 17:58 db.192.168
-rw-rw-r-- 1 root bind 509 Jan 5 17:12 db.jg1.jungersen.dk
-rw-rw-r-- 1 root bind 681 Mar 15 16:54 db.jungersen.dk
I was also asked about the setgid bit; I have no reason/explanation for it.
Nor do I have any special wishes, so if it is best practice to do it
differently, I can change it.
Apparmor was also mentioned, I have no experience with that, and have
not changed it in any way (to my knowledge)...
if I have opened up too much in my effort to make it work, please let me
know, I wish to keep it as tight as possible.
:-)
Danjel
On 15-03-2025 17:31, Danjel Jungersen via bind-users wrote:
>
> I'm so sorry, but I have to trouble you guys again.
>
> The help below helped, I have no errors from checkconf or checkzone,
> but from journalctl I get:
> /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied
> and
> /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied
>
> and some more, but I think these 2 are the causes.
>
> But if I try:
> root at ns1:/etc/bind/zones# ps auxw|grep named
> bind 57446 0.1 1.2 147948 48140 ? Ssl 17:12 0:01 /usr/sbin/named -f -4 -u bind
> root 57472 0.0 0.0 6332 2036 pts/1 S+ 17:21 0:00 grep named
>
> It looks to me like the user is "bind".
>
> I also have:
> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones
>
> I have added write permission for the bind group.
>
> I have also tried to change owner to bind, same result.
>
> I have .key, .private and .state files in /var/cache/bind.
>
> What do these errors mean?
> I assume that the files that it tries to write are supposed to be
> written(?)
>
> And why is it rejected?
>
> BR
> Danjel
>
> On 12-03-2025 23:49, Mark Andrews wrote:
>> I shouldn’t have tried to write that on the phone from memory.
>>
>> dnssec-policy "unlimited" {
>> keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
>> };
>>
>> zone "jungersen.dk" {
>> type master;
>> file "/etc/bind/zones/db.jungersen.dk";
>> allow-transfer { 192.168.20.11; };
>> dnssec-policy "unlimited";
>> };
>>
>> Mark
>>
>>> On 13 Mar 2025, at 09:13, Danjel Jungersen<danjel at jungersen.dk> wrote:
>>>
>>> On 20-02-2025 08:40, Mark Andrews wrote:
>>>>> The zone is available publicly, but from public servers not hosted by me (one.com).
>>>>> And points to my external ip.
>>>>> My internal bind redirects local traffic directly to local servers on local IPs.
>>>> DNSSEC is designed to stop spoofed answers being accepted. When you create a local zone that overrides what is in the public zones you are effectively spoofing answers. As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:
>>>>
>>>> 1) create a working chain of trust that links to your private zone content
>>>> Long 1 is the best long term solution....
>>> So this is the way I will try to go.
>>>> You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>>>>
>>>> jungersen.dk. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>>>>
>>>> I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3. This will add a DNSKEY record to the zone and cause it to be signed. You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.
>>>>
>>>> You will need to do some reading first. Others here can give you more advice.
>>>>
>>> I have now read a lot, and I think I actually understood some of it.
>>>
>>> I have:
>>> zone "jungersen.dk" {
>>> type master;
>>> file "/etc/bind/zones/db.jungersen.dk";
>>> allow-transfer { 192.168.20.11; };
>>> dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
>>> };
>>>
>>> in named.conf.local
>>>
>>> It throws an error: /etc/bind/named.conf.local:15: expected string near '{'
>>>
>>> Line 15 is the dnssec-policy line.
>>>
>>> If I uncomment this line all is well.
>>>
>>> Can anyone tell me what is wrong with this line?
>>> I have copy pasted it from the suggestion, and have read some online, to me it looks good.
>>>
>>> ????
>>>
>>> BR
>>> Danjel
>>>
--
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11
Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00
WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK
<https://www.jungersen.dk>
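Added example for the "create: permission denied" question above (my own code, not anything from the thread or from BIND): it takes the two directory listings Danjel posted as constructed input and works out, from POSIX owner/group/mode alone, whether the user named runs as (`-u bind`, assumed to be in group `bind`) could create a file such as `db.jungersen.dk.jbk` or `db.jungersen.dk.signed.jnl` in each directory. The listing names and the `bind` user/group are taken from the thread; everything else is assumed.

```python
"""Decide, from ls -la output, whether a given user could create files in a
directory or write a file, using only POSIX discretionary access control.

Constructed from the listings quoted in the thread; the 'bind' user and
group are assumed to match the '-u bind' named process shown there."""
import re
from dataclasses import dataclass

# Constructed sample: the listings posted in the thread (fields as ls -la prints them).
LS_ETC_BIND = """\
total 60
drwxr-sr-x 3 root bind 4096 Mar 15 16:31 .
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones
-rw-r----- 1 bind bind 100 Jan 3 15:27 rndc.key
-rw-r--r-- 1 root bind 737 Mar 13 08:41 named.conf.local
"""

LS_ZONES = """\
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .
-rw-rw-r-- 1 root bind 681 Mar 15 16:54 db.jungersen.dk
"""

# type, 9 mode chars (optional ACL/SELinux marker), links, owner, group, size, 3 date tokens, name
LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})[+.@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    is_dir: bool
    mode: str  # nine characters, e.g. "rwxrwsr-x"
    owner: str
    group: str
    name: str

    @property
    def setgid(self) -> bool:
        # 's' (with exec) or 'S' (without) in the group execute slot is the setgid bit.
        # On a directory it only means: new entries inherit the directory's group.
        return self.mode[5] in "sS"


def parse_ls(text: str) -> list:
    """Parse ls -la output; 'total N' and unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            kind, mode, owner, group, name = m.groups()
            entries.append(Entry(kind == "d", mode, owner, group, name))
    return entries


def _triple_allows(triple: str, want: str) -> bool:
    # want is "r", "w" or "x"; a lowercase s/t in the exec slot implies exec.
    if want == "x":
        return triple[2] in "xst"
    return want in triple[:2]


def can(entry: Entry, user: str, groups, want: str) -> bool:
    """POSIX DAC: owner class if user owns the entry, else group class if one of
    the user's groups matches, else the 'other' class. Exactly one class applies."""
    if entry.owner == user:
        triple = entry.mode[0:3]
    elif entry.group in groups:
        triple = entry.mode[3:6]
    else:
        triple = entry.mode[6:9]
    return _triple_allows(triple, want)


def can_create_in(entry: Entry, user: str, groups) -> bool:
    """Creating a new file (a .jbk backup or .jnl journal) needs write AND search
    permission on the directory itself, not on any existing file."""
    return entry.is_dir and can(entry, user, groups, "w") and can(entry, user, groups, "x")


def report(listing: str, user: str = "bind", groups=("bind",)) -> dict:
    """Map each name to (can_read, can_write_or_create, setgid). For directories
    the middle value means 'can create entries inside'."""
    out = {}
    for e in parse_ls(listing):
        w = can_create_in(e, user, groups) if e.is_dir else can(e, user, groups, "w")
        out[e.name] = (can(e, user, groups, "r"), w, e.setgid)
    return out


if __name__ == "__main__":
    for listing in (LS_ETC_BIND, LS_ZONES):
        for name, (r, w, sg) in report(listing).items():
            print(f"{name:20} read={r!s:5} write/create={w!s:5} setgid={sg}")
```

Run against the posted listings, the check says the `bind` user can create files in `zones/` (group `bind` has `rws`) but not directly in `/etc/bind` (group has `r-s`). So for the `.jbk`/`.jnl` errors, plain file permissions are not the blocker, and the next layer to look at is the mandatory access control Danjel mentions: on Debian and Ubuntu, named runs under an AppArmor profile (`/etc/apparmor.d/usr.sbin.named`) that, as shipped, allows reading under `/etc/bind` but only allows writes under `/var/cache/bind` and `/var/lib/bind`. A denial at that layer shows up in the kernel log (`journalctl -k` or `dmesg`) as an `apparmor="DENIED"` line naming the profile and the path. The tidy fix is to keep `/etc/bind` read-only for named and place zones that named itself must rewrite (anything with `dnssec-policy` or `inline-signing`) under `/var/lib/bind`, rather than loosening the profile or the directory. As for the setgid bit on the directories: on a directory it only makes new files inherit the `bind` group, which is what keeps the files in `zones/` group-owned by `bind`; it grants no extra privilege and is the usual layout on those distributions.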