Authoritative and caching
Timothe Litt
litt at acm.org
Sun Mar 16 10:07:46 UTC 2025
On 15-Mar-25 18:16, Lee wrote:
> On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users
> <bind-users at lists.isc.org> wrote:
>> Apparmor was also mentioned, I have no experience with that, and have not changed it in any way (to my knowledge)...
> On my machine,
>
> $ journalctl -l | grep apparmor | grep bind |more
>
> shows many lines like
>
> Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
> operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk"
> pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c"
> fsuid=116 ouid=116
> Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
> operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk"
> pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c"
> fsuid=116 ouid=116
>
> /etc/apparmor.d/usr.sbin.named on my machine has
>
> # /etc/bind should be read-only for bind
>
> and I'm clearly violating that assumption :(
> Rather than fix my bind config I fixed the apparmor config. If you go
> that way remember to do
>
> /etc/init.d/apparmor restart
>
> to have the new apparmor rules take effect.
>
> Regards,
> Lee
I deal with selinux rather than apparmor, but the principles and
pitfalls are the same.
In the long run it's likely to be better to find a suitable
named-writable directory for your zone files. Or if your distribution
doesn't provide one, file a bug report.
With local policy patches, sooner or later an
upgrade/update/configuration (or staff) change will cause an issue. By
Murphy's law, at the most inconvenient time.
Treating zone file directories as read-only on "master" ("primary")
servers was reasonable when most zone files were manually edited.
With UPDATE, and now more important, DNSSEC signing this isn't (and
shouldn't be) nearly as common. The advice to put these files in /etc
is out-of-date.
Any distribution that doesn't provide a security policy and directory
layout for these configurations is behind the times. So after checking
their documentation, file a bug report with them.
However, I'd be surprised if apparmor doesn't provide a suitable
directory, since slaves' / secondaries' zone files are always
writable...so it may simply be a documentation/default configuration issue.
Note that /etc/bind usually also contains the configuration files
(named.conf, named.conf.d, etc). And those SHOULD be read-only for
named. So making all of /etc/bind read-write defeats some of the
apparmor/selinux protection.
A typical writable location for zone files is /var/named. (Under
selinux, zone files are labeled, and whether they can be written is a
configuration switch. There should be an apparmor equivalent... )
ISC gave some webinars on "BIND 9 Security" a couple of years ago.
https://www.isc.org/blogs/bind-security-webinar-series-2021/ . There's
a recording of the one on apparmor that may be helpful. (I haven't
watched it, but the ISC webinars are usually well done.)
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
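Added example, not code from the thread or from ISC: a small Python parser for the AVC lines quoted above that tallies DENIED events for the named profile and separates write denials under /etc/bind (which should stay read-only) from those under other directories (where a named-writable zone directory or profile rule is the likely fix). The journal lines are constructed after the ones Lee quoted; the /var/named entry is an added, hypothetical case.

```python
"""Summarise AppArmor denials for the named profile from journalctl output."""
import re
from collections import Counter

# key="value" or key=value pairs as emitted in kernel audit / AVC lines
_KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Constructed sample journal lines modelled on the denials quoted in the thread
SAMPLE_JOURNAL = """\
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk" pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk" pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:13 spot audit[922]: AVC apparmor="DENIED" operation="open" profile="named" name="/etc/bind/named.conf" pid=922 comm="named" requested_mask="w" denied_mask="w" fsuid=116 ouid=0
Dec 14 08:00:15 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/var/named/db.example.jbk" pid=922 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:16 spot sshd[1]: unrelated line that is not an AVC record
"""


def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(1) else m.group(4)
    return fields


def summarise_denials(journal_text, profile="named"):
    """Count DENIED events per (operation, directory, denied_mask) for one profile."""
    counts = Counter()
    for line in journal_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        directory = f.get("name", "").rsplit("/", 1)[0] or "/"
        counts[(f.get("operation"), directory, f.get("denied_mask"))] += 1
    return counts


def classify(summary, config_dir="/etc/bind"):
    """Split denials into those under the config directory (keep it read-only;
    move the zone files) and those elsewhere (fix the profile or directory)."""
    in_config, elsewhere = {}, {}
    for (op, directory, mask), n in summary.items():
        target = in_config if directory.startswith(config_dir) else elsewhere
        target[(op, directory, mask)] = n
    return in_config, elsewhere


if __name__ == "__main__":
    cfg, other = classify(summarise_denials(SAMPLE_JOURNAL))
    print("denials under /etc/bind:", cfg)
    print("denials elsewhere:", other)
```

Feed it the output of `journalctl -l | grep apparmor` instead of SAMPLE_JOURNAL to see where named is actually being refused writes on a real host.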