<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"><meta http-equiv="content-type" content="text/html; charset=utf-8">Put the zone file in /var/lib/bind and update named.conf.<div><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 23 Sep 2020, at 00:43, Olivier <oza.4h07@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div>Hello,</div><div><br></div><div>I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5) instance installed on a Debian Buster box.</div><div>Both come from Debian stable repo.</div><div><br></div><div>I would like my DHCP server to update Bind9 database when leases are allocated to DHCP clients.</div><div><br></div><div>I followed instructions from [1].</div><div>I then met the following error:</div><div>Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400
audit(1600697874.163:25): apparmor="DENIED" operation="mknod"
profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107<br>Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied</div><div><br></div><div>I edited /etc/apparmor.d/usr.sbin.named and it now includes the following content:</div><div> ...<br></div><div> # /etc/bind should be read-only for bind<br> # /var/lib/bind is for dynamically updated zone (and journal) files.<br> # /var/cache/bind is for slave/stub data, since we're not the origin of it.<br> # See /usr/share/doc/bind9/README.Debian.gz</div><div> # Next line added to work around apparmor issue</div><div> /etc/bind/*.jnl rw,</div><div> # End of addition<br></div><div> /etc/bind/** r,<br> /var/lib/bind/** rw,<br> /var/lib/bind/ rw,<br> /var/cache/bind/** lrw,<br> /var/cache/bind/ rw, <br></div><div>...</div><div><br></div><div>Now, /var/log/syslog includes:</div><div>Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved<br>Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone '<a href="http://bar.com/IN">bar.com/IN</a>': adding an RR at '<a href="http://acerok.bar.com">acerok.bar.com</a>' A 192.168.42.104<br>Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone '<a href="http://bar.com/IN">bar.com/IN</a>': adding an RR at '<a href="http://acerok.bar.com">acerok.bar.com</a>' TXT "0097d51fa2194acbea0809316da0885aa0"<br>Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied</div><div><br></div><div>ls -l /etc</div><div>drwxr-sr-x 2 root bind 4096 sept. 21 16:01 bind</div><div><br></div><div>ls -l /var/cache</div><div>drwxrwxr-x 2 root bind 4096 sept. 22 16:25 bind</div><div><br></div><div>ls -l /var/cache/bind</div><div>lrwxrwxrwx 1 root root 23 sept. 
21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42<br>lrwxrwxrwx 1 root root 29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com<br>-rw-r--r-- 1 root root 0 sept. 21 16:36 db.bar.com.jnl</div><div>...<br></div><div><br></div><div>How can I solve this?<br></div><div><br></div><div>[1] <a href="https://wiki.debian.org/DDNS" target="_blank">https://wiki.debian.org/DDNS</a></div><div><br></div><div>Best regards<br></div></div>
<span>_______________________________________________</span><br><span>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></div></div></body></html>
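An added example, not part of this thread and not BIND or Debian tooling: a small Python triage script that parses AppArmor DENIED audit lines like the one Olivier posted and, for a journal-creation denial under /etc/bind, reports the relocation Mark suggests (zone file into /var/lib/bind, named.conf updated) instead of an rw rule added to the profile. The directory roles are taken from the usr.sbin.named profile comments quoted above; the sample log lines are constructed from the ones in the thread; the function names are assumptions of this example.

```python
"""Triage AppArmor DENIED events for named and point at the Debian-sanctioned fix.

Added example, not from the thread. Directory conventions come from the
profile comments quoted in the thread; the sample lines are constructed
from the ones Olivier posted.
"""
import re
from pathlib import PurePosixPath

# From Debian's usr.sbin.named profile comments quoted in the thread.
DYNAMIC_ZONE_DIR = "/var/lib/bind"   # dynamically updated zones and their journals
READ_ONLY_DIRS = ("/etc/bind",)       # static configuration; named must not write here

# Constructed sample input, modelled on the lines posted in the thread.
SAMPLE_LOG = [
    'Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 '
    'audit(1600697874.163:25): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 '
    'comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107',
    'Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied',
    'Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key '
    'ddns_update: signer "ddns_update" approved',
]

# key=value or key="quoted value" pairs as the AppArmor audit subsystem writes them
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denial(line):
    """Return the key/value fields of an AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def _is_under(path, directory):
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents


def suggested_zone_path(journal_path):
    """named writes <zonefile>.jnl beside the zone file, so moving the zone
    file into DYNAMIC_ZONE_DIR moves the journal along with it."""
    name = PurePosixPath(journal_path).name
    if name.endswith(".jnl"):
        name = name[:-len(".jnl")]
    return str(PurePosixPath(DYNAMIC_ZONE_DIR) / name)


def triage(fields):
    """Classify one parsed denial; returns (category, advice)."""
    if fields.get("profile") != "/usr/sbin/named":
        return ("not-named", "denial belongs to another profile")
    path = fields.get("name", "")
    wants_create = "c" in fields.get("requested_mask", "")
    if path.endswith(".jnl") and wants_create and any(_is_under(path, d) for d in READ_ONLY_DIRS):
        # Widening the profile is the wrong fix: the thread also shows /etc/bind as
        # drwxr-sr-x root:bind, so the bind user cannot create files there anyway.
        return (
            "journal-in-readonly-dir",
            f"zone file lives under a read-only directory; move it to "
            f"{suggested_zone_path(path)} and point the zone's file directive "
            f"in named.conf at it rather than adding an rw rule for {path}",
        )
    return ("other-named-denial", f"review the profile rule covering {path}")


def analyze(lines):
    """Parse a log excerpt and return (category, advice) for each denial found."""
    results = []
    for line in lines:
        fields = parse_apparmor_denial(line)
        if fields is not None:
            results.append(triage(fields))
    return results


if __name__ == "__main__":
    for category, advice in analyze(SAMPLE_LOG):
        print(f"{category}: {advice}")
```

Run it against a syslog excerpt (for example `journalctl -k | python3 triage.py` with a read loop in place of `SAMPLE_LOG`) to separate the profile denial, which is the signal, from the later plain "permission denied" line, which is the DAC consequence of the same misplaced zone file.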