<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Before I start describing the problem, I should mention that this incident started when I tried to enable DNSSEC. I understand that it is unrelated, but previously everything was working correctly.</p>
<p><br /></p>
<p>I'm using Debian 11 and Bind 9.18 from backports</p>
<div> </div>
<div>This is current config</div>
<div> </div>
<div># named-checkconf -px<br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">options {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> directory "/var/cache/bind/";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> listen-on {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 127.0.0.1/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.130/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> listen-on-v6 {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 2800:110:44:6260::130/128;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> querylog yes;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> transfers-in 20;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> transfers-per-ns 20;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> version "Info not currently available";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-recursion {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> "localhost";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> ::1/128;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.0.0/16;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 2800:110:44:6260::/64;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> auth-nxdomain no;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> recursion yes;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-query {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> "any";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-transfer {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> "none";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> key-directory "/var/cache/bind/keys";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> masterfile-format text;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">statistics-channels {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> inet 127.0.0.1 port 8053 allow {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 127.0.0.1/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "10.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "16.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "17.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "18.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "19.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "20.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "21.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "22.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "23.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "24.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "25.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "26.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "27.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "28.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "29.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "30.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "31.172.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "168.192.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.empty";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "unau.edu.ar" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type primary;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/zonas/db.unau.edu.ar";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-query {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> "any";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-transfer {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-update {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> "none";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> also-notify {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> serial-update-method increment;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "133.45.210.170.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type primary;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/zonas/133.45.210.170.in-addr.arpa";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-transfer {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> also-notify {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type primary;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/zonas/3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> allow-transfer {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131/32;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> also-notify {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> 170.210.45.131;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> };</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "." {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type hint;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/usr/share/dns/root.hints";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "localhost" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.local";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "127.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.127";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "0.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.0";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone "255.in-addr.arpa" {</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> type master;</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;"> file "/etc/bind/db.255";</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">};</span></div>
<div> </div>
<div> </div>
<div>File permissions</div>
<div> </div>
<div># ls -alh /etc/bind</div>
<div><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 2,4K feb 26 06:27 bind.keys</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 255 feb 26 06:27 db.0</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 271 jun 30 2017 db.127</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 237 jun 30 2017 db.255</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 353 jun 30 2017 db.empty</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 270 jun 30 2017 db.local</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 3,1K may 3 2019 db.root</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root bind 458 feb 26 06:27 named.conf</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 1,2K jun 28 15:06 named.conf.local</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 2,8K jun 27 17:44 named.conf.options</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r----- 1 bind bind 144 may 17 13:51 rndc.key</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">drw-r-S--- 2 bind bind 4,0K jun 28 14:55 zonas</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rw-r--r-- 1 root root 1,3K jun 30 2017 zones.rfc1918</span></div>
<div> </div>
<div># ls -alh /etc/bind/zonas/<br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rwxr-xr-- 1 bind bind 323 ene 16 10:59 133.45.210.170.in-addr.arpa</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rwxr-xr-- 1 bind bind 394 ene 16 10:58 3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">-rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar</span></div>
<div> </div>
<div>Error messages</div>
<div> </div>
<div><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone unau.edu.ar/IN: loading from master file /etc/bind/zonas/db.unau.edu.ar failed: permission denied</span></div>
<div><span style="font-family: 'courier new', courier, monospace; font-size: 8pt;">zone unau.edu.ar/IN: not loaded due to errors.</span></div>
<div> </div>
<div>Named is running as bind user</div>
<div>
<p><br /></p>
<p><br /></p>
<p>I would be grateful for any enlightening ideas.</p>
<p><br /></p>
</div>
<div id="signature"><br />
<div dir="ltr">________________________________________________<br />
<table>
<tbody>
<tr>
<td><img src="https://correo.unau.edu.ar/skins/elastic/images/logo.svg" width="73" height="96" /></td>
<td><strong>Daniel A. Rodriguez</strong><br /><em>Informática, Conectividad y Sistemas</em><br />Universidad Nacional del Alto Uruguay<br />San Vicente - Misiones - Argentina<br /><a href="https://informatica.unau.edu.ar" rel="noopener">informatica.unau.edu.ar</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</body></html>