<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sat, Mar 15, 2025 at 12:32 PM Danjel Jungersen via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>I'm so sorry, but I have to trouble you guys again.</p>
<p>The help below helped, I have no errors from checkconf or
checkzone, but from journalctl I get:<br>
/etc/bind/zones/db.jungersen.dk.jbk: create: permission denied<br>
and<br>
/etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission
denied</p>
<p>and some more, but I think these 2 are the causes.</p></div></blockquote><div><br></div><div>Maybe an AppArmor problem?<br></div><div>I had to add write permissions to /etc/bind before BIND would work for me<br></div><div>... which was probably my misconfiguration, but still.<br><br></div><div>File to be modified: /etc/apparmor.d/usr.sbin.named<br><br></div><div>Regards<br></div><div>Lee<br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>But if I try:<br>
root@ns1:/etc/bind/zones# ps auxw|grep named<br>
bind 57446 0.1 1.2 147948 48140 ? Ssl 17:12 0:01
/usr/sbin/named -f -4 -u bind<br>
root 57472 0.0 0.0 6332 2036 pts/1 S+ 17:21 0:00
grep named<br>
</p>
<p>It looks to me like the user is "bind".</p>
<p>I also have:<br>
drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones</p>
<p>I have added write permission for the bind group.</p>
<p>I have also tried to change owner to bind, same result.</p>
<p>I have .key, .private and .state files in /var/cache/bind.</p>
<p>What do these errors mean?<br>
I assume that the files that it tries to write are supposed to be
written(?)</p>
<p>And why is it rejected?</p>
<p>BR<br>
Danjel<br>
</p>
<div>On 12-03-2025 23:49, Mark Andrews
wrote:<br>
</div>
<blockquote type="cite">
<pre>I shouldn’t have tried to write that on the phone from memory.
dnssec-policy "unlimited" {
    keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};
zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy "unlimited";
};
Mark
</pre>
<blockquote type="cite">
<pre>On 13 Mar 2025, at 09:13, Danjel Jungersen <a href="mailto:danjel@jungersen.dk" target="_blank"><danjel@jungersen.dk></a> wrote:
On 20-02-2025 08:40, Mark Andrews wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre>The zone is available publicly, but from public servers not hosted by me (<a href="http://one.com" target="_blank">one.com</a>).
And points to my external IP.
My internal BIND redirects local traffic directly to local servers on local IPs.
</pre>
</blockquote>
<pre>DNSSEC is designed to stop spoofed answers being accepted. When you create a local zone that overrides what is in the public zones you are effectively spoofing answers. As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:
1) create a working chain of trust that links to your private zone content
Long 1 is the best long term solution....
</pre>
</blockquote>
<pre>So this is the way I will try to go.
</pre>
<blockquote type="cite">
<pre>You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
<a href="http://jungersen.dk" target="_blank">jungersen.dk</a>. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3. This will add a DNSKEY record to the zone and cause it to be signed. You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.
You will need to do some reading first. Others here can give you more advice.
</pre>
</blockquote>
<pre>I have now read a lot, and I think I actually understood some of it.
I have:
zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};
in named.conf.local
It throws an error, /etc/bind/named.conf.local:15: expected string near '{'
Line 15 is the dnssec-policy line.
If I uncomment this line all is well.
Can anyone tell me what is wrong with this line?
I have copy pasted it from the suggestion, and have read some online, to me it looks good.
????
BR
Danjel
</pre>
</blockquote>
<pre></pre>
</blockquote>
<div>-- <br>
Med venlig hilsen/Kind regards<br>
Danjel Jungersen<br>
Mail: <a href="mailto:danjel@jungersen.dk" target="_blank">danjel@jungersen.dk</a><br>
Mobile: +45 20 42 20 11<br>
<br>
Jungersen Grafisk ApS,<br>
Holsbjergvej 39, DK-2620 Albertslund,<br>
Denmark.<br>
Tel: +45 43 64 10 00<br>
<br>
<a href="https://www.printlight.dk" target="_blank">WEBSHOP:
PRINTLIGHT.DK</a> | <a href="https://www.jungersen.dk" target="_blank">WWW.JUNGERSEN.DK</a> <br>
<br>
</div>
</div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div>
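<p>Added example, not from any post in this thread and not ISC/BIND code: a small checker that reads an AppArmor profile and reports whether <code>named</code> would be allowed to create a given file, which is the question behind the "create: permission denied" lines above when the Unix permissions on the zones directory already look right. The <code>PROFILE</code> text is a constructed excerpt modelled on the Debian/Ubuntu <code>/etc/apparmor.d/usr.sbin.named</code> profile (read-only under <code>/etc/bind</code>, writable under <code>/var/lib/bind</code> and <code>/var/cache/bind</code>); the rules on a real host may differ, so check the actual file. <code>LOCAL_OVERRIDE</code> is a hypothetical widened rule of the kind Lee describes. Only plain allow rules are modelled: deny rules, <code>owner</code> qualifiers, abstractions and <code>#include</code> files are out of scope.</p>

```python
"""Would AppArmor let named create a given file?

Added example for this thread, not code from the list posts or from ISC/BIND.
PROFILE below is a constructed excerpt modelled on the Debian/Ubuntu
/etc/apparmor.d/usr.sbin.named profile; the rules on a real host may differ,
so read that file. Only plain allow rules are modelled: deny rules, owner
qualifiers, abstractions and include files are out of scope here.
"""
import re

# Constructed profile excerpt (assumption: compare with the real usr.sbin.named).
PROFILE = """
/usr/sbin/named {
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
  /{,var/}run/named/named.pid w,
}
"""

# Hypothetical rule to append via /etc/apparmor.d/local/usr.sbin.named if the
# signed zone and its journal are to stay under /etc/bind.
LOCAL_OVERRIDE = "  /etc/bind/zones/** rw,\n"

# One file rule per line: an absolute path glob, permission letters, comma.
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),\s*$")


def glob_to_regex(pattern):
    """Translate AppArmor file globbing into an anchored regex.

    '**' matches anything including '/', '*' anything except '/',
    '?' one non-slash character, '{a,b}' is alternation.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(profile_text):
    """Return [(glob, {permission letters}), ...] for each file rule."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def permissions_for(path, rules):
    """Union of the permissions of every rule whose glob matches path."""
    perms = set()
    for pattern, letters in rules:
        if glob_to_regex(pattern).match(path):
            perms |= letters
    return perms


def can_create(path, rules):
    """Creating a file needs write access, the 'w' permission."""
    return "w" in permissions_for(path, rules)


def diagnose(path, rules):
    """Human-readable verdict, phrased like the journalctl line in the thread."""
    perms = "".join(sorted(permissions_for(path, rules))) or "(no rule)"
    if can_create(path, rules):
        return "%s: create allowed (%s)" % (path, perms)
    return "%s: create: permission denied (profile grants only %s)" % (path, perms)


if __name__ == "__main__":
    rules = parse_rules(PROFILE)
    for p in ("/etc/bind/zones/db.jungersen.dk.signed.jnl",
              "/var/cache/bind/db.jungersen.dk.signed.jnl"):
        print(diagnose(p, rules))
    print(diagnose("/etc/bind/zones/db.jungersen.dk.signed.jnl",
                   parse_rules(PROFILE + LOCAL_OVERRIDE)))
```

<p>Under the constructed profile, <code>/etc/bind/zones/db.jungersen.dk.signed.jnl</code> only ever matches the <code>/etc/bind/** r,</code> rule, so the create is refused regardless of the <code>bind</code> user and the setgid directory; the same file under <code>/var/cache/bind/</code> is allowed. Before changing anything on a real host, confirm the diagnosis with <code>journalctl -k</code> (or <code>dmesg</code>) and look for <code>apparmor="DENIED"</code> lines naming <code>named</code> and the path. The least-privilege fix is to keep the signed zone file and journal in a directory the stock profile already lets <code>named</code> write (<code>/var/cache/bind</code> or <code>/var/lib/bind</code>) rather than widening <code>/etc/bind</code>; if you do add a local rule, put it in <code>/etc/apparmor.d/local/usr.sbin.named</code> so package upgrades do not overwrite it, and reload with <code>apparmor_parser -r /etc/apparmor.d/usr.sbin.named</code>.</p>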