<!DOCTYPE html><html><body><div dir="auto"><br><br><br>>I would either change ownership of "/etc/bind" and all files and folders<br>>below that from "root" to "bind", or, if the group for user "bind" is also<br>>"bind", leave ownership as root but change group permissions to rwx for<br>>everything "/etc/bind" and below. You could try starting with just<br>>"/etc/bind" and see if that helps. Then continue down if not.<br>><br>>Some more Linux-savvy people will no doubt have something to say on the<br>>matter :)<br><br>I read somewhere online that it makes sense to use /var/lib/bind or /var/cache/bind for signed zones.<br><br>???<br><br>If bind should be denied write access to /etc/... maybe this is the way to go?<br><br>:-)<br>Danjel<br><br>><br>>Cheers, Greg<br>><br>>On Sat, 15 Mar 2025 at 21:25, Danjel Jungersen via bind-users <<br>>bind-users@lists.isc.org> wrote:<br>><br>>> Off-list I was asked.....<br>>><br>>> root@ns1:/etc/bind# ls -la<br>>> total 60<br>>> drwxr-sr-x 3 root bind 4096 Mar 15 16:31 .<br>>> drwxr-xr-x 71 root root 4096 Jan 6 08:40 ..<br>>> -rw-r--r-- 1 root root 2403 Jul 27 2024 bind.keys<br>>> -rw-r--r-- 1 root root 255 Jul 27 2024 db.0<br>>> -rw-r--r-- 1 root root 271 Jul 27 2024 db.127<br>>> -rw-r--r-- 1 root root 237 Jul 27 2024 db.255<br>>> -rw-r--r-- 1 root root 353 Jul 27 2024 db.empty<br>>> -rw-r--r-- 1 root root 270 Jul 27 2024 db.local<br>>> -rw-r--r-- 1 root bind 458 Jul 27 2024 named.conf<br>>> -rw-r--r-- 1 root bind 498 Jul 27 2024 named.conf.default-zones<br>>> -rw-r--r-- 1 root bind 737 Mar 13 08:41 named.conf.local<br>>> -rw-r--r-- 1 root bind 950 Jan 30 08:58 named.conf.options<br>>> -rw-r----- 1 bind bind 100 Jan 3 15:27 rndc.key<br>>> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones<br>>> -rw-r--r-- 1 root root 1317 Jul 27 2024 zones.rfc1918<br>>><br>>> root@ns1:/etc/bind/zones# ls -la<br>>> total 20<br>>> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 .<br>>> drwxr-sr-x 3 root bind 4096 Mar 15 16:31 ..<br>>> -rw-rw-r-- 1 root bind 445 Jan 5 17:58 db.192.168<br>>> -rw-rw-r-- 1 root bind 509 Jan 5 17:12 db.jg1.jungersen.dk<br>>> -rw-rw-r-- 1 root bind 681 Mar 15 16:54 db.jungersen.dk<br>>><br>>> I was also aksed about the setgid bit, I have no reason/explanation for it.<br>>> Nor do I have any special wishes, so if it is best practice to do it<br>>> differently, I can change it.<br>>><br>>> Apparmor was also mentioned, I have no experience with that, and have not<br>>> changed it in any way (to my knowledge)...<br>>><br>>> if I have opened up too much in my effort to make it work, please let me<br>>> know, I wish to keep it as tight as possible.<br>>><br>>> :-)<br>>> Danjel<br>>><br>>><br>>> On 15-03-2025 17:31, Danjel Jungersen via bind-users wrote:<br>>><br>>> I'm so sorry, but I have to trouble you guys again.<br>>><br>>> The help below helped, I have no errors from checkconf or checkzone, but<br>>> from journalctl I get:<br>>> /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied<br>>> and<br>>> /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied<br>>><br>>> and some more, but I think these 2 are the causes.<br>>><br>>> But if I try:<br>>> root@ns1:/etc/bind/zones# ps auxw|grep named<br>>> bind 57446 0.1 1.2 147948 48140 ? Ssl 17:12 0:01<br>>> /usr/sbin/named -f -4 -u bind<br>>> root 57472 0.0 0.0 6332 2036 pts/1 S+ 17:21 0:00 grep<br>>> named<br>>><br>>> It look to me like the user is "bind"<br>>><br>>> I also have:<br>>> drwxrwsr-x 2 root bind 4096 Mar 15 16:54 zones<br>>><br>>> I have added write permission for the bind group.<br>>><br>>> I have also tried to change owner to bind, same result.<br>>><br>>> I have .key .private and .state files is /var/cache/bind<br>>><br>>> What does these errors mean?<br>>> I assume that the files that it tries to write are supposed to be<br>>> written(?)<br>>><br>>> And why is it rejected?<br>>><br>>> BR<br>>> Danjel<br>>> On 12-03-2025 23:49, Mark Andrews wrote:<br>>><br>>> I shouldn’t have tried to write that on the phone from memory.<br>>><br>>> dnssec-policy “unlimited” {<br>>> keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };<br>>> };<br>>><br>>> zone "jungersen.dk” {<br>>> type master;<br>>> file "/etc/bind/zones/db.jungersen.dk”;<br>>> allow-transfer { 192.168.20.11; };<br>>> dnssec-policy "unlimited";<br>>> };<br>>><br>>> Mark<br>>><br>>><br>>> On 13 Mar 2025, at 09:13, Danjel Jungersen <danjel@jungersen.dk> <danjel@jungersen.dk> wrote:<br>>><br>>> On 20-02-2025 08:40, Mark Andrews wrote:<br>>><br>>> The zone is available publicly, but from public serveres not hosted by me (one.com).<br>>> And points to my external ip.<br>>> My internal bind redirects local traffic directly to local servers on local ip's.<br>>><br>>> DNSSEC is designed to stop spoofed answers being accepted. When you create a local zone that overrides what is in the public zones you are effectively spoofing answers. As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:<br>>><br>>> 1) create a working chain of trust that links to your private zone content<br>>> Long 1 is the best long term solution....<br>>><br>>> So this is the way I will try to go.<br>>><br>>> You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.<br>>> jungersen.dk. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52<br>>><br>>> I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3. This will add a DNSKEY record to the zone and cause it to be signed. You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.<br>>><br>>> You will need to do some reading first. Others here can give you more advice.<br>>><br>>><br>>> I have now read a lot, and I think that actually understood some of it.<br>>><br>>> I have:<br>>> zone "jungersen.dk" {<br>>> type master;<br>>> file "/etc/bind/zones/db.jungersen.dk";<br>>> allow-transfer { 192.168.20.11; };<br>>> dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };<br>>> };<br>>><br>>> in named.conf.local<br>>><br>>> I throws an error, /etc/bind/named.conf.local:15: expected string near '{'<br>>><br>>> Line 15 is the dnssec-policy line.<br>>><br>>> If I uncomment this line all is well.<br>>><br>>> Can anyone tell me what is wrong with this line?<br>>> I have copy pasted it from the suggestion, and have read some online, to me it looks good.<br>>><br>>> ????<br>>><br>>> BR<br>>> Danjel<br>>><br>>><br>>> --<br>>> Med venlig hilsen/Kind regards<br>>> Danjel Jungersen<br>>> Mail: danjel@jungersen.dk<br>>> Mobile: +45 20 42 20 11<br>>><br>>> Jungersen Grafisk ApS,<br>>> Holsbjergvej 39, DK-2620 Albertslund,<br>>> Denmark.<br>>> Tel: +45 43 64 10 00<br>>><br>>> WEBSHOP: PRINTLIGHT.DK <<a href="https://www.printlight.dk">https://www.printlight.dk</a>> | WWW.JUNGERSEN.DK<br>>> <<a href="https://www.jungersen.dk">https://www.jungersen.dk</a>><br>>><br>>> [image: Logo] <<a href="https://www.jungersen.dk">https://www.jungersen.dk</a>><br>>><br>>> --<br>>> Med venlig hilsen/Kind regards<br>>> Danjel Jungersen<br>>> Mail: danjel@jungersen.dk<br>>> Mobile: +45 20 42 20 11<br>>><br>>> Jungersen Grafisk ApS,<br>>> Holsbjergvej 39, DK-2620 Albertslund,<br>>> Denmark.<br>>> Tel: +45 43 64 10 00<br>>><br>>> WEBSHOP: PRINTLIGHT.DK <<a href="https://www.printlight.dk">https://www.printlight.dk</a>> | WWW.JUNGERSEN.DK<br>>> <<a href="https://www.jungersen.dk">https://www.jungersen.dk</a>><br>>><br>>> [image: Logo] <<a href="https://www.jungersen.dk">https://www.jungersen.dk</a>><br>>> --<br>>> Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe<br>>> from this list<br>>><br>>> ISC funds the development of this software with paid support<br>>> subscriptions. Contact us at <a href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more<br>>> information.<br>>><br>>><br>>> bind-users mailing list<br>>> bind-users@lists.isc.org<br>>> <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><br>>><br></div></body></html>