I've been trying to use nsupdate to dynamically update my nameserver's records.

I get a SERVFAIL when I attempt it. This is from the syslogs:

Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: signer "www.mydomain.com" approved
Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: updating zone 'mydomain.com/IN': adding an RR at 'client$
Nov 12 08:00:53 ps133045 named[14314]: /etc/bind/zones/mydomain.com.zone.jnl: create: permission denied
Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: updating zone 'mydomain.com/IN': error: journal open fai$

So I figured it was permissions, so to test, I gave both /var/named and /etc/bind chmod 666.

That didn't help, so I created the mydomain.com.zone.jnl file and gave it chmod 600, thinking that would do. I also did chown bind:bind and root:bind, but I still get the same error in both cases.

Now I can't even restart bind, due to this error:

Nov 12 08:40:10 ps133045 named[21169]: loading configuration from '/etc/bind/named.conf'
Nov 12 08:40:10 ps133045 named[21169]: /etc/bind/named.conf.local:9: open: /var/named/dnskeys.conf: permission denied
Nov 12 08:40:10 ps133045 named[21169]: loading configuration: permission denied
Nov 12 08:40:10 ps133045 named[21169]: exiting (due to fatal error)

I really don't understand these permission errors. In both cases I've tried chmod 666 on the files and chown bind:bind or root:bind, and I still get the errors.

Here are the directory rights:

/var/named

drw-rw-rw-  2 root bind  121 Nov 12 08:53 .
drwxr-xr-x 15 root root 4.0K Nov 11 16:24 ..
-rw-------  1 root root   59 Nov 11 16:48 Kwww.mydomain.com.+157.17183.key
-rw-------  1 root root  165 Nov 11 16:49 Kwww.mydomain.com.+157.17183.private
-rw-------  1 root bind  126 Nov 12 08:53 dnskeys.conf

/etc/bind

drwxrwsrwx   3 root bind 4.0K Nov 11 17:31 .
drwxr-xr-x 115 root root 8.0K Nov 10 04:59 ..
-rw-r--r--   1 root root 2.5K Oct 20 10:46 bind.keys
-rw-r--r--   1 root root  237 Oct 20 10:46 db.0
-rw-r--r--   1 root root  271 Oct 20 10:46 db.127
-rw-r--r--   1 root root  237 Oct 20 10:46 db.255
-rw-r--r--   1 root root  353 Oct 20 10:46 db.empty
-rw-r--r--   1 root root  270 Oct 20 10:46 db.local
-rw-r--r--   1 root root 3.0K Oct 20 10:46 db.root
-r--r--r--   1 root bind    3 Nov 10 05:07 jam.sh
-rw-r--r--   1 root bind  463 Nov 11 05:15 named.conf
-rw-r--r--   1 root bind  490 Oct 20 10:46 named.conf.default-zones
-rwxr-xr-x   1 root bind  503 Nov 12 09:01 named.conf.local
-rwxr-xr-x   1 root bind  462 Nov 11 17:30 named.conf.local.bak
-rw-r--r--   1 root bind  572 Oct 20 10:46 named.conf.options
-rw-r-----   1 bind bind   77 Nov 10 04:59 rndc.key
drw-rwSrw-   2 root bind  109 Nov 12 08:26 zones
-rw-r--r--   1 root root 1.3K Oct 20 10:46 zones.rfc1918

/etc/bind/zones

drw-rwSrw- 2 root bind  109 Nov 12 08:26 .
drwxrwsrwx 3 root bind 4.0K Nov 11 17:31 ..
-r--r--r-- 1 root bind  402 Nov 11 11:07 mydomain.com.zone
-rw-rw-rw- 1 bind bind    0 Nov 12 08:26 mydomain.com.zone.jnl
-r--r--r-- 1 root bind  377 Nov 11 11:06 rev.241.205.33.66.in-addr.arpa

Any help or guidance would be greatly appreciated, thanks in advance!


Solution 1:

The error message is actually rather self-explanatory:

/etc/bind/named.conf.local:9: open: /var/named/dnskeys.conf: permission denied

The named process normally runs as a restricted user (probably bind), which does not have access to the file dnskeys.conf (with the current permissions the file can only be accessed by the user root):

-rw------- 1 root bind 126 Nov 12 08:53 dnskeys.conf

Either change permissions on that file to 640, so that the group bind has read access,

chmod g+r /var/named/dnskeys.conf

or change the owner of the file to the user running the named process:

chown bind /var/named/dnskeys.conf

As others have pointed out you should definitely NOT make the file world-readable, much less world-writable.
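The fix above follows from the file's own mode bits, but a full access check also has to cover every directory on the path: the listing in the question shows /var/named and /etc/bind/zones as drw-rw-rw- and drw-rwSrw-, i.e. directories whose search (x) bit was removed by chmod 666, and without that bit no non-root user can open anything inside them, whatever the file's own permissions. The script below is an added example, not code from the question, the answers or BIND itself. It evaluates owner/group/mode the way the kernel's DAC check does, so the listing can be replayed without root or a real bind account, and it can walk a live path with GNU stat (-c), as on the Debian/Ubuntu system in the post. The function names perm_ok and check_path are this example's own; "bind" is the account name from the post.

```shell
#!/bin/sh
# Added example: is a file reachable and readable/writable for a service account?
# Checks the search (x) bit on every parent directory as well as the file's bits.
# Not BIND tooling; the account "bind" and the paths come from the question.
# check_path needs GNU stat (-c); perm_ok is pure shell arithmetic.

# perm_ok USER GROUPS OWNER GROUP OCTALMODE WANT
#   OWNER GROUP OCTALMODE are exactly what 'stat -c "%U %G %a" PATH' prints.
#   GROUPS is the space-separated list of groups USER belongs to.
#   WANT is r, w or x (on a directory, x is the search bit).
# Prints yes or no and returns 0 or 1. Root bypasses mode bits, as the kernel does.
perm_ok() {
    p_user=$1 p_groups=$2 p_owner=$3 p_group=$4 p_mode=$5 p_want=$6
    if [ "$p_user" = root ]; then echo yes; return 0; fi
    # keep only the last three octal digits (drop a setuid/setgid/sticky digit)
    while [ ${#p_mode} -lt 4 ]; do p_mode=0$p_mode; done
    p_mode=${p_mode#?}
    if [ "$p_user" = "$p_owner" ]; then
        p_digit=${p_mode%??}                           # owner digit
    else
        p_class=other
        for g in $p_groups; do [ "$g" = "$p_group" ] && p_class=group; done
        if [ "$p_class" = group ]; then
            p_digit=${p_mode#?}; p_digit=${p_digit%?}  # group digit
        else
            p_digit=${p_mode#??}                       # other digit
        fi
    fi
    case $p_want in r) p_bit=4 ;; w) p_bit=2 ;; x) p_bit=1 ;; *) echo no; return 1 ;; esac
    if [ $(( p_digit & p_bit )) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# check_path USER GROUPS ABSPATH WANT
#   Walks every parent directory of ABSPATH (each needs the search bit for USER),
#   then checks ABSPATH itself for WANT. If ABSPATH is not visible (missing, or
#   behind an unsearchable directory), it checks instead whether USER could
#   create it, i.e. has w on the parent, which is the journal-file case from
#   the question. Prints one line per problem; returns 1 if anything failed.
check_path() {
    c_user=$1 c_groups=$2 c_target=$3 c_want=$4 c_fail=0
    c_dir=$(dirname "$c_target")
    while :; do
        c_stat=$(stat -c '%U %G %a' "$c_dir") || return 1
        set -- $c_stat
        perm_ok "$c_user" "$c_groups" "$1" "$2" "$3" x >/dev/null ||
            { echo "$c_dir: $c_user cannot search this directory (mode $3, $1:$2)"; c_fail=1; }
        [ "$c_dir" = / ] && break
        c_dir=$(dirname "$c_dir")
    done
    if [ -e "$c_target" ]; then
        c_stat=$(stat -c '%U %G %a' "$c_target") || return 1
        set -- $c_stat
        perm_ok "$c_user" "$c_groups" "$1" "$2" "$3" "$c_want" >/dev/null ||
            { echo "$c_target: $c_user lacks '$c_want' (mode $3, $1:$2)"; c_fail=1; }
    else
        c_parent=$(dirname "$c_target")
        c_stat=$(stat -c '%U %G %a' "$c_parent") || return 1
        set -- $c_stat
        perm_ok "$c_user" "$c_groups" "$1" "$2" "$3" w >/dev/null ||
            { echo "$c_target: not visible, and $c_user cannot create files in $c_parent (mode $3)"; c_fail=1; }
    fi
    return $c_fail
}

# Usage on the system from the question (paths are the ones in the post):
#   check_path bind bind /var/named/dnskeys.conf r
#   check_path bind bind /etc/bind/zones/mydomain.com.zone.jnl w
```

Run against the listing, the first call reports both that bind cannot search /var/named (mode 666) and that it lacks r on dnskeys.conf (mode 600); chmod g+r on the file alone leaves the first complaint standing until the directory gets its search bit back, for example with chmod 750 /var/named and chmod 2750 /etc/bind/zones, which also undoes the world-writable modes the answer warns against.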

Solution 2:

This looks to me like an AppArmor problem. Try setting it to permissive temporarily and see if the problem goes away.

By default, the Bind/Named daemon does not have permission to write to the zone files in /etc. It can only read them. Therefore, the nsupdate process cannot write to them either.

If you're dynamically updating your DNS, you should store your zone files in /var/lib/bind instead - https://help.ubuntu.com/14.04/serverguide/dns-configuration.html#dns-primarymaster-configuration

The apt installer should already have created this directory with the correct permissions and AppArmor context.