I'm learning how to use secondary zones (so ns2 is not a mirror of ns1). I think I have set it up correctly, but on the ns2 name server I get errors. From syslog:
Code:
Feb 24 13:49:23 ns2 named[7079]: zone taleman.tld/IN: sending notifies (serial 2021022403)
Feb 24 13:49:23 ns2 named[7079]: dumping master file: /etc/bind/slave/tmp-rD9IMwozMi: open: permission denied
Feb 24 13:49:23 ns2 kernel: [773722.333467] audit: type=1400 audit(1614167363.582:13): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/slave/tmp-rD9IMwozMi" pid=7079 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=109 ouid=109
The zone is transferred to ns2 (and it does answer queries for that zone), but ns2 can not write the zone to a file. I have not set up AppArmor in any way, but I did not know AppArmor is configured to do something with bind9. File permissions: should the owner be bind and not root?
Code:
root@ns2:/etc/bind# ls -lhd slave
drwxrws--- 3 root bind 4,0K helmi 24 12:53 slave
root@ns2:/etc/bind# ls -lha slave
yhteensä 12K
drwxrws--- 3 root bind 4,0K helmi 24 12:53 .
drwxr-sr-x 3 root bind 4,0K helmi 15 14:47 ..
drwxr-s--- 2 root bind 4,0K helmi 24 12:53 sec.
root@ns2:/etc/bind#
README.Debian.gz for bind9 states:
So that says the secondary zone files should not be in /etc/bind/slave, but in /var/cache/bind. Makes sense to me. But I got this in named.conf.local:
Code:
zone "taleman.tld" {
    type slave;
    masters {33.44.55.102;};
    allow-transfer {none;};
    file "/etc/bind/slave/sec.taleman.tld";
};
I'm trying to understand the AppArmor config for bind next.
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] uptime: 14:51:17 up 8 days, 23:58, 2 users, load average: 0,12, 0,03, 0,01
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:          1,9Gi       1,2Gi       209Mi        22Mi       585Mi       620Mi
Swap:         3,7Gi        73Mi       3,7Gi
[INFO] systemd failed services status:
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.2.2
##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.19-1~deb10u1
##### PORT CHECK #####
[WARN] Port 8080 (ISPConfig) seems NOT to be listening
[WARN] Port 8081 (ISPConfig Apps) seems NOT to be listening
[WARN] Port 443 (Webserver SSL) seems NOT to be listening
[WARN] Port 143 (IMAP server) seems NOT to be listening
[WARN] Port 993 (IMAP server SSL) seems NOT to be listening
[WARN] Port 110 (POP3 server) seems NOT to be listening
[WARN] Port 995 (POP3 server SSL) seems NOT to be listening
[WARN] Port 465 (SMTP server SSL) seems NOT to be listening
[WARN] Port 21 (FTP server) seems NOT to be listening
I modified the zone to be stored in /var/cache/bind instead:
Code:
root@ns2:/etc/bind# diff /var/tmp/named.conf.local named.conf.local
6c6
<     file "/etc/bind/slave/sec.taleman.tld";
---
>     file "/var/cache/bind/slave/sec.taleman.tld";
root@ns2:/etc/bind# ls -lh /var/cache/bind/slave/sec.taleman.tld
-rw-r--r-- 1 bind bind 431 helmi 24 15:26 /var/cache/bind/slave/sec.taleman.tld
root@ns2:/etc/bind#
There the file can be written, and there are no errors any more in kern.log or syslog. The AppArmor configuration for bind has
Code:
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
so creating files in /var/cache/bind is no problem. Now the question: how can I get ISPConfig, or whatever it is that creates the secondary zone file, to use /var/cache/bind instead of /etc/bind/slave?
Can you just add /etc/bind/slave in the apparmor config? Possibly adding the 'c' flag (I'm not terribly familiar with apparmor).
Both the AppArmor and BIND documentation state the secondary zone files do not belong in /etc/bind, but in /var/bind/cache. I agree with that. I like to avoid doing stuff that the application developer or Debian maintainer advises against. I tried modifying AppArmor; the docs tell me to add modifications to the file /etc/apparmor.d/local/usr.sbin.named
Code:
cat /etc/apparmor.d/local/usr.sbin.named
/etc/bind/slave/** lrw,
/etc/bind/slave/ rw,
That does not work, no file is written to /etc/bind/slave. I do not know why; maybe the AppArmor syntax is obscure.
I try to avoid that, if I can get the secondary zones to work with AppArmor. I tried to find the part of the ISPConfig code that writes the secondary zone file, but no luck so far. I noticed the /etc/bind/named.conf.local gets rewritten every time I edit a zone in ns1, so modifying that file is not going to work. Is /etc/bind/slave hardcoded in ISPConfig somewhere?
Yeah, makes sense. The bind_plugin.inc.php generates this path based on the zonefiles path you set in server config (eg. /etc/bind), with slave appended to it. There is no way you can change that without modifying the php code. You might be able to create a symlink from /etc/bind/slave/ to /var/bind/cache.
I ended up making a symbolic link from /etc/bind/slave to /var/cache/bind/slave (thanks @Jesse Norell, I should have remembered this trick). I also added this file:
Code:
cat /etc/apparmor.d/local/usr.sbin.named
/etc/bind/slave/** lrw,
/etc/bind/slave/ rw,
This way it works with AppArmor.
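The fix the thread settles on (zone directory under /var/cache/bind owned by bind, a symlink at the path ISPConfig hardcodes, the local AppArmor override, a profile reload, and a check of the kernel log for further denials), as an added example script that is not from the thread or from ISPConfig. The optional prefix argument, the function names and the default log path /var/log/kern.log are my assumptions so the file-system steps can be rehearsed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig. The optional prefix argument
# (assumed here) lets the file-system steps be rehearsed under a scratch dir;
# on a real ns2 the functions are called with no argument, i.e. against "/".
set -eu

# Zone files live where bind9 packaging and its AppArmor profile expect them;
# the path ISPConfig hardcodes (/etc/bind/slave) becomes a symlink to it.
setup_slave_dir() {
    root="${1:-}"
    real="$root/var/cache/bind/slave"
    link="$root/etc/bind/slave"
    mkdir -p "$real" "$root/etc/bind"
    # named runs as bind (fsuid=109 in the log), so bind must own the directory.
    if id bind >/dev/null 2>&1; then chown bind:bind "$real"; fi
    chmod 2750 "$real"
    # A real directory created by ISPConfig is removed only if empty (rmdir fails otherwise).
    if [ -d "$link" ] && [ ! -L "$link" ]; then rmdir "$link"; fi
    [ -L "$link" ] || ln -s "${real#"$root"}" "$link"
}

# Debian's /etc/apparmor.d/usr.sbin.named includes this local file, so the
# rules for the symlinked path go here and survive package upgrades.
write_apparmor_local() {
    f="${1:-}/etc/apparmor.d/local/usr.sbin.named"
    mkdir -p "$(dirname "$f")"
    grep -q '^/etc/bind/slave/\*\* ' "$f" 2>/dev/null && return 0
    printf '%s\n' '/etc/bind/slave/** lrw,' '/etc/bind/slave/ rw,' >> "$f"
}

# Reload the profile in place; edits to the local file do nothing until then.
reload_named_profile() {
    apparmor_parser -r /etc/apparmor.d/usr.sbin.named
}

# Print "path mask" for each AppArmor denial of named in a log file; an empty
# result after the next zone edit on ns1 confirms the fix.
named_denials() {
    grep 'apparmor="DENIED"' "$1" | grep 'profile="/usr/sbin/named"' |
        sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p'
}

case "${1:-}" in
    apply) setup_slave_dir; write_apparmor_local; reload_named_profile ;;
    check) named_denials "${2:-/var/log/kern.log}" ;;
    *) echo "usage: $0 apply | check [logfile]" >&2 ;;
esac
```

Run `apply` as root once, then `check` after editing a zone on ns1; a denial that still names a path under /etc/bind/slave means the profile was not reloaded or the local file is not included by the main profile.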