
I followed the exact tutorial from here https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#easy-start-guide-for-authoritative-servers to set up DNSSEC on my domain domain.example.com.

When I try to do the validation of my setup using delv, I get an error. The following is my validation step:

user@nameserver:/etc/bind$ delv @10.10.10.10 -a keys/tmp/example.key +root=domain.example.com domain.example.com. SOA +multiline
;; resolution failed: ncache nxdomain
; negative response, unsigned answer
; domain.example.com. 300   IN \-ANY ;-$NXDOMAIN
; example.com. SOA a.ns.joker.com. hostmaster.joker.com. 2011082265 14400 3600 604800 300

and when I check the log files I see the following output:

Mär 05 22:27:30 nameserver named[74793]: zone domain.example.com/IN (signed): reconfiguring zone keys
Mär 05 22:27:30 nameserver named[74793]: zone domain.example.com/IN (signed): next key event: 05-Mar-2021 23:27:30.591
Mär 05 22:27:30 nameserver named[74793]: dumping master file: /etc/bind/zones/tmp-TELhWOSOza: open: permission denied
Mär 05 22:27:30 nameserver named[74793]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.
Mär 05 22:27:30 nameserver named[74793]: resolver priming query complete
Mär 05 22:30:45 nameserver named[74793]: client @0x7f584800a550 1.1.1.1#36082 (domain.example.com): query: domain.example.com IN A -E(0)DC (10.10.10.10) [ECS 10.10.10.0/24/0]
Mär 05 22:30:53 nameserver named[74793]: client @0x7f584800a550 1.1.1.2#56781 (domain.example.com): query: domain.example.com IN A -E(0)DC (10.10.10.10) [ECS 10.10.10.0/24/0]
Mär 05 22:41:12 nameserver named[74793]: dumping master file: /etc/bind/zones/tmp-mlDktgv0MJ: open: permission denied
Mär 05 22:56:00 nameserver named[74793]: dumping master file: /etc/bind/zones/tmp-RuJ2bQd0qY: open: permission denied
Mär 05 23:23:17 nameserver named[74793]: client @0x7f584800a550 10.10.10.10#60252 (domain.example.com): query: domain.example.com IN SOA +E(0)DK (10.10.10.10)

Edit:

The only thing I did differently is that in the options section I left the default directory "/var/cache/bind"; otherwise I would get other error messages.

OS is Ubuntu 20.04.2

Mnemosyne
  • Have a look at the `open: permission denied` lines - check your filesystem permissions for bind. – fuero Mar 05 '21 at 22:38

1 Answer


I don't know what OS this is, but it appears that for one reason or another BIND cannot write in /etc/bind/zones, as per:

dumping master file: /etc/bind/zones/tmp-mlDktgv0MJ: open: permission denied

This could either simply be because of filesystem permissions, or there may be some additional security policies enforced by something like SELinux or AppArmor, as services are conventionally not supposed to be writing under /etc in the first place.

Normally you would have services write files under /var somewhere. For BIND it would be pretty typical to use something like /var/lib/bind.

Unless you have a reason to use the rather unorthodox path of /etc/bind/zones for writable files, you would probably be better off just using whatever directory the package manager intended (probably something like what I speculated above).

Håkan Lindqvist
  • I checked: I have Ubuntu 20.04 on this machine. All the bind files could be found in `/etc/bind/`, that's why I did the whole setup there, and the tutorial files pointed to that directory. How do I move the entire files to some other location, just copy the entire folder some place else? Is that even valid? – Mnemosyne Mar 05 '21 at 22:49
  • @Mnemosyne The actual config should be in `/etc/bind` but the zone files generally shouldn't (if you have something that is actually static, that's one thing, I suppose. The packages probably contained some static stuff that they put there) – Håkan Lindqvist Mar 05 '21 at 22:51
  • All the directories you mention are completely empty. named.conf and all the other assorted files (bind.keys, db.*, rndc.keys etc.) are located by default in /etc/bind/. Do you know how this migration is to be done without breaking bind9 or named paths? What if I were to change the ownership of the /etc/bind/zones folder to be owned and writeable by bind? Would that cause any problem? This is an experimental setup. It's supposed to serve a domain for a few months but not necessarily for the long term. – Mnemosyne Mar 05 '21 at 23:50
  • I moved the zone and key definitions to another folder with full rights for bind and the error messages are gone. There is no error status message anymore. However the delv command still generates the exact same error/servfail. What could be wrong here? – Mnemosyne Mar 07 '21 at 01:41
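As an added example (not from the question, the answer or the ISC guide), here is a small Python audit of a named.conf fragment that flags signed zones whose zone file sits under /etc/bind: with inline-signing, named writes the `.signed` file and the journals beside the zone file, going through a temporary file in the same directory (the `dumping master file: ... permission denied` lines above), so that directory must be writable by the named user, which a read-only config tree should not be. The tree paths, the constructed config and the suggested relocation under /var/lib/bind are assumptions.

```python
import os
import re

CONFIG_TREE = "/etc/bind"        # assumption: read-only configuration tree
WRITABLE_TREE = "/var/lib/bind"  # assumption: intended home for files named rewrites


def _block(text, start):
    """Return the body between the '{' at text[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def audit_zones(conf):
    """For each zone with a file statement, list the files named must write
    (only inline-signing / dnssec-policy zones need any) and flag those that
    would land inside CONFIG_TREE, i.e. zones that should be relocated."""
    directory = "."
    opts = re.search(r"options\s*\{", conf)
    if opts:
        d = re.search(r'\bdirectory\s+"([^"]+)"', _block(conf, opts.end() - 1))
        if d:
            directory = d.group(1)
    report = {}
    for z in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        body = _block(conf, z.end() - 1)
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        if not f:
            continue
        path = os.path.join(directory, f.group(1))  # absolute file wins over directory
        signed = re.search(r"\binline-signing\s+yes\b|\bdnssec-policy\s+(?!none\b)", body) is not None
        writes = [path + ".signed", path + ".signed.jnl", path + ".jnl"] if signed else []
        in_config = os.path.normpath(path).startswith(CONFIG_TREE + "/")
        report[z.group(1)] = {
            "file": path,
            "writes": writes,                 # what named creates next to the zone file
            "misplaced": signed and in_config,  # writes would go into the config tree
            "suggested": os.path.join(WRITABLE_TREE, os.path.basename(path)) if signed else None,
        }
    return report


# Constructed sample mirroring the layout in the question (not a real config).
SAMPLE_CONF = """
options { directory "/var/cache/bind"; };
zone "domain.example.com" IN {
    type master;
    file "/etc/bind/zones/db.domain.example.com";
    dnssec-policy default;
    inline-signing yes;
    allow-transfer { none; };
};
zone "static.example" { type master; file "db.static"; };
"""

if __name__ == "__main__":
    for name, info in audit_zones(SAMPLE_CONF).items():
        print(name, "MISPLACED" if info["misplaced"] else "ok", info["writes"])
```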