
Rather than putting all my zones in one named.conf.local file, I'd like to have them in groups that I can manage as separate files. So, I've tried putting the following into named.conf.local:

include "/home/zones/group1.conf";
include "/home/zones/group2.conf";
include "/home/zones/group3.conf";

However, when I restart named, I see "permission denied" errors in the logs. Ubuntu uses AppArmor for bind, so I also added the following in /etc/apparmor.d/usr.sbin.named:

/home/zones/group1.conf r,
/home/zones/group2.conf r,
/home/zones/group3.conf r,

Now, when I restart named, all appears to be well. Zones are loaded (I think). However, a day or two later, I see my secondary name server complaining that the primary is telling it that it's not authoritative for those domains. I then have to put all the domains back into the named.conf.local file again.

How can I get bind9 to use include files in this way? I don't know much about apparmor, so that may or may not be the issue here, but I've used include files in this way on Debian OK.

Gilgongo

1 Answer


Did you run service apparmor reload after changing the AppArmor configuration? If so, and there are no permission errors in the logs, then I would suspect the actual bind config. Are you including those files in the same place as when you directly define them? Does bind respond for those domains when you query it directly?

mgorven
  • I reloaded the apparmor profiles. The paths to the actual zone files and such are the same both when I have them in the include files and when they are in named.conf.local (or named.conf - I've tried both). What's also odd is that if bind can't read the include files I would expect to see a bunch of "zone removed" notices in the logs on reload, but I don't. – Gilgongo Apr 16 '12 at 19:27