6

I've been trying to use nsupdate to dynamically update my nameserver's records.

I get a SERVFAIL when I attempt it. This is from the syslogs.

Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: signer "www.mydomain.com" approved
Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: updating zone 'mydomain.com/IN': adding an RR at 'client$
Nov 12 08:00:53 ps133045 named[14314]: /etc/bind/zones/mydomain.com.zone.jnl: create: permission denied
Nov 12 08:00:53 ps133045 named[14314]: client 78.72.53.42#50135: updating zone 'mydomain.com/IN': error: journal open fai$

So I figured it was permissions, so to test I gave both /var/named and /etc/bind chmod 666

Didn't help, so I created the mydomain.com.zone.jnl file and chmod 600 it and thought that would do it. I also did chown bind:bind and root:bind, but I still get the same error in both cases.

Now I can't even restart bind due to this error:

Nov 12 08:40:10 ps133045 named[21169]: loading configuration from '/etc/bind/named.conf'
Nov 12 08:40:10 ps133045 named[21169]: /etc/bind/named.conf.local:9: open: /var/named/dnskeys.conf: permission denied
Nov 12 08:40:10 ps133045 named[21169]: loading configuration: permission denied
Nov 12 08:40:10 ps133045 named[21169]: exiting (due to fatal error)

I really don't understand these permission errors; in both cases I've tried chmod 666 on the files and chown bind:bind or root:bind. Still I get the errors.

Here are the directory rights:

/var/named

drw-rw-rw-  2 root bind  121 Nov 12 08:53 .
drwxr-xr-x 15 root root 4.0K Nov 11 16:24 ..
-rw-------  1 root root   59 Nov 11 16:48 Kwww.mydomain.com.+157.17183.key
-rw-------  1 root root  165 Nov 11 16:49 Kwww.mydomain.com.+157.17183.private
-rw-------  1 root bind  126 Nov 12 08:53 dnskeys.conf

/etc/bind

drwxrwsrwx   3 root bind 4.0K Nov 11 17:31 .
drwxr-xr-x 115 root root 8.0K Nov 10 04:59 ..
-rw-r--r--   1 root root 2.5K Oct 20 10:46 bind.keys
-rw-r--r--   1 root root  237 Oct 20 10:46 db.0
-rw-r--r--   1 root root  271 Oct 20 10:46 db.127
-rw-r--r--   1 root root  237 Oct 20 10:46 db.255
-rw-r--r--   1 root root  353 Oct 20 10:46 db.empty
-rw-r--r--   1 root root  270 Oct 20 10:46 db.local
-rw-r--r--   1 root root 3.0K Oct 20 10:46 db.root
-r--r--r--   1 root bind    3 Nov 10 05:07 jam.sh
-rw-r--r--   1 root bind  463 Nov 11 05:15 named.conf
-rw-r--r--   1 root bind  490 Oct 20 10:46 named.conf.default-zones
-rwxr-xr-x   1 root bind  503 Nov 12 09:01 named.conf.local
-rwxr-xr-x   1 root bind  462 Nov 11 17:30 named.conf.local.bak
-rw-r--r--   1 root bind  572 Oct 20 10:46 named.conf.options
-rw-r-----   1 bind bind   77 Nov 10 04:59 rndc.key
drw-rwSrw-   2 root bind  109 Nov 12 08:26 zones
-rw-r--r--   1 root root 1.3K Oct 20 10:46 zones.rfc1918

/etc/bind/zones

drw-rwSrw- 2 root bind  109 Nov 12 08:26 .
drwxrwsrwx 3 root bind 4.0K Nov 11 17:31 ..
-r--r--r-- 1 root bind  402 Nov 11 11:07 mydomain.com.zone
-rw-rw-rw- 1 bind bind    0 Nov 12 08:26 mydomain.com.zone.jnl
-r--r--r-- 1 root bind  377 Nov 11 11:06 rev.241.205.33.66.in-addr.arpa

Any help or guidance would be greatly appreciated, thanks in advance!

Thuy
  • I'm not sure about all of this, but the permissions on `/var/named` are wildly wrong: 666 is very bad for a directory! Try 775, and `chmod 770 /var/named/dnskeys.conf; chown bind:bind /var/named/dnskeys.conf` while you're at it. – MadHatter Nov 12 '12 at 17:19
  • That fixed the bind startup at least, so thanks for the heads up :) – Thuy Nov 12 '12 at 17:41
  • Maybe AppArmor blocks creating the journal file. – user3127423 Aug 10 '16 at 08:31

3 Answers

12

This looks to me like an AppArmor problem. Try setting it to permissive temporarily and see if the problem goes away.

By default, the Bind/Named daemon does not have permission to write to the zone files in /etc. It can only read them. Therefore, the nsupdate process cannot write to them either.

If you're dynamically updating your DNS, you should store your zone files in /var/lib/bind instead, as documented in this guide.

If bind will be receiving automatic updates to the file as with DDNS, then use /var/lib/bind/db.example.com rather than /etc/bind/db.example.com

Apt installer should have already created this directory with the correct permissions and AppArmor context.

Andy Foster
5

The error message is actually rather self-explanatory:

/etc/bind/named.conf.local:9: open: /var/named/dnskeys.conf: permission denied

The named process is normally running as a restricted user (probably bind), which does not have access to the file dnskeys.conf (with the current permissions the file can only be accessed by the user root):

-rw------- 1 root bind 126 Nov 12 08:53 dnskeys.conf

Either change permissions on that file to 640, so that the group bind has read access,

chmod g+r /var/named/dnskeys.conf

or change the owner of the file to the user running the named process:

chown bind /var/named/dnskeys.conf

As others have pointed out you should definitely NOT make the file world-readable, much less world-writable.

Ansgar Wiechers
  • You're absolutely right, I didn't set the permissions correctly for /etc/bind/zones, which made the permissions for the .jnl file in it rather useless. Now it actually seems to work; here is the DNS chart for resolving client1.epnddns.com currently, which is an A record I just added with nsupdate: http://ip.seveas.net/dnsgraph/png/client1.epnddns.com/?skip_.=on&show_A=Show It doesn't resolve in my browser yet, but I gotta update my ns4 server first I assume. – Thuy Nov 12 '12 at 17:57
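The rule Ansgar describes (named runs as a restricted user, and the mode bits on each path component decide what it may open) can be checked before restarting the daemon. The POSIX shell script below is an added example, not code from the thread or from BIND; `perm_for`, `can_open` and `demo` are hypothetical helper names. It predicts access the way the kernel does: the search bit (x) on every directory down to the file, then r or w on the file itself, which is MadHatter's point from the comments: a directory with mode 666 has no x bit, so nothing beneath it can be opened whatever the file modes say. The scratch tree it builds with mktemp stands in for /var/named, and the sandbox's own primary group stands in for the bind group (a non-root user cannot chgrp to bind), so the checks are run as user "bind" in that group.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): predict whether a user can
# open a path from the mode/owner/group columns of `ls -ld`, the way the kernel
# does it: search (x) on every directory on the way down, then r or w on the
# file itself. Helper names (perm_for, can_open, demo) are hypothetical.

# perm_for PATH USER GROUP PERM  -> prints "ok" or "denied" (PERM is r, w or x).
# Ownership is matched by name, so USER/GROUP may be names that do not exist here.
perm_for() (
    path=$1 user=$2 group=$3 perm=$4
    set -- $(ls -ld "$path")            # $1=mode  $3=owner  $4=group
    mode=$1 owner=$3 grp=$4
    case $perm in r) idx=1 ;; w) idx=2 ;; x) idx=3 ;; *) echo denied; exit 1 ;; esac
    if   [ "$owner" = "$user"  ]; then off=1    # owner triple (chars 2-4)
    elif [ "$grp"   = "$group" ]; then off=4    # group triple (chars 5-7)
    else                               off=7    # other triple (chars 8-10)
    fi
    bit=$(printf '%s' "$mode" | cut -c$((off + idx)))
    # lower-case s/t = setgid/sticky *with* execute; upper-case S/T = without it,
    # which is exactly the "drw-rwSrw-" shown for /etc/bind/zones in the question
    case $bit in r|w|x|s|t) echo ok ;; *) echo denied ;; esac
)

# can_open PATH USER GROUP PERM [TOP] -> "ok", or the first denial on the way.
# Every directory from PATH's parent up to and including TOP (default /) needs x.
can_open() (
    path=$1 user=$2 group=$3 perm=$4 top=${5:-/}
    dir=$(dirname "$path")
    while :; do
        [ "$(perm_for "$dir" "$user" "$group" x)" = ok ] ||
            { echo "denied: $user has no search (x) on directory $dir"; exit 1; }
        [ "$dir" = "$top" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    [ "$(perm_for "$path" "$user" "$group" "$perm")" = ok ] ||
        { echo "denied: $user has no $perm on $path"; exit 1; }
    echo ok
)

# demo: rebuild the question's /var/named layout in a scratch directory and
# replay three states: as posted, after MadHatter's chmod 775 on the directory,
# after Ansgar's chmod 640 on the file. The sandbox's own group stands in for
# the bind group (a non-root user cannot chgrp to bind), so we check as "bind"
# in that group; a denial is the expected result of the first two checks.
demo() (
    base=$(mktemp -d) || exit 1
    grp=$(id -gn)
    f=$base/var/named/dnskeys.conf
    mkdir -p "$base/var/named"
    : > "$f"
    chmod 755 "$base/var"
    chmod 600 "$f"
    chmod 666 "$base/var/named"                 # the posted state: no x bit
    echo "as posted (dir 666, file 600):"
    can_open "$f" bind "$grp" r "$base/var" || true
    chmod 775 "$base/var/named"
    echo "after chmod 775 on the directory (file still 600):"
    can_open "$f" bind "$grp" r "$base/var" || true
    chmod 640 "$f"
    echo "after chmod 640 on the file:"
    can_open "$f" bind "$grp" r "$base/var"
    chmod 755 "$base/var/named" && rm -rf "$base"
)

demo
```

To apply it to the real paths, run `can_open /var/named/dnskeys.conf bind bind r /var` (and `w` for the journal under /etc/bind/zones) as root, since only root can stat inside a directory that has no search bit for anyone else; the output names the first component that blocks named, which is usually the directory rather than the file.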
0

Aside from the filesystem level permissions you mention above, you need to configure bind to allow these remote updates using the allow-update directive.

http://www.zytrax.com/books/dns/ch7/xfer.html

dmourati