====== bind DNS system ======

[[https://www.isc.org/bind/|BIND 9]]

===== host names update from DHCP =====

[[https://wiki.debian.org/DDNS|DDNS]]

Generate a TSIG key for the DHCP server and install it readable only by root and the bind group:

<code bash>
ddns-confgen -a hmac-sha512 -k dhcp-server-key
cat > /etc/bind/dhcp.key
chown root:bind /etc/bind/dhcp.key
chmod 640 /etc/bind/dhcp.key
</code>

Include it from the named configuration:

<code>
include "/etc/bind/dhcp.key";
...
</code>

Test update:

<code>
nsupdate
zone int.example.com
update add kupa.int.example.com. 300 A 1.2.3.4
show
send
</code>

==== Issue: error: journal open failed ====

<code>
named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': adding an RR at 'kupa.int.example.com' A 1.2.3.4
audit[22943]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
named[22943]: master/zone-int.example.com.jnl: create: permission denied
named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': error: journal open failed: unexpected error
kernel: audit: type=1400 audit(1621169400.739:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
</code>

  * Reason: by design AppArmor blocks modification of the persistent config dir ''/etc''. Dynamically updated zones should live inside ''/var/lib/bind''. In Debian, AppArmor is configured as:
    * ''/etc/bind'' should be read-only for bind
    * ''/var/lib/bind'' is for dynamically updated zone (and journal) files.
    * ''/var/cache/bind'' is for slave/stub data, since we're not the origin of it.
  * Solutions:
    * Create symbolic links (see [[https://wiki.debian.org/DDNS#DNS_Server_Configuration|DNS Server Configuration]])
    * modify the AppArmor profile for named:
<code>
/etc/bind/zones/** rw,
</code>
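The denial above is easy to miss among ordinary named log lines. As an added example (not part of the original note or of BIND), the following script parses AppArmor ''DENIED'' audit lines for the named profile and classifies each one against Debian's directory policy described above; the sample log text and the verdict names are constructed for illustration.

```python
import re

# Constructed sample log lines, modelled on the journal-create denial in the note above.
SAMPLE_LOG = """\
audit[22943]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
named[22943]: master/zone-int.example.com.jnl: create: permission denied
audit[22950]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/ssl/private/x.key" pid=22950 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
"""

# Directories Debian's named profile allows writes to (from the note above).
WRITABLE_DIRS = ("/var/lib/bind/", "/var/cache/bind/")

AVC_RE = re.compile(r'apparmor="DENIED"\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def classify(fields):
    """Explain a named denial in terms of Debian's directory policy (constructed verdict names)."""
    if fields.get("profile") != "/usr/sbin/named":
        return "other-profile"
    path = fields.get("name", "")
    # c (create), w (write) and a (append) all mean named tried to modify the path
    wants_write = any(c in fields.get("denied_mask", "") for c in "wca")
    if wants_write and path.startswith("/etc/bind/"):
        return "zone-in-etc"            # move the zone + journal to /var/lib/bind
    if wants_write and not path.startswith(WRITABLE_DIRS):
        return "write-outside-policy"   # needs a deliberate profile change
    return "read-denied"

def scan(log_text):
    """Return (path, verdict) for every AppArmor denial found in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields:
            results.append((fields["name"], classify(fields)))
    return results

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:22} {path}")
```

Feed it ''journalctl -k'' or ''/var/log/syslog'' output; only the ''zone-in-etc'' verdict corresponds to the layout problem this note describes.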