====== bind DNS system ======
[[https://www.isc.org/bind/| BIND 9]]
===== host names update from DHCP =====
[[https://wiki.debian.org/DDNS|DDNS]]
ddns-confgen -a hmac-sha512 -k dhcp-server-key
cat > /etc/bind/dhcp.key
chown root:bind /etc/bind/dhcp.key
chmod 640 /etc/bind/dhcp.key
include "/etc/bind/dhcp.key";
...
Test update:
nsupdate
zone int.example.com
update add kupa.int.example.com. 300 A 1.2.3.4
show
send
==== Issue: error: journal open failed ====
named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': adding an RR at 'kupa.int.example.com' A 1.2.3.4
audit[22943]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
named[22943]: master/zone-int.example.com.jnl: create: permission denied
named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': error: journal open failed: unexpected error
kernel: audit: type=1400 audit(1621169400.739:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
* Reason: by design app armor blocks modification of persistent cofnfig dir ''/etc''. It should be done inside ''/var/lib/bind''. In Debian, app armor is configured as:
* /etc/bind should be read-only for bind
* /var/lib/bind is for dynamically updated zone (and journal) files.
* /var/cache/bind is for slave/stub data, since we're not the origin of it.
* Solutions:
* Create symbolic links (see [[https://wiki.debian.org/DDNS#DNS_Server_Configuration|DNS Server Configuration]]
* modify app armor:
/etc/bind/zones/** rw,