bind DNS system

BIND 9

DDNS

ddns-confgen -a hmac-sha512 -k dhcp-server-key

cat > /etc/bind/dhcp.key
chown root:bind /etc/bind/dhcp.key
chmod 640 /etc/bind/dhcp.key

include "/etc/bind/dhcp.key";
...

Test update:

nsupdate
zone int.example.com
update add kupa.int.example.com. 300 A 1.2.3.4
show
send

named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': adding an RR at 'kupa.int.example.com' A 1.2.3.4
audit[22943]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
named[22943]: master/zone-int.example.com.jnl: create: permission denied
named[22943]: client @0x7f1d14623b10 192.168.64.100#19403: view internal: updating zone 'int.example.com/IN': error: journal open failed: unexpected error
kernel: audit: type=1400 audit(1621169400.739:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/master/zone-int.example.com.jnl" pid=22943 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

• Reason: by design app armor blocks modification of persistent cofnfig dir /etc. It should be done inside /var/lib/bind. In Debian, app armor is configured as:
  • /etc/bind should be read-only for bind
  • /var/lib/bind is for dynamically updated zone (and journal) files.
  • /var/cache/bind is for slave/stub data, since we're not the origin of it.
• Solutions:
  • Create symbolic links (see DNS Server Configuration
  • modify app armor:

/etc/apparmor.d/local/usr.sbin.named

/etc/bind/zones/** rw,