3

I've been trying to set up a domain that can be updated. I'm using bind9; I've used

ddns-confgen -a hmac-sha512 -k <keyname>

to generate my key. I've added the key in /etc/bind/keys.local:

key "<keyname>" {
        algorithm hmac-sha512;
        secret "<secret>";
};

My named.conf file looks like this:

include "/etc/bind/keys.local";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

My named.conf.local file looks like this:

zone "<subdomain_name>" {
    type master;
    update-policy {
        grant <keyname> zonesub ANY;
    };
    file "<zone_file>"; # zone file path
};

zone "<reverse_zone>.in-addr.arpa" {
    type master;
    update-policy {
        grant <keyname> zonesub ANY;
    };
    file "<reverse_zone_file>";
};

Am I missing something obvious? Because when I do:

sudo nsupdate -k <keyfile>
server <dns_server>
zone <subdomain_name>
update add newhost.<subdomain_name> 86400 A <newhost_ip>
send

I end up getting a SERVFAIL response...

dig <dns_server>

and

ping <dns_server>

work correctly; I just cannot get DDNS to work. I've tried the responses in other threads like this one; all end up giving me SERVFAIL regardless of what I try. Thanks in advance for any suggestions.

edit1: these are the corresponding logs on the server side when I attempt an nsupdate:

signer "<keyname>" approved
apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/<zone_file>" pid=18799 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
client <client_ip>#62287/key <keyname>: signer "<keyname>" approved
client 172.30.2.253#62287/key <keyname>: updating zone '<zonename>/IN': adding an RR at 'host3.<zonename>' A <new_host_ip>
/etc/bind/zones/<zone_file>: create: permission denied
client <client_ip>#62287/key <keyname>: updating zone 'aci.riviera.local/IN': error: journal open failed: unexpected error

edit2:

Turns out the bind group did not have write permissions on /etc/bind ...

sudo chown -R bind:bind /etc/bind

fixed the problem.

HBruijn
Mazimer

2 Answers

5

Thank you for acting like a sysadmin and posting your server logs rather than trying to debug server issues from a client utility alone.

apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/" pid=18799 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112

That seems to indicate that AppArmor is blocking your name server from creating a file in /etc/bind/zones.

The bind name server needs a place to persistently store (in files) dynamic updates and does that by creating .jnl journal files in the directory where your zone files are stored. AppArmor is blocking that operation because, in general, it is a security violation when daemons and services change their own runtime configuration.

Possible solutions:

  • move your zone files to a directory with the correct AppArmor protections.
    On my Ubuntu 16.04 /etc/apparmor.d/usr.sbin.named designates
    /var/lib/bind/ as the conventional alternative to /etc/bind for dynamically updated zone (and journal) files.
  • Override the default AppArmor protections.

Create a local override and allow dynamic updates in /etc/bind/zones:

# /etc/apparmor.d/local/usr.sbin.named 

/etc/bind/zones/** rw,
HBruijn
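The two conditions this answer describes (named must be able to create the .jnl journal next to the zone file, and the AppArmor profile must allow writes there) can be checked before touching nsupdate. The following is an added example, not code from the question or either answer: a Python preflight that parses the zone blocks of a named.conf.local-style file and, for every zone with `update-policy` or `allow-update`, reports whether the zone file's directory is writable by the named user according to its mode bits and whether it sits under a path the profile lets named write to. The allowed-prefix list (`/var/lib/bind/`, `/var/cache/bind/`), the `bind` user name and the `/var/cache/bind` default for the `directory` option are assumptions matching stock Debian/Ubuntu; `SAMPLE_CONF` is constructed for the demo.

```python
"""Preflight for BIND zones that accept dynamic updates (added example, not code
from the question or answers). For each zone with update-policy/allow-update it
checks the two things behind the SERVFAIL in the thread: the zone file's
directory is writable by the named user (named creates <zonefile>.jnl beside
the zone file) and lies under a path the AppArmor profile lets named write to.
Assumes stock Debian/Ubuntu profile paths, a "bind" user, and relative `file`
paths resolving against the `directory` option (/var/cache/bind)."""
import os
import pwd
import re
import stat
from dataclasses import dataclass

# Assumption mirroring the stock /etc/apparmor.d/usr.sbin.named; add anything
# you grant in /etc/apparmor.d/local/usr.sbin.named (e.g. "/etc/bind/zones/").
DEFAULT_WRITABLE_PREFIXES = ("/var/lib/bind/", "/var/cache/bind/")
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')
DYNAMIC_RE = re.compile(r"\b(update-policy|allow-update)\b")

# Constructed sample in the question's layout: dynamic zone under /etc/bind, dynamic zone in /var/lib/bind, static zone.
SAMPLE_CONF = """\
zone "example.internal" {
    type master;
    update-policy { grant ddns-key zonesub ANY; };
    file "/etc/bind/zones/db.example.internal";
};
zone "2.30.172.in-addr.arpa" { type master;
    update-policy { grant ddns-key zonesub ANY; }; file "/var/lib/bind/db.172.30.2"; };
zone "static.internal" { type master; file "/etc/bind/zones/db.static"; };
"""

@dataclass
class Finding:
    zone: str
    zone_file: str
    dir_writable: bool          # mode bits let named create the .jnl
    under_allowed_prefix: bool  # AppArmor profile would allow the write

    @property
    def ok(self):
        return self.dir_writable and self.under_allowed_prefix

def iter_zone_blocks(text):
    """Yield (name, body) per zone block, matching nested braces so an inner
    update-policy { ... } does not end the block early."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        if (start := text.find("{", m.end())) < 0:
            continue
        depth = 0
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), text[start + 1:i]
                    break

def writable_by(path, uid, gid):
    """Do the mode bits of directory `path` let uid/gid create files in it?
    File creation needs write+search; owner, then group, then other, as the
    kernel checks. ACLs are not modelled; AppArmor is the prefix check."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def check_dynamic_zones(conf_text, uid, gid, prefixes=DEFAULT_WRITABLE_PREFIXES,
                        directory="/var/cache/bind"):
    """Return a Finding for every zone that accepts dynamic updates."""
    findings = []
    for name, body in iter_zone_blocks(conf_text):
        fm = FILE_RE.search(body)
        if not DYNAMIC_RE.search(body) or not fm:
            continue  # static zone (or no file clause): no journal to create
        zone_file = fm.group(1)
        if not os.path.isabs(zone_file):
            zone_file = os.path.join(directory, zone_file)
        findings.append(Finding(
            zone=name, zone_file=zone_file,
            dir_writable=writable_by(os.path.dirname(zone_file), uid, gid),
            under_allowed_prefix=any(zone_file.startswith(p) for p in prefixes)))
    return findings

if __name__ == "__main__":  # on a server, feed it the real named.conf.local text
    try:
        pw = pwd.getpwnam("bind")  # Debian/Ubuntu named user (assumption)
    except KeyError:
        pw = pwd.getpwuid(os.getuid())  # no bind user here: demo as ourselves
    for f in check_dynamic_zones(SAMPLE_CONF, pw.pw_uid, pw.pw_gid):
        print(f"{f.zone}: {f.zone_file}: {'ok' if f.ok else 'journal open will FAIL'}"
              f" (dir writable={f.dir_writable}, apparmor prefix={f.under_allowed_prefix})")
```

Run it as root on the server after replacing `SAMPLE_CONF` with the contents of your named.conf.local. Against the question's layout it flags the /etc/bind/zones zone on both counts. A `chown -R bind:bind /etc/bind` satisfies only the mode-bit check, since AppArmor is enforced independently of file ownership, and it also leaves the daemon able to rewrite its own configuration; relocating the zone files to /var/lib/bind (or adding the local override from this answer to the prefix list) passes both.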
0

I had the same issue, but my zone files were somewhere else:

sudo chown -R bind:bind /var/lib/bind