Bug#1042959: The line "ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named'" in /lib/systemd/system/named-resolvconf.service causes error "Failed to set DNS configuration: Link lo is loopback device.". This assumes an installed systemd-resolved package.

[monochromec]

Package: bind9
Version: 1:9.18.16-1~deb12u1
Severity: normal




-- System Information:
Debian Release: 12.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.utf8), LANGUAGE=en_US.utf8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                    3.134
ii  bind9-libs                 1:9.18.16-1~deb12u1
ii  bind9-utils                1:9.18.16-1~deb12u1
ii  debconf [debconf-2.0]      1.5.82
ii  dns-root-data              2023010101
ii  init-system-helpers        1.65.2
ii  iproute2                   6.1.0-3
ii  libc6                      2.36-9+deb12u1
ii  libcap2                    1:2.66-4
ii  libfstrm0                  0.6.1-1
ii  libjson-c5                 0.16-2
ii  liblmdb0                   0.9.24-1
ii  libmaxminddb0              1.7.1-1
ii  libnghttp2-14              1.52.0-1
ii  libprotobuf-c1             1.4.1-1+b1
ii  libssl3                    3.0.9-1
ii  libsystemd0                252.12-1~deb12u1
ii  libuv1                     1.44.2-1
ii  libxml2                    2.9.14+dfsg-1.3~deb12u1
ii  lsb-base                   11.6
ii  netbase                    6.4
ii  sysvinit-utils [lsb-base]  3.06-4
ii  zlib1g                     1:1.2.13.dfsg-1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                       <none>
ii  bind9-dnsutils [dnsutils]      1:9.18.16-1~deb12u1
ii  dnsutils                       1:9.18.16-1~deb12u1
ii  systemd-resolved [resolvconf]  252.12-1~deb12u1
pn  ufw                            <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed:
/usr/sbin/named flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** rw,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,
  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,
  # ssl
  /etc/ssl/openssl.cnf r,
  # root hints from dns-data-root
  /usr/share/dns/root.* r,
  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,
  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,
  # Allow changing worker thread names
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{PROC}/sys/net/ipv4/ip_local_port_range r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,
  /var/log/bind/** rw,
  /var/log/bind/ rw,
  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,
  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,
  # dynamic updates
  /var/tmp/DNS_* rw,
  # dyndb backends
  /usr/lib/bind/*.so rm,
  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>
}

/etc/bind/bind.keys [Errno 13] Permission denied: '/etc/bind/bind.keys'
/etc/bind/db.0 [Errno 13] Permission denied: '/etc/bind/db.0'
/etc/bind/db.127 [Errno 13] Permission denied: '/etc/bind/db.127'
/etc/bind/db.255 [Errno 13] Permission denied: '/etc/bind/db.255'
/etc/bind/db.empty [Errno 13] Permission denied: '/etc/bind/db.empty'
/etc/bind/db.local [Errno 13] Permission denied: '/etc/bind/db.local'
/etc/bind/db.root [Errno 13] Permission denied: '/etc/bind/db.root'
/etc/bind/named.conf [Errno 13] Permission denied: '/etc/bind/named.conf'
/etc/bind/named.conf.default-zones [Errno 13] Permission denied: 
'/etc/bind/named.conf.default-zones'
/etc/bind/named.conf.local [Errno 13] Permission denied: 
'/etc/bind/named.conf.local'
/etc/bind/named.conf.options [Errno 13] Permission denied: 
'/etc/bind/named.conf.options'
/etc/bind/zones.rfc1918 [Errno 13] Permission denied: '/etc/bind/zones.rfc1918'

-- debconf information:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false
  bind9/different-configuration-file:


Possible workaround: replace "lo" with default NIC in the offending
service file / ExecStart invocation.