Hello Olivier,

On 10/1/20 5:27 PM, Olivier wrote:
> Hello,
>
> Thank you all for replying !
>
> Thanks to your suggestions, creating an /etc/bind/subdir directory, and
> tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update
> Bind9 entries.

It depends on whether zone data are considered data (and belong to
/var/lib/bind instead), or configuration. When it is updated by named, I
think it is data. And you should just make a symlink to /var/lib/bind or
its subdirectory. It is already prepared for that.
Or just use full paths to /var/lib/bind in zone definitions.

>
> 1. I'm hesitant to file a bug on Debian about this. As this both involves
> Bind9 and AppArmor, would you say it deserves to be implemented and
> documented in default Bind9 installation or that it is too specific for
> this ?

I doubt it. It is documented in /usr/share/doc/bind9/README.Debian,
where it should belong. It clearly states any zone with dynamic updates
should belong to /var/lib/bind. Of course you can customize it, but then
also AppArmor has to be adjusted.

>
> 2. If it deserves to be implemented, how would you name this
> /etc/bind/subdir directory ?
> I personally used "/etc/bind/ddns-zones" but surely there exist
> alternatives that better describe the purpose of this directory (hosting
> config that bind9 needs to rewrite) such as :
> writable_conf
> rw_conf
> rwconf

just

    (cd /etc/bind && ln -s ../../var/lib/bind ddns-zones)

should be enough.

>
> Detailed steps I followed on Debian Buster to work around the issue were:
>
>     mkdir /etc/bind/ddns-zones
>     chown root:bind /etc/bind/ddns-zones
>     # I don't know if plain 775 better fits. Comments welcome
>     chmod 2775 /etc/bind/ddns-zones
>
> Adding into /etc/apparmor.d/usr.sbin.named, a line:
>     /etc/bind/ddns-zones/** rw,
>
> before line
>     /etc/bind/** r,
>
> Best regards
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
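Added example, not part of the thread or of the BIND/Debian packaging: a check that every zone accepting dynamic updates has its file resolve under /var/lib/bind, including through a symlink such as ddns-zones, since AppArmor matches its rules against the resolved path. The function names, the scratch tree and the sample zones are constructed for illustration; it assumes GNU readlink, "zone" statements that start on their own line, and absolute "file" paths.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes every "zone" statement starts
# on its own line and every "file" path is absolute.

# Print "zone<TAB>file" for each zone that mentions allow-update or update-policy.
dynamic_zones() {
    awk '
        function emit() { if (zone != "" && dyn && file != "") print zone "\t" file }
        /^[ \t]*zone[ \t]+"/ { emit(); split($0, q, "\""); zone = q[2]; file = ""; dyn = 0 }
        /(^|[ \t{;])file[ \t]+"/ { s = $0; sub(/.*file[ \t]+"/, "", s); sub(/".*/, "", s); file = s }
        /allow-update|update-policy/ { dyn = 1 }
        END { emit() }
    ' "$1"
}

# check_dynamic_zones CONF DATA_DIR
# Report dynamic zones whose file, after symlink resolution, is outside DATA_DIR.
# Returns 0 if all are inside, 1 if any is outside, 2 if DATA_DIR cannot be resolved.
check_dynamic_zones() {
    data_dir=$(readlink -f "$2") || return 2
    bad=0
    tab=$(printf '\t')
    while IFS=$tab read -r zone file; do
        [ -n "$zone" ] || continue
        real=$(readlink -f "$file") || real=$file
        case $real in
            "$data_dir"/*) ;;
            *) printf '%s: %s -> %s is outside %s\n' "$zone" "$file" "$real" "$data_dir"
               bad=1 ;;
        esac
    done <<EOF
$(dynamic_zones "$1")
EOF
    return "$bad"
}

# Constructed sample: a scratch tree with the ddns-zones symlink from the reply,
# one dynamic zone behind it and one dynamic zone in a plain /etc/bind subdirectory.
make_sample() {
    t=$(mktemp -d) && mkdir -p "$t/etc/bind/plain" "$t/var/lib/bind" || return 1
    ln -s ../../var/lib/bind "$t/etc/bind/ddns-zones"
    touch "$t/var/lib/bind/db.good" "$t/etc/bind/plain/db.bad"
    printf 'zone "%s" {\n  type master;\n  file "%s";\n  allow-update { key ddns; };\n};\n' \
        good.example "$t/etc/bind/ddns-zones/db.good" \
        bad.example "$t/etc/bind/plain/db.bad" > "$t/named.conf.local"
    echo "$t"
}
```

On a real host the call would be `check_dynamic_zones /etc/bind/named.conf.local /var/lib/bind`; any zone it reports needs either a path under /var/lib/bind or a matching rw rule in the AppArmor profile.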