Package: bind9 Version: 1:9.11.5.P1+dfsg-1 Severity: normal I upgraded from Debian9 tot Debian10 (testing). After this, bind did not start. Syslog says it's AppArmor (see syslog below).
A work-arround is "aa-complain /usr/sbin/named". You need the package apparmor-utils for that. With regards, Paul van der Vlis ----- Feb 11 15:53:50 server systemd[1]: Starting BIND Domain Name Server... Feb 11 15:53:50 server named[8143]: starting BIND 9.11.5-P1-1-Debian (Extended Support Version) <id:647dac6> Feb 11 15:53:50 server named[8143]: running on Linux x86_64 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) Feb 11 15:53:50 server named[8143]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstate dir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux- gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pk cs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--enable-dnstap' '--with-eddsa=no' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-3MF9P u/bind9-9.11.5.P1+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' ' CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' Feb 11 15:53:50 server named[8143]: running as: named -u bind Feb 11 15:53:50 server named[8143]: compiled by GCC 8.2.0 Feb 11 15:53:50 server named[8143]: compiled with OpenSSL version: OpenSSL 1.1.1a 20 Nov 2018 Feb 11 15:53:50 server named[8143]: linked to OpenSSL version: OpenSSL 1.1.1a 20 Nov 2018 Feb 11 15:53:50 server named[8143]: compiled with libxml2 version: 2.9.4 Feb 11 15:53:50 server named[8143]: linked to libxml2 version: 20904 Feb 11 15:53:50 server named[8143]: compiled with libjson-c version: 0.12.1 Feb 11 15:53:50 server named[8143]: linked to libjson-c version: 0.12.1 Feb 11 15:53:50 server named[8143]: threads support is enabled Feb 11 15:53:50 server named[8143]: ---------------------------------------------------- Feb 11 15:53:50 server named[8143]: BIND 9 is maintained by Internet Systems Consortium, Feb 11 15:53:50 server named[8143]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Feb 11 15:53:50 server named[8143]: corporation. Support and training for BIND 9 are Feb 11 15:53:50 server named[8143]: available at https://www.isc.org/support Feb 11 15:53:50 server named[8143]: ---------------------------------------------------- Feb 11 15:53:50 server named[8143]: adjusted limit on open files from 524288 to 1048576 Feb 11 15:53:50 server named[8143]: found 4 CPUs, using 4 worker threads Feb 11 15:53:50 server named[8143]: using 3 UDP listeners per interface Feb 11 15:53:50 server named[8143]: using up to 4096 sockets Feb 11 15:53:50 server named[8143]: loading configuration from '/etc/bind/named.conf' Feb 11 15:53:50 server named[8143]: /etc/bind/named.conf.options:28: '127.0.0.1/8': address/prefix length mismatch Feb 11 15:53:50 server named[8143]: reading built-in trust anchors from file '/etc/bind/bind.keys' Feb 11 15:53:50 server named[8143]: initializing GeoIP Country (IPv4) (type 1) DB Feb 11 15:53:50 server named[8143]: GEO-106FREE 20181108 Build Feb 11 15:53:50 server named[8143]: initializing GeoIP Country (IPv6) (type 12) DB Feb 11 15:53:50 server named[8143]: GEO-106FREE 20181108 Build Feb 11 15:53:50 server named[8143]: GeoIP City (IPv4) (type 2) DB not available Feb 11 15:53:50 server named[8143]: GeoIP City (IPv4) (type 6) DB not available Feb 11 15:53:50 server named[8143]: GeoIP City (IPv6) (type 30) DB not available Feb 11 15:53:50 server named[8143]: GeoIP City (IPv6) (type 31) DB not available Feb 11 15:53:50 server named[8143]: GeoIP Region (type 3) DB not available Feb 11 15:53:50 server named[8143]: GeoIP Region (type 7) DB not available Feb 11 15:53:50 server named[8143]: GeoIP ISP (type 4) DB not available Feb 11 15:53:50 server named[8143]: GeoIP Org (type 5) DB not available Feb 11 15:53:50 server named[8143]: GeoIP AS (type 9) DB not available Feb 11 15:53:50 server named[8143]: GeoIP Domain (type 11) DB not available Feb 11 15:53:50 server named[8143]: GeoIP NetSpeed (type 10) DB not available Feb 11 15:53:50 server named[8143]: using default UDP/IPv4 port range: [32768, 60999] Feb 11 15:53:50 server named[8143]: using default UDP/IPv6 port range: [32768, 60999] Feb 11 15:53:50 server named[8143]: listening on IPv6 interfaces, port 53 Feb 11 15:53:50 server named[8143]: listening on IPv4 interface lo, 127.0.0.1#53 Feb 11 15:53:50 server named[8143]: listening on IPv4 interface eth1, 192.168.0.1#53 Feb 11 15:53:50 server named[8143]: listening on IPv4 interface br0, 192.168.178.2#53 Feb 11 15:53:50 server named[8143]: generating session key for dynamic DNS Feb 11 15:53:50 server named[8143]: mdb_env_open of '_default.nzd' failed: Permission denied Feb 11 15:53:50 server named[8143]: loading configuration: failure Feb 11 15:53:50 server named[8143]: exiting (due to fatal error) Feb 11 15:53:50 server systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE Feb 11 15:53:50 server systemd[1]: bind9.service: Failed with result 'exit-code'. Feb 11 15:53:50 server kernel: [ 825.720093] audit: type=1400 audit(1549896830.180:45): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/cache/bind/_default.nzd-lock" pid=8143 comm="isc-worker0002" requested_mask="k" denied_mask="k" fsuid=118 ouid=118 Feb 11 15:53:50 server kernel: [ 825.720099] audit: type=1400 audit(1549896830.180:46): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/cache/bind/_default.nzd-lock" pid=8143 comm="isc-worker0002" requested_mask="k" denied_mask="k" fsuid=118 ouid=118 Feb 11 15:53:50 server systemd[1]: Failed to start BIND Domain Name Server. ---- -- Paul van der Vlis Linux systeembeheer Groningen https://www.vandervlis.nl/