I run DNS for my own domain (rvdp.org) and it also supports DNSSEC. DNSSEC suddenly stopped working and it turned out that a change in Ubuntu 18.04 apparmor(7) was the reason. In syslog I found this:
```
Apr 11 06:27:52 kirk named: master/rvdp.org.signed.jnl: open: permission denied
Apr 11 06:27:52 kirk named: zone rvdp.org/IN (signed): zone_resigninc:dns_journal_open -> unexpected error
Apr 11 06:27:52 kirk kernel: [482718.179540] audit: type=1400 audit(1523420872.843:1628): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/master/rvdp.org.signed.jnl" pid=1463 comm="named" requested_mask="w" denied_mask="w" fsuid=117 ouid=117
```
The file /etc/apparmor.d/usr.sbin.named has this part:
```
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
```
which means that /etc/bind and its subdirectories are read-only.
I decided to move my DNSSEC zone files to /var/lib/bind/master which has read-write permissions. This has fixed this problem.
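The denial and the fix can be checked mechanically. The following is an added example, not part of the original post: it parses the audit record shown above and evaluates the requested permission against the quoted profile rules, before and after the move. It assumes a simplified glob model (only `*` and `**`) and that the journal keeps its file name under /var/lib/bind/master.

```python
import re

# Kernel audit record from the post (syslog prefix removed).
AUDIT = ('audit: type=1400 audit(1523420872.843:1628): apparmor="DENIED" '
         'operation="open" profile="/usr/sbin/named" '
         'name="/etc/bind/master/rvdp.org.signed.jnl" pid=1463 comm="named" '
         'requested_mask="w" denied_mask="w" fsuid=117 ouid=117')

# File rules from /etc/apparmor.d/usr.sbin.named as quoted in the post.
RULES = """
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
"""

def parse_audit(line):
    """Return the key=value fields of an audit record as a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    out = ""
    for part in re.split(r"(\*\*|\*)", glob):
        out += {"**": ".*", "*": "[^/]*"}.get(part, re.escape(part))
    return re.compile(out + r"\Z")

def granted(path, rules=RULES):
    """Union of the permission letters of every rule that matches path."""
    perms = set()
    for line in rules.strip().splitlines():
        glob, letters = line.strip().rstrip(",").split()
        if glob_to_regex(glob).match(path):
            perms |= set(letters)
    return perms

def is_allowed(path, mask, rules=RULES):
    """True if the profile grants every permission letter in mask."""
    return set(mask) <= granted(path, rules)

if __name__ == "__main__":
    rec = parse_audit(AUDIT)
    # Assumed new location: same file name under /var/lib/bind/master.
    moved = rec["name"].replace("/etc/bind/", "/var/lib/bind/", 1)
    for path in (rec["name"], moved):
        verdict = "allowed" if is_allowed(path, rec["requested_mask"]) else "denied"
        print(f"{path}: '{rec['requested_mask']}' {verdict}, profile grants {sorted(granted(path))}")
```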