BIND and apparmor

Ronald van der Pol
Fri, Apr 13, 2018 - 153 Words - 1 minutes
Categories: Linux DNS

I run DNS for my own domain ( and it also supports DNSSEC. DNSSEC suddenly stopt working and it turned out that a change in Ubuntu 18.04 apparmor(7) was the reason. In syslog I found this:

Apr 11 06:27:52 kirk named[1447]: master/ open: permission denied
Apr 11 06:27:52 kirk named[1447]: zone (signed): zone_resigninc:dns_journal_open -> unexpected error
Apr 11 06:27:52 kirk kernel: [482718.179540] audit: type=1400 audit(1523420872.843:1628): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/master/" pid=1463 comm="named" requested_mask="w" denied_mask="w" fsuid=117 ouid=117

The file /etc/apparmor.d/usr.sbin.named has this part:

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

which means that /etc/bind and its subdirectories are readonly.

I deciced to move my DNSSEC zone files to /var/lib/bind/master which has read-write permissions. This has fixed this problem.