
Ubuntu: cannot write zone example.com file example.com.zone.signed~: Permission denied

Open nicheosala opened this issue 4 months ago • 3 comments

I use NSD as a secondary name server on Ubuntu. When NSD is asked to write a zone into the zonefile, for example using sudo nsd-control write example.com, journalctl shows the error in the title of this issue:

cannot write zone example.com file example.com.zone.signed~: Permission denied

This is the content of /etc/systemd/system/nsd.service, which is the default Ubuntu systemd unit file:

[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target

[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d -P ""
ExecReload=+/bin/kill -HUP $MAINPID
# CAP_NET_ADMIN and CAP_NET_RAW required for IP_TRANSPARENT
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
KillMode=mixed
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

[Install]
WantedBy=multi-user.target

This is the content of my /etc/nsd/nsd.conf:

remote-control:
    control-enable: yes

server:
    ip-address: 0.0.0.0
    ip-address: ::0
    
    verbosity: 1
    log-only-syslog: yes
    
    hide-version: yes
    hide-identity: yes
    minimal-responses: yes
    refuse-any: yes

key:
    name: "mykey"
    algorithm: hmac-sha256
    secret: XXX

zone:
    name: "example.com"
    allow-notify: X.X.X.X mykey
    request-xfr: X.X.X.X mykey

I replaced my real zone name with example.com everywhere.

nicheosala, Oct 06 '24 07:10
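An added diagnostic, not from the issue author or the NSD project: it checks whether the directory into which NSD would write the `example.com.zone.signed~` temporary file (created next to the zonefile, as the error message shows) is covered by a ReadWritePaths= entry when ProtectSystem=strict is set. The unit excerpt and the candidate zonefile locations are constructed here for illustration; the daemon's Unix ownership of that directory is a separate check this script does not perform.

```shell
#!/bin/sh
# Constructed excerpt of the hardening lines from the Ubuntu nsd.service shown in the issue.
UNIT_TEXT='[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd'

# unit_rw_paths: print each ReadWritePaths= entry from unit text on stdin, one per line.
unit_rw_paths() {
    sed -n 's/^ReadWritePaths=//p' | tr ' ' '\n' | sed '/^$/d'
}

# zone_dir_allowed UNIT_TEXT ZONEFILE: exit 0 when the directory holding ZONEFILE is
# writable under the sandbox, exit 1 when ProtectSystem=strict leaves it read-only.
# NSD writes "<zonefile>~" beside the zonefile and renames it, so the directory matters.
# Only ProtectSystem=strict is modelled; any other setting is treated as not restricting.
zone_dir_allowed() {
    unit_text=$1
    zonefile=$2
    dir=$(dirname -- "$zonefile")
    printf '%s\n' "$unit_text" | grep -qx 'ProtectSystem=strict' || return 0
    for rw in $(printf '%s\n' "$unit_text" | unit_rw_paths); do
        case "$dir" in
            "$rw"|"$rw"/*) return 0 ;;
        esac
    done
    return 1
}

# Demonstration on two constructed zonefile locations (hypothetical paths).
for zf in /var/lib/nsd/example.com.zone.signed /srv/zones/example.com.zone.signed; do
    if zone_dir_allowed "$UNIT_TEXT" "$zf"; then
        echo "$zf: directory is within ReadWritePaths, sandbox permits the write"
    else
        echo "$zf: directory is NOT within ReadWritePaths, expect 'Permission denied'"
    fi
done
```

Run it on a real host by replacing UNIT_TEXT with the output of `systemctl cat nsd`, and remember that the unit's sandbox and the filesystem permissions of the nsd user must both allow the write.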