[nsd-users] NSD still shows permission errors on Debian 10 Buster
Paul Wouters
paul at nohats.ca
Sat May 9 14:15:57 UTC 2020
Looks like the packager / maintainer needs to add User and Group settings to “nsd” in the systemd service files ?
Sent from my iPhone
> On May 9, 2020, at 01:13, Kaulkwappe via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
>
> Dear colleagues,
>
> unfortunately NSD 4.1.26 still does not work on Debian 10 Buster due to permission errors.
>
> I have tested it on two fresh Debian 10 Buster installations and I still get this error messages:
>
> > error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
> > warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> > error: could not open zone list /var/lib/nsd/zone.list: Permission denied
> > error: could not read zonelist file /var/lib/nsd/zone.list
>
> Please find attached the configuration file I use (in this case for the master, slave is almost the same).
>
> Kind Regards,
> Kaulkwappe
>
> ---
>
> #
> # nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
> #
> # Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
> #
> # See LICENSE for the license.
> #
>
> # This is a comment.
> # Sample configuration file
> # include: "file" # include that file's text over here. Globbed, "*.conf"
>
> # options for the nsd server
> server:
> # Number of NSD servers to fork. Put the number of CPUs to use here.
> # server-count: 1
>
> # uncomment to specify specific interfaces to bind (default are the
> # wildcard interfaces 0.0.0.0 and ::0).
> # For servers with multiple IP addresses, list them one by one,
> # or the source address of replies could be wrong.
> # Use ip-transparent to be able to list addresses that turn on later.
> # ip-address: 1.2.3.4
> # ip-address: 1.2.3.4 at 5678
> # ip-address: 12fe::8ef0
>
> ip-address: 45.***.***.***
> ip-address: 2a03:***:***:***::***
>
> # Allow binding to non local addresses. Default no.
> # ip-transparent: no
>
> # Allow binding to addresses that are down. Default no.
> # ip-freebind: no
>
> # use the reuseport socket option for performance. Default no.
> # reuseport: no
>
> # enable debug mode, does not fork daemon process into the background.
> # debug-mode: no
>
> # listen on IPv4 connections
> do-ip4: yes
>
> # listen on IPv6 connections
> do-ip6: yes
>
> # port to answer queries on. default is 53.
> port: 53
>
> # Verbosity level.
> # verbosity: 0
>
> # After binding socket, drop user privileges.
> # can be a username, id or id.gid.
> username: nsd
>
> # Run NSD in a chroot-jail.
> # make sure to have pidfile and database reachable from there.
> # by default, no chroot-jail is used.
> # chroot: "/etc/nsd"
>
> # The directory for zonefile: files. The daemon chdirs here.
> zonesdir: "/etc/nsd/zones"
>
> # the list of dynamically added zones.
> zonelistfile: "/var/lib/nsd/zone.list"
>
> # the database to use
> # if set to "" then no disk-database is used, less memory usage.
> #database: "/var/lib/nsd/nsd.db"
> database: ""
>
> # log messages to file. Default to stderr and syslog (with
> # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
> logfile: "/var/log/nsd.log"
>
> # File to store pid for nsd in.
> pidfile: "/run/nsd/nsd.pid"
>
> # The file where secondary zone refresh and expire timeouts are kept.
> # If you delete this file, all secondary zones are forced to be
> # 'refreshing' (as if nsd got a notify). Set to "" to disable.
> # xfrdfile: "/var/lib/nsd/xfrd.state"
>
> # The directory where zone transfers are stored, in a subdir of it.
> # xfrdir: "/tmp"
>
> # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
> hide-version: yes
>
> # version string the server responds with for chaos queries.
> # default is 'NSD x.y.z' with the server's version number.
> # version: "NSD"
>
> # identify the server (CH TXT ID.SERVER entry).
> # identity: "unidentified server"
>
> # NSID identity (hex string, or "ascii_somestring"). default disabled.
> # nsid: "aabbccdd"
>
> # Maximum number of concurrent TCP connections per server.
> # tcp-count: 100
>
> # Maximum number of queries served on a single TCP connection.
> # By default 0, which means no maximum.
> # tcp-query-count: 0
>
> # Override the default (120 seconds) TCP timeout.
> # tcp-timeout: 120
>
> # Maximum segment size (MSS) of TCP socket on which the server
> # responds to queries. Default is 0, system default MSS.
> # tcp-mss: 0
>
> # Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
> # Default is 0, system default MSS.
> # outgoing-tcp-mss: 0
>
> # Preferred EDNS buffer size for IPv4.
> # ipv4-edns-size: 4096
>
> # Preferred EDNS buffer size for IPv6.
> # ipv6-edns-size: 4096
>
> # statistics are produced every number of seconds. Prints to log.
> # Default is 0, meaning no statistics are produced.
> #statistics: 3600
>
> # Number of seconds between reloads triggered by xfrd.
> # xfrd-reload-timeout: 1
>
> # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
> # log-time-ascii: yes
>
> # round robin rotation of records in the answer.
> # round-robin: no
>
> # check mtime of all zone files on start and sighup
> # zonefiles-check: yes
>
> # write changed zonefiles to disk, every N seconds.
> # default is 0(disabled) or 3600(if database is "").
> zonefiles-write: 1800
>
> # RRLconfig
> # Response Rate Limiting, size of the hashtable. Default 1000000.
> # rrl-size: 1000000
>
> # Response Rate Limiting, maximum QPS allowed (from one query source).
> # If set to 0, ratelimiting is disabled. Also set
> # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
> # Default is on.
> # rrl-ratelimit: 200
>
> # Response Rate Limiting, number of packets to discard before
> # sending a SLIP response (a truncated one, allowing an honest
> # resolver to retry with TCP). Default is 2 (one half of the
> # queries will receive a SLIP response, 0 disables SLIP (all
> # packets are discarded), 1 means every request will get a
> # SLIP response. When the ratelimit is hit the traffic is
> # divided by the rrl-slip value.
> # rrl-slip: 2
>
> # Response Rate Limiting, IPv4 prefix length. Addresses are
> # grouped by netblock.
> # rrl-ipv4-prefix-length: 24
>
> # Response Rate Limiting, IPv6 prefix length. Addresses are
> # grouped by netblock.
> # rrl-ipv6-prefix-length: 64
>
> # Response Rate Limiting, maximum QPS allowed (from one query source)
> # for whitelisted types. Default is on.
> # rrl-whitelist-ratelimit: 2000
> # RRLend
>
> # Remote control config section.
> remote-control:
> # Enable remote control with nsd-control(8) here.
> # set up the keys and certificates with nsd-control-setup.
> control-enable: yes
>
> # what interfaces are listened to for control, default is on localhost.
> control-interface: 127.0.0.1
> #control-interface: ::1
>
> # port number for remote control operations (uses TLS over TCP).
> control-port: 8952
>
> # nsd server key file for remote control.
> server-key-file: "/etc/nsd/nsd_server.key"
>
> # nsd server certificate file for remote control.
> server-cert-file: "/etc/nsd/nsd_server.pem"
>
> # nsd-control key file.
> control-key-file: "/etc/nsd/nsd_control.key"
>
> # nsd-control certificate file.
> control-cert-file: "/etc/nsd/nsd_control.pem"
>
>
> # Secret keys for TSIGs that secure zone transfers.
> # You could include: "secret.keys" and put the 'key:' statements in there,
> # and give that file special access control permissions.
> #
> key:
> # The key name is sent to the other party, it must be the same
> name: "masterkey"
> # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
> algorithm: sha384
> # secret material, must be the same as the other party uses.
> # base64 encoded random number.
> # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
> secret: "***"
>
>
> # Patterns have zone configuration and they are shared by one or more zones.
> #
> pattern:
> # name by which the pattern is referred to
> name: "nsd-api"
> # the zonefile for the zones that use this pattern.
> # if relative then from the zonesdir (inside the chroot).
> # the name is processed: %s - zone name (as appears in zone:name).
> # %1 - first character of zone name, %2 second, %3 third.
> # %z - topleveldomain label of zone, %y, %x next labels in name.
> # if label or character does not exist you get a dot '.'.
> # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
> zonefile: "%s.zone"
>
> # If no master and slave access control elements are provided,
> # this zone will not be served to/from other servers.
>
> # A master zone needs notify: and provide-xfr: lists. A slave
> # may also allow zone transfer (for debug or other secondaries).
> # notify these slaves when the master zone changes, address TSIG|NOKEY
> # IP can be ipv4 and ipv6, with @port for a nondefault port number.
> notify: 95.***.***.*** masterkey
> # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
> # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
> provide-xfr: 95.***.***.*** masterkey
> # set the number of retries for notify.
> #notify-retry: 5
>
> # uncomment to provide AXFR to all the world
> # provide-xfr: 0.0.0.0/0 NOKEY
> # provide-xfr: ::0/0 NOKEY
>
> # A slave zone needs allow-notify: and request-xfr: lists.
> #allow-notify: 2001:db8::0/64 my_tsig_key_name
> # By default, a slave will request a zone transfer with IXFR/TCP.
> # If you want to make use of IXFR/UDP use: UDP addr tsigkey
> # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
> #request-xfr: 192.0.2.2 the_tsig_key_name
> # Attention: You cannot use UDP and AXFR together. AXFR is always over
> # TCP. If you use UDP, we higly recommend you to deploy TSIG.
> # Allow AXFR fallback if the master does not support IXFR. Default
> # is yes.
> #allow-axfr-fallback: yes
> # set local interface for sending zone transfer requests.
> # default is let the OS choose.
> #outgoing-interface: 10.0.0.10
> # limit the refresh and retry interval in seconds.
> #max-refresh-time: 2419200
> #min-refresh-time: 0
> #max-retry-time: 1209600
> #min-retry-time: 0
> # Slave server tries zone transfer to all masters and picks highest
> # zone version available, for when masters have different versions.
> #multi-master-check: no
>
> # limit the zone transfer size (in bytes), stops very large transfers
> # 0 is no limits enforced.
> # size-limit-xfr: 0
>
> # if compiled with --enable-zone-stats, give name of stat block for
> # this zone (or group of zones). Output from nsd-control stats.
> # zonestats: "%s"
>
> # if you give another pattern name here, at this point the settings
> # from that pattern are inserted into this one (as if it were a
> # macro). The statement can be given in between other statements,
> # because the order of access control elements can make a difference
> # (which master to request from first, which slave to notify first).
> #include-pattern: "common-masters"
>
>
> # Fixed zone entries. Here you can config zones that cannot be deleted.
> # Zones that are dynamically added and deleted are put in the zonelist file.
> #
> # zone:
> # name: "example.com"
> # you can give a pattern here, all the settings from that pattern
> # are then inserted at this point
> # include-pattern: "master"
> # You can also specify (additional) options directly for this zone.
> # zonefile: "example.com.zone"
> # request-xfr: 192.0.2.1 example.com.key
>
> # RRLconfig
> # Response Rate Limiting, whitelist types
> # rrl-whitelist: nxdomain
> # rrl-whitelist: error
> # rrl-whitelist: referral
> # rrl-whitelist: any
> # rrl-whitelist: rrsig
> # rrl-whitelist: wildcard
> # rrl-whitelist: nodata
> # rrl-whitelist: dnskey
> # rrl-whitelist: positive
> # rrl-whitelist: all
> # RRLend
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20200509/4dc7bba7/attachment-0001.htm>
More information about the nsd-users
mailing list