# [solved] Bind permission denied on DDNS Update via DHCP

## Rocky007

Hello,

When a client gets an IP via DHCP, I want to update the DNS zone as well.

I've set up bind with the zones etc. (no chroot environment), but it says "Permission Denied"...

```
13-Feb-2018 17:45:02.135 update-security: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: signer "dhcp_updater" approved
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' A 192.168.1.5
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': adding an RR at 'SGS7.intern.rock.lan' TXT "31736cad8d609e589a58b3efa14718a76c"
13-Feb-2018 17:45:02.135 general: error: pri/intern.rock.lan.jnl: create: permission denied
13-Feb-2018 17:45:02.135 update: info: client @0x7fd49002bcb0 127.0.0.1#11192/key dhcp_updater: updating zone 'intern.rock.lan/IN': error: journal open failed: unexpected error
13-Feb-2018 17:45:03.675 resolver: info: bad cookie from 192.168.178.1#53
```

```
ls -lah /etc/ | grep bind
drwxr-xr-x  2 named    root     4,0K 14. Feb 08:48 bind
```

```
ls -lah /etc/bind
drwxr-xr-x  2 named root  4,0K 14. Feb 08:48 .
drwxr-xr-x 82 root  root  4,0K 14. Feb 08:46 ..
-rw-r-----  1 root  named 3,9K 14. Feb 08:46 bind.keys
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 dyn -> /var/bind/dyn
-rw-r-----  1 root  named 2,2K  9. Feb 08:23 named.conf
-rw-r-----  1 root  named 1,6K  6. Feb 21:11 named.conf.save
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 pri -> /var/bind/pri
-rw-r-----  1 root  named   77  8. Aug 2017  rndc.key
lrwxrwxrwx  1 root  root    13 14. Feb 08:46 sec -> /var/bind/sec
```

```
ls -lah /etc/bind/pri
lrwxrwxrwx 1 root root 13 14. Feb 08:46 /etc/bind/pri -> /var/bind/pri
```

```
ls -lah /var/ | grep bind
drwxrwx---  5 root   named  4,0K 14. Feb 08:46 bind
```

```
ls -lah /var/bind
drwxrwx---  5 root  named 4,0K 14. Feb 08:46 .
drwxr-xr-x 13 root  root  4,0K 11. Dez 20:37 ..
drwxrwx---  2 root  named 4,0K 14. Feb 08:46 dyn
-rw-r--r--  1 named named 1,4K 14. Feb 08:26 managed-keys.bind
-rw-r--r--  1 named named  512 14. Feb 08:26 managed-keys.bind.jnl
-rw-r-----  1 root  named 3,3K 14. Feb 08:46 named.cache
drwxr-x---  2 root  named 4,0K 14. Feb 08:46 pri
lrwxrwxrwx  1 root  root    11 14. Feb 08:46 root.cache -> named.cache
drwxrwx---  2 root  named 4,0K 14. Feb 08:46 sec
```

Last edited by Rocky007 on Fri Feb 16, 2018 9:02 am; edited 2 times in total

----------

## bbgermany

Hi,

You have issues creating a journal file. Can you post your config files please? Maybe the issue is in there.

greets, bb

----------

## Rocky007

/etc/hosts

```
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# The format of lines in this file is:
#
# IP_ADDRESS    canonical_hostname      [aliases...]
#
#The fields can be separated by any number of spaces or tabs.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#
# IPv4 and IPv6 localhost aliases
127.0.0.1       sg1 ns localhost
::1             sg1 ns localhost
```

/etc/conf.d/named

```
# Set various named options here.
#
#OPTIONS=""

# Set this to the number of processors you want bind to use.
# Leave this unchanged if you want bind to automatically detect the number
#CPU="1"

# If you wish to run bind in a chroot:
# 1) un-comment the CHROOT= assignment, below. You may use
#    a different chroot directory but MAKE SURE it's empty.
# 2) run: emerge --config =<bind-version>
#
#CHROOT="/chroot/dns"

# Uncomment to enable binmount of /usr/share/GeoIP
#CHROOT_GEOIP="1"

# Uncomment the line below to avoid that the init script mounts the needed paths
# into the chroot directory.
# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
#CHROOT_NOMOUNT="1"

# Uncomment this option if you have setup your own chroot environment and you
# don't want/need the chroot consistency check
#CHROOT_NOCHECK=1

# Default pid file location
PIDFILE="${CHROOT}/run/named/named.pid"

# Scheduling priority: 19 is the lowest and -20 is the highest.
# Default: 0
#NAMED_NICELEVEL="0"

# Uncomment rc_named_use/rc_named_after for the database you need.
# Its necessary to ensure the database backend will be started before named.

# MySQL
#rc_named_use="mysql"
#rc_named_after="mysql"

# PostgreSQL
#rc_named_use="pg_autovacuum postgresql"
#rc_named_after="pg_autovacuum postgresql"

# LDAP
#rc_named_use="ldap"
#rc_named_after="ldap"
```

/etc/bind/named.conf

```
acl "xfer" {
        none;
};

acl "trusted" {
        127.0.0.0/8;
        192.168.1.0/24;
        192.168.2.0/24;
        192.168.3.0/24;
        ::1/128;
};

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<pw>";
};

options {
        directory "/var/bind";
        pid-file "/run/named/named.pid";
        //bindkeys-file "/etc/bind/bind.keys";
        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1/8; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24;};
        allow-query {
                trusted;
        };
        allow-query-cache {
                trusted;
        };
        allow-recursion {
                trusted;
        };
        allow-transfer {
                none;
        };
        allow-update {
                none;
        };
        forward first;
        forwarders {
                127.0.0.1;              // DNS Local
                192.168.178.1;          // FritzBox
                80.69.96.12;            // UM DNS
                81.210.129.4;           // UM DNS
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };
        dnssec-enable yes;
        //dnssec-validation yes;
        dnssec-validation auto;
        //query-source address * port 53;
};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { default_log; };
        category general { default_log; };
};

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { DHCP_UPDATER; };
};

zone "." in {
        type hint;
        file "/var/bind/named.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "intern.rock.lan" IN {
        type master;
        file "pri/intern.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "extern.rock.lan" IN {
        type master;
        file "pri/extern.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "vpn.rock.lan" IN {
        type master;
        file "pri/vpn.rock.lan";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "pri/1.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "2.168.192.in-addr.arpa" {
        type master;
        file "pri/2.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};

zone "3.168.192.in-addr.arpa" {
        type master;
        file "pri/3.168.192.zone";
        allow-update {
                key DHCP_UPDATER;
        };
};
```

/etc/bind/pri/localhost.zone

```
$TTL 1W
@       IN      SOA     localhost. root.localhost.  (
                                      2008122601 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      604800     ; Expire - 1 week
                                      86400 )    ; Minimum
@               IN      NS      localhost.
@               IN      A       127.0.0.1
@               IN      AAAA    ::1
```

/etc/bind/pri/intern.rock.lan

```
$TTL    86400
@       IN      SOA     ns.intern.rock.lan. root.intern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.intern.rock.lan.
        IN      A       192.168.1.1
ns                      IN      A       192.168.1.1
intern.rock.lan.        IN      A       192.168.1.1
```

/etc/bind/pri/1.168.192.zone

```
$TTL    86400
@       IN      SOA     ns.intern.rock.lan. root.intern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.intern.rock.lan.
1       IN      PTR     ns.intern.rock.lan.
```

/etc/bind/pri/extern.rock.lan

```
$TTL    86400
@       IN      SOA     ns.extern.rock.lan. root.extern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.extern.rock.lan.
        IN      A       192.168.2.1
ns                      IN      A       192.168.2.1
extern.rock.lan.        IN      A       192.168.2.1
```

/etc/bind/pri/2.168.192.zone

```
$TTL    86400
@       IN      SOA     ns.extern.rock.lan. root.extern.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.extern.rock.lan.
1       IN      PTR     ns.extern.rock.lan.
```

/etc/bind/pri/vpn.rock.lan

```
$TTL    86400
@       IN      SOA     ns.vpn.rock.lan. root.vpn.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.vpn.rock.lan.
        IN      A       192.168.3.1
ns                      IN      A       192.168.3.1
vpn.rock.lan.           IN      A       192.168.3.1
```

/etc/bind/pri/3.168.192.zone

```
$TTL    86400
@       IN      SOA     ns.vpn.rock.lan. root.vpn.rock.lan. (
        20180206 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ; Default TTL
)
        IN      NS      ns.vpn.rock.lan.
1       IN      PTR     ns.vpn.rock.lan.
```

----------

## bbgermany

Hi,

Everything looks good so far. Can you check the permissions of the files in /etc/bind/pri/? When a DDNS update is running, the bind service tries to create a .jnl file there for the corresponding zone file.

Is your dhcp server configured for the ddns updates as well? Do you have your dhcp server settings set like in this debian howto: https://wiki.debian.org/DDNS#DHCP_Server_Configuration

greets, bb

----------

## Rocky007

ls -lah /etc/bind/pri

```
drwxr-x--- 2 root named 4,0K 14. Feb 08:46 .
drwxrwx--- 5 root named 4,0K 15. Feb 08:38 ..
-rw-r--r-- 1 root root     0 14. Feb 08:46 .keep_net-dns_bind-0
-rw-r--r-- 1 root named  269  8. Feb 09:03 1.168.192.zone
-rw-r--r-- 1 root named  293  8. Feb 09:03 2.168.192.zone
-rw-r--r-- 1 root root   281  9. Feb 08:23 3.168.192.zone
-rw-r--r-- 1 root root   292  8. Feb 00:21 extern.rock.lan
-rw-r--r-- 1 root named  297  8. Feb 00:20 intern.rock.lan
-rw-r----- 1 root named  426 14. Feb 08:46 localhost.zone
-rw-r--r-- 1 root root   281  9. Feb 08:22 vpn.rock.lan
```

/etc/dhcpd/dhcpd.conf

```
default-lease-time 600;
max-lease-time 7200;
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
deny-client-update;
authoritative;
log-facility local7;

key "DHCP_UPDATER" {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret "<pw>";
};

zone intern.rock.lan. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone extern.rock.lan. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 2.168.192.in-addr.arpa {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.2 192.168.1.254;
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option domain-name "intern.rock.lan";
        option domain-name-servers ns.intern.rock.lan;
        option domain-search "intern.rock.lan";
        ddns-domainname "intern.rock.lan";
        ddns-rev-domainname "1.168.192.in-addr.arpa.";
        deny unknown-clients;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.2 192.168.2.254;
        option routers 192.168.2.1;
        option broadcast-address 192.168.2.255;
        option domain-name "extern.rock.lan";
        option domain-name-servers ns.extern.rock.lan;
        option domain-search "extern.rock.lan";
        ddns-domainname "extern.rock.lan";
        ddns-rev-domainname "2.168.192.in-addr.arpa.";
        allow unknown-clients;
}

host JUPITER {
        hardware ethernet 5c:e0:c5:ef:29:ff;
        fixed-address 192.168.1.3;
        ddns-hostname "JUPITER";
}

host VENUS {
        hardware ethernet c8:9c:dc:d1:b9:ba;
        fixed-address 192.168.1.4;
        ddns-hostname "VENUS";
}

host SGS7 {
        hardware ethernet 8c:f5:a3:7a:19:9c;
        fixed-address 192.168.1.5;
        ddns-hostname "SGS7";
}

host Switch {
        hardware ethernet 8c:3b:ad:1a:f8:81;
        fixed-address 192.168.2.254;
        ddns-hostname "Switch";
}
```

`<pw>` is the same in both files.

----------

## bbgermany

Can you do manual updates via "nsupdate"? I'm not quite sure about the permissions of your files. Maybe they need a review.

greets, bb

----------

## Rocky007

No, I can't...

```
echo "server 127.0.0.1
update add test.extern.rock.lan 3600 IN A 192.168.2.100
send
update add 2.168.192.in-addr.arpa 3600 IN PTR test.extern.rock.lan
send
quit
" | nsupdate -k /etc/bind/rndc.key
```

```
update failed: SERVFAIL
update failed: SERVFAIL
```

```
16-Feb-2018 08:25:49.475 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 08:25:49.475 general: error: pri/extern.rock.lan.jnl: create: permission denied
16-Feb-2018 08:25:49.475 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone 'extern.rock.lan/IN': error: journal open failed: unexpected error
16-Feb-2018 08:25:49.476 update-security: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.
16-Feb-2018 08:25:49.476 general: error: pri/2.168.192.zone.jnl: create: permission denied
16-Feb-2018 08:25:49.476 update: info: client @0x7fd00c13f1b0 127.0.0.1#29911/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': error: journal open failed: unexpected error
```

----------

## bbgermany

Please change the permissions on /var/bind and all subdirs/files to user and group named. Afterwards, try again with nsupdate.

greets, bb
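
A way to verify the condition bbgermany describes in the last two replies (named must be able to create the `.jnl` journal in the zone directory), as an added example that is not from this thread: a POSIX shell check that takes the mode, owner and group fields exactly as `ls -ld` prints them and decides whether a given user could create files there. The names `can_create` and `check_zone_dir` and the default user `named` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether a user can create
# files, such as BIND's <zone>.jnl journals, in a directory, from the same
# fields that 'ls -ld' prints. Helper names and the default user are assumed.
#
# can_create MODE OWNER GROUP USER "GROUPS"
#   MODE   the 10-character string from ls, e.g. drwxr-x---
#   GROUPS the space-separated groups USER belongs to (output of 'id -Gn USER')
# Returns 0 when USER may create files in the directory, 1 otherwise.
can_create() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # Only a directory can hold the journal; creating a file needs w+x on it.
    case $mode in d*) ;; *) return 1 ;; esac
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)       # owner triplet
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)      # "other" triplet
        for g in $groups; do                          # group triplet if member
            [ "$g" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c5-7)
        done
    fi
    # 'x' or 's' (setuid/setgid) both grant search; 'S' and '-' do not.
    case $bits in ?w[xs]) return 0 ;; *) return 1 ;; esac
}

# check_zone_dir DIR [USER]: read the live permissions of DIR and report
# whether USER (default: named, the user BIND runs as in the thread) can
# create journal files there.
check_zone_dir() {
    dir=$1 user=${2:-named}
    set -- $(ls -ld "$dir")        # $1 mode, $3 owner, $4 group
    if can_create "$1" "$3" "$4" "$user" "$(id -Gn "$user" 2>/dev/null)"; then
        echo "$dir: $user can create journal files ($1 $3:$4)"
    else
        echo "$dir: $user CANNOT create journal files ($1 $3:$4)" >&2
        return 1
    fi
}

# The state from the thread before the fix: /var/bind/pri is root:named with
# mode drwxr-x---, so named has no write bit and every .jnl create fails.
can_create drwxr-x--- root named named "named" || echo "pri: expect 'create: permission denied'"
```

Run `check_zone_dir /var/bind/pri` on the server itself to test the real directory; the `ls -ld` parsing also copes with a trailing `+` or `.` that ACLs or SELinux add to the mode column.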

----------

## Rocky007

Now it seems to work :)

```
16-Feb-2018 09:28:46.212 update-security: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.212 update: info: client @0x7ff18814d890 127.0.0.1#21646/key dhcp_updater: updating zone 'extern.rock.lan/IN': adding an RR at 'test.extern.rock.lan' A 192.168.2.100
16-Feb-2018 09:28:46.232 update-security: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: signer "dhcp_updater" approved
16-Feb-2018 09:28:46.232 update: info: client @0x7ff188105630 127.0.0.1#21646/key dhcp_updater: updating zone '2.168.192.in-addr.arpa/IN': adding an RR at '2.168.192.in-addr.arpa' PTR test.extern.rock.lan.
```

But in the zone files I can't see the entries for this. Or are they inserted and removed automatically?

----------

## bbgermany

This can take a while; that's why the ".jnl" files are created. All entries are written to these journal files first and a bit later, via a commit, to the actual zone file.

greets, bb

----------

