Package: bind9
Version: 1:9.11.4+dfsg-3
Severity: grave
Justification: renders package unusable
Dear Maintainer,
bind9 9.11.4+dfsg-3's /etc/apparmor.d/usr.sbin.named is missing a comma at the end of line 33, which causes apparmor to fail to parse the profile and, in turn, to deny bind9 access to /usr/share/dns/root.hints:
Ιουλ 30 10:36:23 hs named[21729]: could not configure root hints from '/usr/share/dns/root.hints': permission denied
Ιουλ 30 10:36:23 hs named[21729]: loading configuration: permission denied
Ιουλ 30 10:36:23 hs named[21729]: exiting (due to fatal error)
After adding a comma at the end of this line, bind9 is able to start again:
/usr/share/dns/root.* r
Thank you!
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.17.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8),
LANGUAGE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bind9 depends on:
ii adduser 3.117
ii bind9utils 1:9.11.4+dfsg-3
ii debconf [debconf-2.0] 1.5.69
ii dns-root-data 2018013001
ii libbind9-160 1:9.11.4+dfsg-3
ii libc6 2.27-5
ii libcap2 1:2.25-1.2
ii libcom-err2 1.44.3-1
ii libdns1102 1:9.11.4+dfsg-3
ii libfstrm0 0.3.0-1+b1
ii libgeoip1 1.6.12-1
ii libgssapi-krb5-2 1.16-2
ii libisc169 1:9.11.4+dfsg-3
ii libisccc160 1:9.11.4+dfsg-3
ii libisccfg160 1:9.11.4+dfsg-3
ii libjson-c3 0.12.1-1.3
ii libk5crypto3 1.16-2
ii libkrb5-3 1.16-2
ii liblmdb0 0.9.22-1
ii liblwres160 1:9.11.4+dfsg-3
ii libprotobuf-c1 1.2.1-2
ii libssl1.1 1.1.0h-4
ii libxml2 2.9.4+dfsg1-7+b1
ii lsb-base 9.20170808
ii net-tools 1.60+git20161116.90da8a0-2
ii netbase 5.4
ii zlib1g 1:1.2.11.dfsg-1
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.4+dfsg-3
pn resolvconf <none>
pn ufw <none>
-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed:
/usr/sbin/named flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/ddns.key";
include "/etc/bind/view.main";
include "/etc/bind/view.internet";
include "/etc/bind/view.local";
/etc/bind/named.conf.options changed:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
dnssec-validation auto;
check-names master ignore;
allow-transfer {
localhost;
};
notify no;
forwarders {
// 10.1.0.2;
2a02:587:101:0:212:205:212:205;
2a02:587:101:0:195:170:0:1;
212.205.212.205;
195.170.0.1;
};
listen-on-v6 {
any;
// ::1;
// fd11:2358:1321:3401::1;
};
listen-on {
127.0.0.1;
10.1.0.1;
};
};
logging {
channel default_syslog {
syslog daemon;
print-category yes;
};
category general { null; };
category dnssec { null; };
category resolver { null; };
category lame-servers { null; };
category edns-disabled { null; };
category update { null; };
category update-security { null; };
category xfer-in { null; };
category xfer-out { null; };
category notify { null; };
};
-- debconf information:
bind9/different-configuration-file:
bind9/run-resolvconf: false
bind9/start-as-user: bind