[question] the import function doesn't want to import even though it's valid
Summary
I was following the NixOS wiki guide for ACME validation with BIND, but I have a problem where BIND doesn't want to read the parsed key file even though it has access: `-r-------- 1 named root 121 Nov 17 19:45 /var/lib/secrets/dnskeys.conf`
It's a valid file; it even works when I manually add the file where it should be.
BIND version used
```
BIND 9.18.8 (Stable Release) <id:35f5d35>
running on Linux x86_64 5.15.75 #1-NixOS SMP Wed Oct 26 10:35:57 UTC 2022
compiled by GCC 11.3.0
compiled with OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
linked to OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.49.0
linked to libnghttp2 version: 1.49.0
compiled with libxml2 version: 2.10.2
linked to libxml2 version: 21002
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.12
threads support is enabled

DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/named.conf
  rndc configuration:   /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/rndc.conf
  DNSSEC root key:      /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock
```
Steps to reproduce
Import the NixOS files and run it: nixos.zip
What is the current bug behavior?
Launch fails.
What is the expected correct behavior?
It should import the file and launch as it does if I do it manually.
Relevant logs and/or screenshots
```
$ named-checkconf -px
open: /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/named.conf: file not found
```
```
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: Starting BIND Domain Name Server...
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: Started BIND Domain Name Server.
Nov 17 20:01:02 scw-heuristic-jennings named[844]: starting BIND 9.18.8 (Stable Release) <id:35f5d35>
Nov 17 20:01:02 scw-heuristic-jennings named[844]: running on Linux x86_64 5.15.75 #1-NixOS SMP Wed Oct 26 10:35:57 UTC 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: running as: named -u named -c /nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf -f
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled by GCC 11.3.0
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with libxml2 version: 2.10.2
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to libxml2 version: 21002
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with zlib version: 1.2.12
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to zlib version: 1.2.12
Nov 17 20:01:02 scw-heuristic-jennings named[844]: ----------------------------------------------------
Nov 17 20:01:02 scw-heuristic-jennings named[844]: BIND 9 is maintained by Internet Systems Consortium,
Nov 17 20:01:02 scw-heuristic-jennings named[844]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 17 20:01:02 scw-heuristic-jennings named[844]: corporation. Support and training for BIND 9 are
Nov 17 20:01:02 scw-heuristic-jennings named[844]: available at https://www.isc.org/support
Nov 17 20:01:02 scw-heuristic-jennings named[844]: ----------------------------------------------------
Nov 17 20:01:02 scw-heuristic-jennings named[844]: adjusted limit on open files from 524288 to 1048576
Nov 17 20:01:02 scw-heuristic-jennings named[844]: found 4 CPUs, using 4 worker threads
Nov 17 20:01:02 scw-heuristic-jennings named[844]: using 4 UDP listeners per interface
Nov 17 20:01:02 scw-heuristic-jennings named[844]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
Nov 17 20:01:02 scw-heuristic-jennings named[844]: DS algorithms: SHA-1 SHA-256 SHA-384
Nov 17 20:01:02 scw-heuristic-jennings named[844]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
Nov 17 20:01:02 scw-heuristic-jennings named[844]: TKEY mode 2 support (Diffie-Hellman): yes
Nov 17 20:01:02 scw-heuristic-jennings named[844]: TKEY mode 3 support (GSS-API): yes
Nov 17 20:01:02 scw-heuristic-jennings named[844]: config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future
Nov 17 20:01:02 scw-heuristic-jennings named[844]: loading configuration from '/nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf'
Nov 17 20:01:02 scw-heuristic-jennings named[844]: /nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf:21: parsing failed: file not found
Nov 17 20:01:02 scw-heuristic-jennings named[844]: loading configuration: file not found
Nov 17 20:01:02 scw-heuristic-jennings named[844]: exiting (due to fatal error)
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: bind.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: bind.service: Failed with result 'exit-code'.
```
```
include "/etc/bind/rndc.key";
controls {
  inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};

acl cachenetworks { 127.0.0.0/24; };
acl badnetworks { };

options {
  listen-on { any; };
  listen-on-v6 { any; };
  allow-query { cachenetworks; };
  blackhole { badnetworks; };
  forward first;
  forwarders { 1.1.1.1; 8.8.8.8; };
  directory "/run/named";
  pid-file "/run/named/named.pid";
};

include "/var/lib/secrets/dnskeys.conf";

zone "bruno-neumann.com" {
  type master;
  file "/nix/store/g06fd0shizzn6mc5zdzcwwc7rxzxzam6-bruno-neumann.com.zone";
  allow-transfer { };
  allow-query { any; };
  allow-update { key rfc2136key.bruno-neumann.com.; };
};
```
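A check worth running on a report like this, added here and not from the reporter, NixOS or BIND: mode 0400 on the key file is only part of the picture, because the user named drops to (`-u named`) must also be able to search every directory on the include path, and BIND typically reports ENOENT as "file not found" and EACCES as "permission denied", so a path this script says is readable but that named still cannot find usually means named does not see the same filesystem (a sandboxed unit or a different mount namespace). The script evaluates POSIX mode bits only; the `named` user name and the include path are assumptions taken from the issue.

```python
import os
import stat
from pathlib import Path

# Constructed example, not the reporter's setup: the include path from the
# issue's named.conf and the uid/gid that "named -u named" runs as are assumed.
INCLUDE_PATH = "/var/lib/secrets/dnskeys.conf"


def _mode_allows(st, uid, gid, groups, owner_bit, group_bit, other_bit):
    """Classic POSIX permission classes: owner, then group, then others.
    uid 0 is treated as always allowed (CAP_DAC_READ_SEARCH)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_include_path(path, uid, gid, groups=()):
    """Walk each component of an absolute path as the given user.
    Every directory needs search ('x') permission and the final file needs
    read ('r'). Returns (ok, failing_component, reason). Only mode bits are
    evaluated: ACLs, mount namespaces and systemd sandboxing are not seen."""
    parts = Path(path).parts
    if not parts or parts[0] != os.sep:
        return False, str(path), "path must be absolute"
    for i in range(1, len(parts) + 1):
        cur = Path(*parts[:i])
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            return False, str(cur), "does not exist"
        if i < len(parts):
            if not stat.S_ISDIR(st.st_mode):
                return False, str(cur), "not a directory"
            if not _mode_allows(st, uid, gid, groups,
                                stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False, str(cur), f"not searchable by uid {uid}"
        elif not _mode_allows(st, uid, gid, groups,
                              stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            return False, str(cur), f"not readable by uid {uid}"
    return True, None, None


if __name__ == "__main__":
    import pwd
    named = pwd.getpwnam("named")  # assumption: service user is "named"; KeyError if absent
    print(check_include_path(INCLUDE_PATH, named.pw_uid, named.pw_gid))
```

Run it on the host as root so every component can be stat'ed; if it returns ok for the named uid and gid, compare the unit's sandbox settings (`systemctl show bind.service`) before changing any permissions.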