Content-Transfer-Encoding: 8bit
content-type: text/plain; charset="utf-8"
X-RT-Original-Encoding: iso-8859-2
Content-Length: 1798

Hello,

I mentioned already in ticket for new-zones-directory option we ship
BIND with /var/named directory read-only to named user by default. In
default installation named daemon can write into
/var/named/{data,dynamic,slaves} but not /var/named. Read ticket #44853
for more detailed explanation.

New feature Negative Trust Anchor was added in BIND 9.11 for short term
DNSSEC exceptions. Because there is no configuration option to move NTA
files into different directory, it will always fail to save the file on
Fedora 26+. Because current implementation first opens the file and only
then checks if NTA is even used or non-empty, it will log error on every
shutdown. (Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1487823)

I attached patch to provide configuration option to save nta files into
custom subdirectory. That would allow stored NTA to be permanently saved
into subdirectory where writing is allowed.

It is a little unfortunate that it will try to save exceptions only on
shutdown. If saving fails, NTA entries are lost without possibility to
fixing permissions/freeing space and retry. It logs failure, but you can
react next time only. I guess NTA store/loading is still simple to avoid
synchronization and locking problems.

I made a change to populate default view nta_file with NULL value from
dns_view_create(). It is changed after calling dns_view_ntapermanent().
This way internal views (_bind) NTAs are not stored permanently. I think
that should be ok, shouldn't it? Before it always created files for any
view and deleted empty ones afterwards. This change will load, save and
delete only files from views where dns_view_ntapermanent() were called.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com  PGP: 65C6C973