Hello,

I already mentioned in the ticket for the new-zones-directory option that we ship BIND with the /var/named directory read-only to the named user by default. In a default installation the named daemon can write into /var/named/{data,dynamic,slaves} but not into /var/named. Read ticket #44853 for a more detailed explanation.

A new feature, Negative Trust Anchor, was added in BIND 9.11 for short-term DNSSEC exceptions. Because there is no configuration option to move NTA files into a different directory, it will always fail to save the file on Fedora 26+. Because the current implementation first opens the file and only then checks whether an NTA is even used or non-empty, it will log an error on every shutdown. (Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1487823)

I attached a patch to provide a configuration option to save NTA files into a custom subdirectory. That would allow stored NTAs to be permanently saved into a subdirectory where writing is allowed.

It is a little unfortunate that it will try to save exceptions only on shutdown. If saving fails, NTA entries are lost without the possibility of fixing permissions/freeing space and retrying. It logs the failure, but you can only react next time. I guess NTA storing/loading is kept simple to avoid synchronization and locking problems.

I made a change to populate the default view's nta_file with a NULL value from dns_view_create(). It is changed after calling dns_view_ntapermanent(). This way internal views (_bind) NTAs are not stored permanently. I think that should be ok, shouldn't it? Before, it always created files for any view and deleted empty ones afterwards. This change will load, save and delete only files from views where dns_view_ntapermanent() was called.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com  PGP: 65C6C973
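The two failure modes described in the message (opening the NTA file before checking whether there is anything to write, and having no configurable, writable directory for it) can be illustrated with a small stand-alone routine. This is an added example, not BIND's own code or the attached patch: the function names nta_save()/nta_load(), the one-line-per-entry file format and the "<dir>/<view>.nta" layout are assumptions made for the illustration. The save path counts live (unexpired) entries first and only touches the filesystem when there is something to persist, writes through a temporary file renamed into place, and reports a failure with errno set so the caller can log it.

```c
/* Added illustration (not BIND code): persist a view's negative trust
 * anchors only when there is something to save, into a directory chosen
 * by the caller.  File format and names are assumptions for this example. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

struct nta {
    char   name[256];   /* zone name the DNSSEC exception covers */
    time_t expiry;      /* absolute expiry time of the exception */
};

/* Build "<dir>/<view>.nta<suffix>", failing with ENAMETOOLONG on overflow. */
static int nta_path(char *buf, size_t len, const char *dir,
                    const char *view, const char *suffix)
{
    int r = snprintf(buf, len, "%s/%s.nta%s", dir, view, suffix);
    if (r < 0 || (size_t)r >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Save unexpired entries.  Returns 0 on success, -1 with errno on failure.
 * The file is never opened when nothing is live, so a read-only directory
 * causes no error at shutdown unless NTAs are actually in use. */
int nta_save(const char *dir, const char *view, const struct nta *entries,
             size_t n, time_t now)
{
    char path[4096], tmp[4096];
    size_t live = 0;

    if (nta_path(path, sizeof path, dir, view, "") != 0 ||
        nta_path(tmp, sizeof tmp, dir, view, ".tmp") != 0)
        return -1;

    for (size_t i = 0; i < n; i++)
        if (entries[i].expiry > now)
            live++;

    if (live == 0) {
        /* Nothing to persist: remove a stale file if present, create nothing. */
        if (unlink(path) != 0 && errno != ENOENT)
            return -1;
        return 0;
    }

    FILE *fp = fopen(tmp, "w");   /* EACCES on a read-only dir, ENOENT if missing */
    if (fp == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (entries[i].expiry <= now)
            continue;
        if (fprintf(fp, "%s %lld\n", entries[i].name,
                    (long long)entries[i].expiry) < 0) {
            int e = errno; fclose(fp); unlink(tmp); errno = e; return -1;
        }
    }
    if (fclose(fp) != 0) { int e = errno; unlink(tmp); errno = e; return -1; }
    if (rename(tmp, path) != 0) { int e = errno; unlink(tmp); errno = e; return -1; }
    return 0;
}

/* Load entries back, dropping ones already expired.  A missing file means
 * "no stored exceptions" and is not an error.  Returns the count or -1. */
int nta_load(const char *dir, const char *view, struct nta *out,
             size_t max, time_t now)
{
    char path[4096];
    if (nta_path(path, sizeof path, dir, view, "") != 0)
        return -1;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return errno == ENOENT ? 0 : -1;

    size_t n = 0;
    char name[256];
    long long exp;
    while (n < max && fscanf(fp, "%255s %lld", name, &exp) == 2) {
        if ((time_t)exp <= now)
            continue;
        snprintf(out[n].name, sizeof out[n].name, "%s", name);
        out[n].expiry = (time_t)exp;
        n++;
    }
    fclose(fp);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: one live and one expired exception, saved into a
     * scratch directory standing in for a writable NTA subdirectory. */
    char tmpl[] = "/tmp/nta-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) { perror("mkdtemp"); return 1; }

    struct nta in[2], out[4];
    strcpy(in[0].name, "example.com."); in[0].expiry = 2000;
    strcpy(in[1].name, "old.example."); in[1].expiry = 500;

    if (nta_save(dir, "_default", in, 2, 1000) != 0) { perror("nta_save"); return 1; }
    printf("loaded %d live NTA(s) from %s\n", nta_load(dir, "_default", out, 4, 1000), dir);
    return 0;
}
```

The ordering is the point: counting live entries before any open() means an empty or fully expired table produces no filesystem activity at all, which is exactly the case that currently logs an error on every shutdown of a default Fedora installation. When entries are live and the directory is not writable, the caller still gets -1 with errno set and can log it, as the message notes; what this example does not solve is the larger issue that a save-only-at-shutdown design leaves no opportunity to retry.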