Error using dnssec-signzone in chroot’d bind 9.8 when a zone file includes other files

Tags: bind, chroot, dnssec, domain-name-system

Using bind 9.8.2 on RHEL 6.5, running chroot'd.

I have a zone file that includes other files (it's a zone with a large number of servers in different datacenters, and there's one included file per datacenter).

The zone files and the included files are in

/var/named/chroot/var/named/zones/master/example.com
/var/named/chroot/var/named/zones/master/lax01

The include files are referenced in the zone file relative to the chroot'd directory:

$INCLUDE zones/master/lax01

When trying to use dnssec-signzone to sign the zone, there's an error since it cannot seem to load the included file.

# cd /var/named/chroot/var/named/zones/master
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) \
   -N INCREMENT -o example.com -t example.com
dnssec-signzone: error: dns_master_load: example.com:287: zones/master/lax01: file not found
dnssec-signzone: fatal: failed loading zone from 'example.com': file not found

Is there some better way to reference the path for the INCLUDE directive? I don't see a way to instruct dnssec-signzone to take the chroot directive into account. Do I need to do this from a different directory and reference the paths differently?

Best Answer

I don't think your chroot has anything to do with this. Even without a chroot, I would still expect that command to fail. dnssec-signzone is not reading from named.conf and has no awareness of the working directory specified via the directory option.

Given that this is the case, all included files will need to be relative to your current working directory. The command should work as expected if you execute it like this instead:

# cd /var/named/chroot/var/named
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) \
   -N INCREMENT -o example.com -t zones/master/example.com

Note that the directory we changed to is effectively the working directory of your BIND server at runtime.
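A pre-flight check for the point made in this answer, added here as an example and not part of the original question or answer: since dnssec-signzone resolves a relative $INCLUDE path against the directory it is run from, the script below walks every $INCLUDE in a zone file and reports the ones that do not resolve from a given working directory, so the mismatch is caught before signing rather than as a `file not found` mid-load. The function names (`check_includes`, `make_sample_layout`), the temporary directory layout and the record contents are all constructed for this example; the layout mirrors the paths in the question but lives under a mktemp directory, not the real chroot.

```shell
#!/bin/sh
# Pre-flight check for $INCLUDE paths in a BIND zone file (added example).
#
# dnssec-signzone resolves a relative $INCLUDE path against its current
# working directory, not against the "directory" option in named.conf, so
# run this check from the directory you intend to sign from.
#
# Usage: check_includes <zonefile> <workdir>
# Prints each include that does not resolve and returns 1 if any were found,
# 0 if every include resolves. Paths containing whitespace are not supported.
check_includes() {
    zonefile=$1
    workdir=$2
    missing=0
    # $INCLUDE filename [origin] [comment]: take the first token after the
    # directive; an optional origin is ignored here.
    for inc in $(awk '$1 == "$INCLUDE" { print $2 }' "$zonefile"); do
        case $inc in
            /*) target=$inc ;;            # absolute path: check as-is
            *)  target=$workdir/$inc ;;   # relative path: join to workdir
        esac
        if [ ! -f "$target" ]; then
            echo "unresolved: $inc (looked for $target)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Build a constructed sample layout that mirrors the question's paths under a
# temporary directory (zones/master/example.com includes zones/master/lax01).
# Prints the root of the layout.
make_sample_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/var/named/zones/master"
    printf '%s\n' \
        '$TTL 3600' \
        '@ IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600' \
        '  IN NS ns1.example.com.' \
        '$INCLUDE zones/master/lax01' \
        > "$root/var/named/zones/master/example.com"
    # Constructed per-datacenter include with a documentation-range address.
    printf '%s\n' 'www.lax01 IN A 192.0.2.10' > "$root/var/named/zones/master/lax01"
    echo "$root"
}

# Demonstration: the same zone file fails the check from zones/master (as in
# the question) and passes it from var/named (as in the answer).
ROOT=$(make_sample_layout)
check_includes "$ROOT/var/named/zones/master/example.com" "$ROOT/var/named/zones/master" \
    || echo "from zones/master: includes do not resolve, signing would fail"
check_includes "$ROOT/var/named/zones/master/example.com" "$ROOT/var/named" \
    && echo "from var/named: all includes resolve"
```

Running the check from the same directory named uses at runtime (the chroot's var/named) is what makes the relative include paths line up; the check only mirrors the resolution rule, it does not change how dnssec-signzone behaves.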