EDIT: oops, AppArmor, not SELinux...
Look at /etc/apparmor.d/usr.sbin.named
There's a section that looks like this:
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,
I suggest adding this afterwards (or possibly replacing it with this):
/var/lib/named/etc/bind/** r,
/var/lib/named/var/lib/bind/** rw,
/var/lib/named/var/lib/bind/ rw,
/var/lib/named/var/cache/bind/** rw,
/var/lib/named/var/cache/bind/ rw,
QUERY What could be going wrong here?
A couple of things are conspiring against you. :-(
The file /etc/resolv.conf could be a problem; its domain line gets set to an inappropriate value when I reboot.
How is your /etc/resolv.conf being created/populated?
My guess is that your IP address is being assigned by a DHCP server. As part of the IP address assignment, your DHCP client is rewriting /etc/resolv.conf with the domain and nameserver assigned by the DHCP server. Hence, the "inappropriate" value after you reboot.
NSLOOKUP OUTPUT nslookup gives the SERVER address of the default name server, but says "can't find workshop: NX domain."
This is because your default DNS server is not your local DNS server -- it is one of the DNS servers assigned to you by the DHCP server. This "other" DNS server does not know about your domain.
But nslookup still doesn't work after I edit the line to "domain example.net" and restart bind9.
That's because you need to add your local DNS server to the list of nameservers in /etc/resolv.conf. Immediately before any other nameserver entry, add ...
nameserver 127.0.0.1
Now, when you use nslookup, your local DNS server should be your default DNS server. nslookup should now be able to resolve "workshop".
UPDATE Here is the output of dig: Command: dig A @workshop workshop.example.net
This confirms that you have your domain correctly configured on your local bind DNS server.
As you've already experienced, your changes to /etc/resolv.conf will be overwritten the next time you reboot. You have two options:
Reconfigure your machine to use a static IP. /etc/resolv.conf won't be overwritten anymore, so your changes will persist after a reboot.
Reconfigure your DHCP client so that it does not overwrite /etc/resolv.conf. This thread should point you in the right direction.
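As an added example (not from this thread or its authors), here is a small POSIX shell check for the two conditions the answer above relies on: 127.0.0.1 must be the first nameserver in /etc/resolv.conf, and the domain/search line must name the local zone. The sample files, the domain example.net and the upstream resolver 192.0.2.53 are constructed for the demo; point it at the real /etc/resolv.conf after a reboot to see whether the DHCP client has overwritten your changes.

```shell
#!/bin/sh
# check_resolv_conf FILE EXPECTED_DOMAIN
# Returns 0 when 127.0.0.1 is the first nameserver AND a domain/search line
# lists EXPECTED_DOMAIN; prints what is wrong and returns 1 otherwise.
check_resolv_conf() {
    file=$1
    want_domain=$2
    status=0

    # First nameserver entry, comments stripped. A DHCP client normally puts
    # the upstream resolver here, which is why "workshop" fails to resolve.
    first_ns=$(sed -e 's/#.*//' "$file" | awk '$1 == "nameserver" { print $2; exit }')
    if [ "$first_ns" != "127.0.0.1" ]; then
        echo "first nameserver is '${first_ns:-<none>}', expected 127.0.0.1 (local bind9)"
        status=1
    fi

    # A domain or search line must mention the expected local zone.
    if ! sed -e 's/#.*//' "$file" | awk -v d="$want_domain" '
        ($1 == "domain" || $1 == "search") { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { if (found) exit 0; exit 1 }'; then
        echo "no 'domain' or 'search' line listing $want_domain"
        status=1
    fi
    return $status
}

# Constructed sample files for a stand-alone run (not real system files).
tmp=$(mktemp -d)
# 1) What a DHCP client typically writes: upstream resolver first, ISP domain.
printf 'domain isp.example\nnameserver 192.0.2.53\n' > "$tmp/dhcp.conf"
# 2) The corrected file from the answer: local bind9 first, then the rest.
printf 'domain example.net\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/fixed.conf"

check_resolv_conf "$tmp/dhcp.conf" example.net && echo "dhcp.conf OK" || echo "dhcp.conf needs fixing"
check_resolv_conf "$tmp/fixed.conf" example.net && echo "fixed.conf OK" || echo "fixed.conf needs fixing"
```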
Best Answer
No, there is no tool/option that really does what you want.
named-checkconf -p prints the full user configuration but does not show the full effective configuration (including defaults). You can find the default configuration for options in bin/named/config.c in the BIND codebase, BUT some configuration parameters are interdependent, where overriding one affects others as well (see e.g. allow-query and allow-recursion), so the effective configuration is not as simple as just overlaying the user configuration on top of the default config without additional logic.
I agree that it would sometimes be useful to have a tool that would print the full effective configuration as named would use it, but there just isn't any option for that currently.
The best readily available suggestion I can offer is searching for "default" in your browser before you start reading through the options in the manual to get every instance of this word highlighted, making it easier to spot the default values as you go along.