Roman Serbski
2024-Jan-12 13:46 UTC
[nsd-users] error: cannot write zone : Permission denied
Hello,

NSD 4.8.0 running on FreeBSD 13.2-RELEASE-p9 and serving both plain and DNSSEC signed zones.

I noticed Permission denied errors in the logs for all domains listed in nsd.conf:

[2024-01-12 12:20:05.710] nsd[8655]: info: writing zone domain-plain.org to file domain-plain.org
[2024-01-12 12:20:05.710] nsd[8655]: error: cannot write zone domain-plain.org file domain-plain.org~: Permission denied
[2024-01-12 12:20:05.710] nsd[8655]: info: writing zone domain-signed.org to file domain-signed.org
[2024-01-12 12:20:05.710] nsd[8655]: error: cannot write zone domain-signed.org file domain-signed.org~: Permission denied

# cat /usr/local/etc/nsd/nsd.conf
server:
    ip-address: 192.168.2.1
    do-ip4: yes
    do-ip6: no
    verbosity: 2
    chroot: "/usr/local/etc/nsd"
    zonesdir: "/usr/local/etc/nsd"
    zonelistfile: "zone.list"
    database: "var/db/nsd/nsd.db"
    logfile: "/var/log/nsd.log"
    pidfile: "var/run/nsd.pid"
    xfrdfile: "var/db/nsd/xfrd.state"
    xfrdir: "var/db/nsd/"
    hide-version: yes

key:
    name: "tsig.upu.sha256.plain"
    algorithm: hmac-sha256
    secret: "xxx"

key:
    name: "tsig.upu.sha256.signed"
    algorithm: hmac-sha256
    secret: "xxx"

pattern:
    name: "from-master"
    zonefile: "%s"
    request-xfr: AXFR 192.168.7.4 tsig.upu.sha256.plain
    allow-notify: 192.168.7.4 tsig.upu.sha256.plain

pattern:
    name: "from-signer"
    zonefile: "%s"
    request-xfr: AXFR 192.168.7.4 tsig.upu.sha256.signed
    allow-notify: 192.168.7.4 tsig.upu.sha256.signed

zone:
    name: "domain-plain.org"
    include-pattern: "from-master"

zone:
    name: "domain-signed.org"
    include-pattern: "from-signer"

Permissions seem to be fine:

# ls -al /usr/local/etc/nsd/
total 60
drwxr-xr-x   3 nsd   nsd      512 Jan 12 11:01 .
drwxr-xr-x  10 root  wheel    512 Dec 15 10:56 ..
-rw-r--r--   1 nsd   nsd     8226 Jan 12 14:21 nsd.conf
-rw-r--r--   1 nsd   nsd    18204 Dec 27 14:54 nsd.conf.sample
-rw-------   1 nsd   nsd     2459 Jul 11  2023 nsd_control.key
-rw-r-----   1 nsd   nsd     1395 Jul 11  2023 nsd_control.pem
-rw-------   1 nsd   nsd     2455 Jul 11  2023 nsd_server.key
-rw-r-----   1 nsd   nsd     1529 Jul 11  2023 nsd_server.pem
drwxr-xr-x   5 nsd   nsd      512 Jul 11  2023 var

# ls -al /usr/local/etc/nsd/var/db/nsd/
total 2740
drwxr-xr-x  3 nsd  nsd      512 Jan 12 14:28 .
drwxr-xr-x  3 nsd  nsd      512 Jul 11  2023 ..
drwx------  2 nsd  nsd      512 Jan 12 14:29 nsd-xfr-9851
-rw-------  1 nsd  nsd  2693632 Dec 29 14:14 nsd.db
-rw-r--r--  1 nsd  nsd    40754 Jan 12 14:28 xfrd.state

I don't know whether this is relevant, but nsd.db stopped updating after I updated the version of NSD to 4.8.0.

Just to mention that the server is serving zones without any issues, so I'm not quite sure where these domain.org~ files fail to be written (there is a tilde at the end). Is this because I'm getting zones via AXFR?

Thank you.
Anand Buddhdev
2024-Jan-12 14:33 UTC
[nsd-users] error: cannot write zone : Permission denied
On 12/01/2024 14:46, Roman Serbski via nsd-users wrote:

Hi Roman,

You have a config problem. See below.

> server:
>     ip-address: 192.168.2.1
>     do-ip4: yes
>     do-ip6: no
>     verbosity: 2
>     chroot: "/usr/local/etc/nsd"
>     zonesdir: "/usr/local/etc/nsd"

This "zonesdir" is where NSD wants to write plain text zone files, but it is not writable by the "nsd" user. You should change this to /usr/local/etc/nsd/var, which appears to be writable by "nsd".

>     zonelistfile: "zone.list"
>     database: "var/db/nsd/nsd.db"

The "database" option is silently ignored. NSD 4.8.0 has dropped the database features altogether, and it only saves zone data to plain text files.

Regards,
Anand
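
An added example, not part of the original thread and not NSD's own code: it derives, for each zone in an nsd.conf like the one quoted above, the temporary "<zonefile>~" path seen in the log lines, and checks by mode bits whether a given user could create it. It assumes relative zonefile names resolve against zonesdir; parse, zone_write_targets and writable_by are hypothetical helper names.

```python
import os, re, stat

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE_CONF = '''
server:
    chroot: "/usr/local/etc/nsd"
    zonesdir: "/usr/local/etc/nsd"
pattern:
    name: "from-master"
    zonefile: "%s"
zone:
    name: "domain-plain.org"
    include-pattern: "from-master"
'''
SECTIONS = ("server", "key", "pattern", "zone", "remote-control")

def parse(conf):
    """Split simple nsd.conf text into a list of (section, {option: value})."""
    blocks = []
    for line in conf.splitlines():
        m = re.match(r'([\w-]+):\s*"?([^"]*)"?$', line.split("#", 1)[0].strip())
        if m and m.group(1) in SECTIONS and not m.group(2):
            blocks.append((m.group(1), {}))
        elif m and blocks:
            blocks[-1][1][m.group(1)] = m.group(2)
    return blocks

def zone_write_targets(conf):
    """Map each zone name to the temporary file NSD writes ("<zonefile>~")."""
    blocks = parse(conf)
    server = next((o for s, o in blocks if s == "server"), {})
    patterns = {o.get("name"): o for s, o in blocks if s == "pattern"}
    targets = {}
    for _, o in (b for b in blocks if b[0] == "zone"):
        inherited = patterns.get(o.get("include-pattern"), {})
        zonefile = o.get("zonefile") or inherited.get("zonefile")
        if zonefile:  # assumption: relative names are relative to zonesdir
            path = os.path.join(server.get("zonesdir", ""), zonefile.replace("%s", o["name"]))
            targets[o["name"]] = path + "~"
    return targets

def writable_by(st, uid, gids):
    """Mode-bit check only (no ACLs, read-only mounts): can uid create files here?"""
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return uid == 0 or (st.st_mode & need) == need
```

On the server, pass writable_by the result of os.stat() on the directory of each target path together with the uid and group ids of the account NSD runs as.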