Ubuntu: cannot write zone example.com file example.com.zone.signed~: Permission denied

[nicheosala]

I use NSD as a secondary name server on Ubuntu. When NSD is asked to write a zone into the zonefile, for example using sudo nsd-control write example.com, journalctl shows the error in the title of this issue:

cannot write zone example.com file example.com.zone.signed~: Permission denied

This is the content of /etc/systemd/system/nsd.service, that is the default Ubuntu systemd file:

[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target

[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d -P ""
ExecReload=+/bin/kill -HUP $MAINPID
# CAP_NET_ADMIN and CAP_NET_RAW required for IP_TRANSPARENT
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
KillMode=mixed
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

[Install]
WantedBy=multi-user.target

This is the content of my /etc/nsd/nsd.conf:

remote-control:
    control-enable: yes

server:
    ip-address: 0.0.0.0
    ip-address: ::0
    
    verbosity: 1
    log-only-syslog: yes
    
    hide-version: yes
    hide-identity: yes
    minimal-responses: yes
    refuse-any: yes

key:
    name: "mykey"
    algorithm: hmac-sha256
    secret: XXX

zone:
    name: "example.com"
    allow-notify: X.X.X.X mykey
    request-xfr: X.X.X.X mykey

I replaced my real zone name with example.com everywhere.

[wcawijngaards]

The config snippet seems to be missing the 'zonefile' setting. That seems to be important. From the error it would seem that the directory of the zonefile setting is not writable by the server. The ReadWritePaths setting from systemd maybe does not include that directory. Perhaps the directory can be added to the list to writable paths.

[nicheosala]

The zonefile should be located in /etc/nsd. So, I tried adding: zonefile: /etc/nsd/example.com.zone.signed in the zone section, but the error persists.

[wcawijngaards]

Perhaps the server runs under another username, like nsd, sometimes compiled by default. And that username does not have read and write permissions on the /etc/nsd directory? Depends on the owner and permissions of the directory. To make the new temporary file, the file with ~ at the end, it needs write permission on the directory itself, not just read and write permission on the old zonefile.