Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.
1 Like
This documentation should be updated to reflect some new best practices.
-
/var/lib/bind: DNSSEC zones, and DDNS ones. In other words, primary zones that can receive updates from bind9 tooling itself -
/var/cache/bind: secondaries. It is assumed that they can be purged and a new zone transfer will repopulate them. That being said, they would also be fine in/var/lib/bindin my opinion. - “system” default zones can stay in
/etc/bind, like localhost, 127.0.0.1, and alike.
Placing zones in /etc/bind only works if they are really static in terms of not receiving updates from bind or associated tooling. DNSSEC zones will receive automated periodic changes, as will DDNS zones. The /etc/bind directory does not allow the bind user to write to it due to a) filesystem permissions; b) apparmor profile (which is enforced by default). If someone has a zone in /etc/bind and then decides to enable DNSSEC for it, the file will have to be moved to a writable directory; hence, /var/lib/bind.
And, we need a chapter on DNSSEC, it’s way overdue 
It appears that systemd has changed the command name and systemd-resolve no longer exists. Instead, this command is now “resolvectl status”
Thanks. I just updated it to suggest resolvectl status.