From c50b1f547d98aeed2b0e7caab9c8a7c53c9085f3 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 6 Jan 2016 16:24:58 +0100
Subject: [PATCH] Add notes about ProtectSystem

Closes #3111
---
 contrib/systemd-pdns.service | 2 ++
 docs/markdown/authoritative/modes-of-operation.md | 1 +
 2 files changed, 3 insertions(+)

diff --git a/contrib/systemd-pdns.service b/contrib/systemd-pdns.service
index d1cbb022b..0daa776fd 100644
--- a/contrib/systemd-pdns.service
+++ b/contrib/systemd-pdns.service
@@ -13,6 +13,8 @@ PrivateTmp=true
 PrivateDevices=true
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
 NoNewPrivileges=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
 ProtectSystem=full
 ProtectHome=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/docs/markdown/authoritative/modes-of-operation.md b/docs/markdown/authoritative/modes-of-operation.md
index 976d1e2a7..9ba708b35 100644
--- a/docs/markdown/authoritative/modes-of-operation.md
+++ b/docs/markdown/authoritative/modes-of-operation.md
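Review bot: The two comment lines added above `ProtectSystem=full` tell the operator what breaks (writes to `/etc` and `/usr` for sqlite3 databases or slaved zonefiles) but not how to fix it, which invites the worst outcome of simply deleting the directive and losing the read-only system tree altogether. The narrower fix is to keep `ProtectSystem=full` and carve out only the directory that holds the zone data with `ReadWriteDirectories=` (renamed `ReadWritePaths=` in later systemd releases), so I would extend the comment with `# Do not remove this; instead whitelist the zone/database directory with` / `# ReadWriteDirectories=/path/to/zone-data (ReadWritePaths= on newer systemd).` Since `ProtectHome=true` sits two lines below, the comment could also note that, per systemd.exec(5), `/home`, `/root` and `/run/user` are not usable storage locations either, which is what the docs change in this patch alludes to. The `[Service]` section header and the rest of the unit are outside the hunk.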
@@ -34,6 +34,7 @@ This is truly an override and sends a notification to an arbitrary IP address. C On launch, PDNS requests from all backends a list of domains which have not been checked recently for changes. This should happen every '**refresh**' seconds, as specified in the SOA record. All domains that are unfresh are then checked for changes over at their master. If the [SOA](../types.md#soa) serial number there is higher, the domain is retrieved and inserted into the database. In any case, after the check the domain is declared 'fresh', and will only be checked again after '**refresh**' seconds have passed. **Warning**: Slave support is OFF by default, turn it on by adding [`slave`](settings.md#slave) to the configuration. +**Note**: When running PowerDNS via the provided systemd service file, [`ProtectSystem`](http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=) is set to `full`, this means PowerDNS is unable to write to e.g. `/etc` and `/home`, possibly being unable to write AXFR's zones. PDNS also reacts to notifies by immediately checking if the zone has updated and if so, retransfering it. -- 2.40.0