In message <51ef00af.4090...@networktest.com>, David Newman writes:
> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
> 
> What are the correct directory and file permissions for DNSSEC static
> zone signing with bind?
> 
> By default, everything in /var/named/etc/namedb is owned by bind except
> for the master directory. For example:
> 
> drwxr-xr-x bind wheel dynamic
> drwxr-xr-x bind bind managed-keys
> drwxr-xr-x root wheel master
> -rw-r--r-- bind wheel named.conf
> -rw-r--r-- bind wheel named.root
> -r--r--r-- bind wheel rndc.conf
> drwxr-xr-x bind wheel slave
> drwxr-xr-x bind wheel working
> 
> Without DNSSEC, this is fine. With DNSSEC enabled, there are permissions
> errors in /var/log/messages after restarting named, because bind can't
> create the jnl/jbk/signed files. For example:
> 
> Jul 23 14:57:16 hostname named[42000]: master/example.org.db.jbk:
> create: permission denied
> 
> Here are the DNSSEC-specific bits from named.conf:
> options {
>       ..
>         managed-keys-directory "/etc/namedb/managed-keys";
>         dnssec-enable yes;
>         dnssec-lookaside auto;
>         dnssec-validation auto;
>       ..
> }
> 
> zone "example.org" {
>         type master;
>         file "master/example.org.db";
>         allow-query { any; };
>         allow-transfer { xfer; };
>         key-directory "/etc/namedb/managed-keys";
>         inline-signing yes;
>         auto-dnssec maintain;
> };
> 
> There is a valid KSK and ZSK for this zone in managed-keys.
> 
> Changing ownership of the master directory results in a complaint when
> restarting named that master wants to be owned by root.

Rename the file to "dynamic/example.org.db" and update named.conf.
The directory "dynamic" has permissions set up for dynamic master files,
which is what this zone is.

> Thanks in advance for clues on sorting out this permissions problem.
> 
> dn
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
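As an added example (not part of this thread, and not ISC's or FreeBSD's code), the following POSIX shell script encodes the check behind the reply above: with "inline-signing yes" named has to create the zone's .jbk, .jnl and .signed side files in the same directory as the zone file, so that directory must be writable by the user named runs as. The script extracts the `file` directive from a zone stanza, resolves it against the server's directory, and reports whether the owner and mode of that directory allow the creation. The `bind` user name and the /var/named/etc/namedb layout are taken from the thread; the corrected stanza is my reading of the reply (only the `file` line changes), and the demo at the bottom rebuilds the relevant directories in a temporary tree with the current user standing in for bind.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the directory holding an
# inline-signed master zone is writable by the user named runs as. With
# "inline-signing yes" named must create <zonefile>.jbk, .jnl and .signed
# next to the zone file, which is why a zone file under the root-owned
# master/ directory fails while one under the bind-owned dynamic/ works.
# The "bind" user name and /var/named/etc/namedb layout follow FreeBSD.

# Stanza from the original question (zone file under master/, root-owned).
BROKEN_ZONE_CONF='zone "example.org" {
        type master;
        file "master/example.org.db";
        allow-query { any; };
        allow-transfer { xfer; };
        key-directory "/etc/namedb/managed-keys";
        inline-signing yes;
        auto-dnssec maintain;
};'

# Stanza after applying the reply: zone file moved to dynamic/ (assumed to be
# the intended edit; only the "file" line changes).
FIXED_ZONE_CONF='zone "example.org" {
        type master;
        file "dynamic/example.org.db";
        allow-query { any; };
        allow-transfer { xfer; };
        key-directory "/etc/namedb/managed-keys";
        inline-signing yes;
        auto-dnssec maintain;
};'

# zone_file_from_conf CONF_TEXT: print the value of the first `file "...";`
zone_file_from_conf() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# zone_dir NAMED_DIRECTORY ZONE_FILE: directory the .jbk/.jnl/.signed files
# will be created in (relative zone files resolve against options.directory).
zone_dir() {
    case "$2" in
        /*) dirname "$2" ;;
        *)  dirname "$1/$2" ;;
    esac
}

# dir_writable_by DIR USER: succeed if DIR is owned by USER with the owner
# write bit set, the state of the FreeBSD dynamic/ directory (drwxr-xr-x bind).
# Only owner and mode bits are examined, not group membership or ACLs.
dir_writable_by() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -perm -200 2>/dev/null)" ]
}

# check_zone_conf CONF_TEXT NAMED_DIRECTORY USER: 0 if named (as USER) can
# create its signing side files for the zone, 1 if not, 2 if no file directive.
check_zone_conf() {
    zf=$(zone_file_from_conf "$1")
    [ -n "$zf" ] || { echo "no file directive in zone stanza" >&2; return 2; }
    d=$(zone_dir "$2" "$zf")
    if dir_writable_by "$d" "$3"; then
        echo "ok: $3 can create ${zf##*/}.jbk/.jnl/.signed in $d"
    else
        echo "problem: $d is not writable by $3; move the zone file to a" \
             "directory owned by $3 (FreeBSD: dynamic/) and update named.conf" >&2
        return 1
    fi
}

# Offline demo: rebuild the relevant part of the layout in a temporary tree,
# with the current user standing in for bind (constructed, no named involved).
demo() {
    me=$(id -un)
    root=$(mktemp -d)
    mkdir "$root/master" "$root/dynamic"
    chmod 555 "$root/master"    # root-owned in reality; emulate "not writable"
    chmod 755 "$root/dynamic"   # drwxr-xr-x, owned by the named user
    check_zone_conf "$BROKEN_ZONE_CONF" "$root" "$me" || :
    check_zone_conf "$FIXED_ZONE_CONF"  "$root" "$me" || :
    rm -rf "$root"
}

demo
```

On a live FreeBSD host you would source the script and call `check_zone_conf` with a single zone stanza, the on-disk server directory (`/var/named/etc/namedb`, i.e. the chroot prefix plus the `directory` option) and the user `bind`; `zone_file_from_conf` takes the first `file` directive it sees, so hand it one stanza rather than the whole named.conf. The check looks only at the owner write bit, which is what distinguishes the bind-owned `dynamic` directory from the root-owned `master` directory in the listing above.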
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
