On 7/23/13 3:44 PM, Mark Andrews wrote:
> In message <51ef00af.4090...@networktest.com>, David Newman writes:
>> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
>>
>> What are the correct directory and file permissions for DNSSEC static
>> zone signing with bind?
>>
>> By default, everything in /var/named/etc/namedb is owned by bind except
>> for the master directory. For example:
>>
>> drwxr-xr-x bind wheel dynamic
>> drwxr-xr-x bind bind managed-keys
>> drwxr-xr-x root wheel master
>> -rw-r--r-- bind wheel named.conf
>> -rw-r--r-- bind wheel named.root
>> -r--r--r-- bind wheel rndc.conf
>> drwxr-xr-x bind wheel slave
>> drwxr-xr-x bind wheel working
>>
>> Without DNSSEC, this is fine. With DNSSEC enabled, there are permissions
>> errors in /var/log/messages after restarting named, because bind can't
>> create the jnl/jbk/signed files. For example:
>>
>> Jul 23 14:57:16 hostname named[42000]: master/example.org.db.jbk:
>> create: permission denied
>>
>> Here are the DNSSEC-specific bits from named.conf:
>> options {
>> ..
>> managed-keys-directory "/etc/namedb/managed-keys";
>> dnssec-enable yes;
>> dnssec-lookaside auto;
>> dnssec-validation auto;
>> ..
>> }
>>
>> zone "example.org" {
>> type master;
>> file "master/example.org.db";
>> allow-query { any; };
>> allow-transfer { xfer; };
>> key-directory "/etc/namedb/managed-keys";
>> inline-signing yes;
>> auto-dnssec maintain;
>> };
>>
>> There is a valid KSK and ZSK for this zone in managed-keys.
>>
>> Changing ownership of the master directory results in a complaint when
>> restarting named that master wants to be owned by root.
>
> Rename the file to "dynamic/example.org.db" and update named.conf.
> The directory "dynamic" has permissions set up for dynamic master files
> which this zone is.
Thanks, Mark!

This is a *static* zone file but signing works as expected if:

1. the zone file is set up in a directory which bind can write to (e.g.,
/var/named/etc/namedb/dynamic, even for static zones); and

2. the zone file's serial number increments. (named did not create a
filename.jnl file until I incremented the zone file's serial number.)

Thanks very much for sorting out this permissions problem.

dn

>
>> Thanks in advance for clues on sorting out this permissions problem.
>>
>> dn
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
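The practical takeaway from this thread is a pre-flight check: before turning on inline-signing, confirm that the directory holding each inline-signed zone file is writable by the user named runs as (named has to create the .jnl/.jbk/.signed files beside the zone file), and make sure the zone serial actually moves. The Python below is an added example, not code from either poster or from ISC. The zone statement it parses is the one quoted in the thread; the numeric uid/gid values for bind, root and wheel are constructed stand-ins, and the brace-counting parser assumes plain zone statements without views.

```python
"""Pre-flight check for BIND inline-signing zone directories.

Added example for this thread, not code from either post or from ISC.
named must create <zonefile>.jnl/.jbk/.signed next to the zone file, so
the directory holding every inline-signed zone file must be writable by
the uid/gid named runs as. Assumptions: zone statements are plain (no
views), and the bind/root/wheel ids below are constructed stand-ins.
"""
import os
import re
import stat
from typing import Dict, Iterator, List, Tuple

# Constructed stand-ins for the numeric ids of bind, root and wheel
BIND_UID, BIND_GID, ROOT_UID, WHEEL_GID = 53, 53, 0, 0

# Sample input: the zone statement quoted in the thread, plus one
# unsigned zone that the check must ignore
SAMPLE_CONF = '''
zone "example.org" {
    type master;
    file "master/example.org.db";
    allow-query { any; };
    allow-transfer { xfer; };
    key-directory "/etc/namedb/managed-keys";
    inline-signing yes;
    auto-dnssec maintain;
};
zone "example.com" {
    type master;
    file "master/example.com.db";
};
'''


def zone_blocks(conf: str) -> Iterator[Tuple[str, str]]:
    """Yield (zone name, block body). Braces are counted so that nested
    statements such as allow-query { any; }; do not end the block early."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def inline_signed_zones(conf: str) -> Dict[str, str]:
    """Map zone name -> zone file path for zones with inline-signing yes."""
    zones = {}
    for name, body in zone_blocks(conf):
        file_m = re.search(r'\bfile\s+"([^"]+)"', body)
        if file_m and re.search(r'\binline-signing\s+yes\b', body):
            zones[name] = file_m.group(1)
    return zones


def writable_by(mode: int, dir_uid: int, dir_gid: int,
                uid: int, gids: List[int]) -> bool:
    """Classic Unix mode-bit rule: can uid (member of gids) create entries
    in a directory with this mode and ownership? Needs write + search."""
    if uid == 0:
        return True
    if dir_uid == uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return mode & bits == bits


def check_zone_dirs(conf: str, named_dir: str,
                    uid: int, gids: List[int]) -> Dict[str, Tuple[str, bool]]:
    """For each inline-signed zone, stat the directory holding its file
    (relative paths resolve against named's "directory" option)."""
    out = {}
    for name, zfile in inline_signed_zones(conf).items():
        zdir = os.path.dirname(os.path.join(named_dir, zfile))
        try:
            st = os.stat(zdir)
            ok = stat.S_ISDIR(st.st_mode) and writable_by(
                st.st_mode, st.st_uid, st.st_gid, uid, gids)
        except FileNotFoundError:
            ok = False
        out[name] = (zdir, ok)
    return out


def thread_layout() -> Dict[str, bool]:
    """The ls output from the thread, evaluated for named running as bind:
    master (root:wheel 0755) cannot be written, dynamic (bind:wheel) can."""
    return {
        "master": writable_by(0o755, ROOT_UID, WHEEL_GID, BIND_UID, [BIND_GID]),
        "dynamic": writable_by(0o755, BIND_UID, WHEEL_GID, BIND_UID, [BIND_GID]),
    }


def serial_increased(old: int, new: int) -> bool:
    """RFC 1982 serial arithmetic: True when `new` is later than `old`
    (the thread's second finding: the .jnl appeared only after a bump)."""
    return 0 < (new - old) % (1 << 32) < (1 << 31)


if __name__ == "__main__":
    print(inline_signed_zones(SAMPLE_CONF))
    print(thread_layout())
    print(serial_increased(2013072301, 2013072302))
```

On a real system, point check_zone_dirs at named's directory option with the uid and gids from the bind passwd and group entries; a False for a zone means the create of the .jbk file will fail exactly as in the log line quoted above, and the fix is the one Mark gave (move the file into a directory named owns). writable_by implements only the classic mode bits, so filesystem ACLs or other FreeBSD MAC rules are outside its scope.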