managed-keys.bind's directory problem
fujiwara at wide.ad.jp
fujiwara at wide.ad.jp
Thu Dec 10 07:22:42 UTC 2009
I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;).
The named tried to write "managed-keys.bind" file into the named's
working directory.
The current BIND 9 requires the working directory is writable by named
(From ARM). But I think the working directory should not be writable
by named and some OSs' default configuration set the working directory
not writable.
It is usable to avoid named's unknown BUG which may break the working
directory.
For example, FreeBSD changes the working directory's
owner/group/permission configured by /etc/mtree/BIND.chroot.dist and
it sets the working directory not writable by named.
I changed /etc/mtree/BIND.chroot.dist in my FreeBSD box, but I don't
like this solution.
I'm very happy if I can change the managed-keys.bind path.
------------------------------------------------------------------------------
>From BIND 9.7.0b3 ARM:
In the current implementation, the managed keys database is stored
as a master-format zone file called managed-keys.bind. When the key
database is changed, the zone is updated. As with any other dynamic
zone, changes will be written into a journal file,
managed-keys.bind.jnl. They are committed to the master file as soon
as possible afterward; in the case of the managed key database, this
will usually occur within 30 seconds. So, whenever named is using
automatic key maintenace, those two files can be expected to exist
in the working directory. (For this reason among others, the working
directory should be always be writable by named.)
If the dnssec-lookaside option is set to auto, named will
automatically initialize a managed key for the zone dlv.isc.org. The
key that is used to initialize the key maintenance process is built
into named, and can be overridden from bindkeys-file.
---------------------------------------------------------------------------
--
Kazunori Fujiwara, JPRS
More information about the bind-users
mailing list