managed-keys.bind's directory problem

fujiwara at fujiwara at
Thu Dec 10 07:22:42 UTC 2009

I'm using BIND 9.7.0b3 and DLV (dnssec-lookaside auto;).

named tried to write a "managed-keys.bind" file into named's
working directory.

The current BIND 9 requires that the working directory be writable by
named (from the ARM). But I think the working directory should not be
writable by named, and some OSs' default configuration sets the working
directory not writable.

It is useful to avoid named's unknown BUG which may break the working

For example, FreeBSD changes the working directory's
owner/group/permissions as configured by /etc/mtree/BIND.chroot.dist,
and it sets the working directory not writable by named.

I changed /etc/mtree/BIND.chroot.dist in my FreeBSD box, but I don't
like this solution.

I would be very happy if I could change the managed-keys.bind path.

From BIND 9.7.0b3 ARM:

  In the current implementation, the managed keys database is stored
  as a master-format zone file called managed-keys.bind. When the key
  database is changed, the zone is updated. As with any other dynamic
  zone, changes will be written into a journal file,
  managed-keys.bind.jnl. They are committed to the master file as soon
  as possible afterward; in the case of the managed key database, this
  will usually occur within 30 seconds. So, whenever named is using
  automatic key maintenance, those two files can be expected to exist
  in the working directory. (For this reason among others, the working
  directory should always be writable by named.)

  If the dnssec-lookaside option is set to auto, named will
  automatically initialize a managed key for the zone The
  key that is used to initialize the key maintenance process is built
  into named, and can be overridden from bindkeys-file.


Kazunori Fujiwara, JPRS
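The precondition the post runs into can be checked before starting named: if dnssec-lookaside auto is enabled, the working directory named will write managed-keys.bind and managed-keys.bind.jnl into must be writable by the named account. The script below is an added example, not code from the post or from BIND; it assumes a minimal named.conf syntax (a `directory "..."` statement and `dnssec-lookaside auto;`) and a plain POSIX mode-bit check, and the demo uses the current uid/gid as a stand-in for the named account.

```python
import os
import re
import stat
import tempfile

# named.conf statements this check looks at (assumed minimal syntax).
_DIRECTORY_RE = re.compile(r'^\s*directory\s+"([^"]+)"\s*;', re.M)
_DLV_AUTO_RE = re.compile(r'^\s*dnssec-lookaside\s+auto\s*;', re.M)

def parse_named_conf(text):
    """Return (working_directory, dlv_auto) from named.conf text."""
    m = _DIRECTORY_RE.search(text)
    return (m.group(1) if m else None, bool(_DLV_AUTO_RE.search(text)))

def writable_by(path, uid, gid):
    """Plain mode-bit check: may uid/gid create files in path?
    Ignores ACLs and chflags immutable bits, which a FreeBSD mtree spec may also set."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def managed_keys_check(conf_text, uid, gid):
    """Verdict string for the named account (uid, gid) and this named.conf."""
    workdir, dlv_auto = parse_named_conf(conf_text)
    if not dlv_auto:
        return "ok: no automatic key maintenance, managed-keys.bind is not written"
    if workdir is None or not os.path.isdir(workdir):
        return "error: working directory not set or missing"
    if writable_by(workdir, uid, gid):
        return "ok: managed-keys.bind and managed-keys.bind.jnl can be written in " + workdir
    return "error: " + workdir + " is not writable, the managed-keys.bind write will fail"

def demo():
    """Constructed scenario: a read-only working directory (as the FreeBSD
    mtree spec leaves it), then the same directory made writable. The
    current uid/gid stands in for the named account. Returns both verdicts."""
    workdir = tempfile.mkdtemp()
    conf = 'options {\n  directory "%s";\n  dnssec-lookaside auto;\n};\n' % workdir
    me = (os.getuid(), os.getgid())
    os.chmod(workdir, 0o555)
    readonly = managed_keys_check(conf, *me)
    os.chmod(workdir, 0o755)
    writable = managed_keys_check(conf, *me)
    os.rmdir(workdir)
    return readonly, writable
```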
