managed-keys.bind's directory problem

Mark Andrews marka at isc.org
Thu Dec 10 14:08:56 UTC 2009 

In message <20091210.162242.460114267490885968.fujiwara at pyon.org>, fujiwara at wid
e.ad.jp writes:
> I'm using BIND 9.7.0b3 an DLV (dns-lookaside auto;).
> 
> The named tried to write "managed-keys.bind" file into the named's
> working directory.
> 
> The current BIND 9 requires the working directory is writable by named
> (From ARM). But I think the working directory should not be writable
> by named and some OSs' default configuration set the working directory
> not writable.

Then those OS's are misconfiguring named.  This has been a requirement
since the BIND 4 days.  It's just named has not complained and there
has been loss of functionality as a result.  On some OS's this is the
only way to get a core file for debugging as there is no way to specify
anything other than the current working directory.

Note there is no requirement for named's config files to be below the
working directory.

../master-files/ or /master-files/ or /var/named/master-files could
all be used instead of ./master-files
 
The working directory does not have to be /var/named.

> It is usable to avoid named's unknown BUG which may break the working
> directory.
> 
> For example, FreeBSD changes the working directory's
> owner/group/permission configured by /etc/mtree/BIND.chroot.dist and
> it sets the working directory not writable by named.
> 
> I changed /etc/mtree/BIND.chroot.dist in my FreeBSD box, but I don't
> like this solution.
>
> I'm very happy if I can change the managed-keys.bind path.

We will look into that.

> -----------------------------------------------------------------------------
> -
> >From BIND 9.7.0b3 ARM:
> 
>   In the current implementation, the managed keys database is stored
>   as a master-format zone file called managed-keys.bind. When the key
>   database is changed, the zone is updated. As with any other dynamic
>   zone, changes will be written into a journal file,
>   managed-keys.bind.jnl. They are committed to the master file as soon
>   as possible afterward; in the case of the managed key database, this
>   will usually occur within 30 seconds. So, whenever named is using
>   automatic key maintenace, those two files can be expected to exist
>   in the working directory. (For this reason among others, the working
>   directory should be always be writable by named.)
> 
>   If the dnssec-lookaside option is set to auto, named will
>   automatically initialize a managed key for the zone dlv.isc.org. The
>   key that is used to initialize the key maintenance process is built
>   into named, and can be overridden from bindkeys-file.
> 
> ---------------------------------------------------------------------------
> 
> --
> Kazunori Fujiwara, JPRS
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list