question on minimal file permissions

hostmaster at g-net.be hostmaster at g-net.be
Mon Apr 18 12:17:19 UTC 2011


On Mon, 2011-04-18 at 11:47 +0100, Tony Finch wrote:
> hostmaster at g-net.be <hostmaster at g-net.be> wrote:
> >
> > The reason I ask is because I'm setting up a DNSSEC server and for easy
> > key rollover and manageability I have created several new directories on
> > a usb stick for example. Key files and zone files now all have 774
> > permissions, owned by bind:bind, but I was wondering from a security
> > point of view if this is correct?
> 
> Zone files that are managed by bind need to be writable by BIND (mode 644
> and owned by BIND). BIND does not (yet) create keys itself so the key
> files only need to be readable by BIND.
> 
> Tony.

Hi,

When I set my key directory permissions like this:

--> root at nssec:/dnskeys# ls -als

4 dr--r--r--  2 bind bind 4096 2011-04-18 14:50 .
4 drwxr-xr-x 26 root root 4096 2011-04-01 12:38 ..
4 -r--r--r--  1 bind bind  462 2011-04-18 14:15 Kzone.be.+008+11754.key
4 -r--r--r--  1 bind bind 1060 2011-04-18 14:15 Kzone.be.+008+11754.private
4 -r--r--r--  1 bind bind  636 2011-04-18 14:16 Kzone.be.+008+25774.key
4 -r--r--r--  1 bind bind 1824 2011-04-18 14:16 Kzone.be.+008+25774.private

and when I configure my zone like this in named.conf.local:

zone "zone.be" {
        type master;
        file "/dnszones/db.zone.be.signed";
        auto-dnssec maintain;
        key-directory "/dnskeys/";
        sig-validity-interval 1;
};

I get the following message in my logs:

Apr 18 15:00:53 nssec named[3508]: /etc/bind/named.conf.local:25: 'auto-dnssec maintain;' requires dynamic DNS to be configured in the zone
Apr 18 15:00:53 nssec named[3508]: loading configuration: failure
Apr 18 15:00:53 nssec named[3508]: exiting (due to fatal error)

(By the way, I have disabled AppArmor globally on my Ubuntu server for
now.)

Is this due to my mistake? Or is it permission related?

Thx
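As an added example, not code from the thread: a small POSIX shell audit of the layout in the listing above, checking what the replies and the log imply (the key directory needs the owner search bit before named can open anything inside it, K*.private files should be readable only by the bind user, and a zone file under auto-dnssec maintain must be owner-writable because named rewrites it), run against a constructed copy of the directory. The named error itself is about the zone lacking dynamic update (allow-update or update-policy), which is separate from permissions; the audit assumes named runs as the file owner, and the sample paths and helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes named runs as the file owner
# (bind:bind in the listing), so the owner bits decide what named can do.
#  - key directory: owner search (x) bit required, or files cannot be opened
#  - K*.private: must not be readable by group/other (mode 400 or 600)
#  - zone file under "auto-dnssec maintain": owner write bit (mode 644)

# mode_of PATH -> 10-character mode string such as dr--r--r-- (via ls, portable)
mode_of() { ls -ld "$1" | cut -c1-10; }

# bit MODE N -> character at column N (2-4 owner, 5-7 group, 8-10 other)
bit() { printf '%s\n' "$1" | cut -c"$2"; }

# audit_key_dir DIR: prints findings; returns 1 if any, 0 when clean
audit_key_dir() {
    rc=0; m=$(mode_of "$1")
    case $(bit "$m" 4) in
        x|s) ;;
        *) echo "DIR $1: no owner search bit ($m); named cannot open files inside"
           return 1 ;;   # files inside cannot even be stat'ed, so stop here
    esac
    for f in "$1"/K*.private; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        if [ "$(bit "$m" 5)" = r ] || [ "$(bit "$m" 8)" = r ]; then
            echo "KEY $f: private key readable by group/other ($m); use 400 or 600"; rc=1
        fi
    done
    return $rc
}

# audit_zone_file FILE: returns 1 if named cannot rewrite it
audit_zone_file() {
    m=$(mode_of "$1")
    [ "$(bit "$m" 3)" = w ] && return 0
    echo "ZONE $1: not owner-writable ($m); auto-dnssec maintain needs 644"; return 1
}

# setup_samples: constructed tree mirroring the question's listing; prints its root
setup_samples() {
    t=$(mktemp -d)
    for d in as_posted fixed; do
        mkdir "$t/$d"; touch "$t/$d/Kzone.be.+008+11754.key" "$t/$d/Kzone.be.+008+11754.private"
    done
    chmod 444 "$t/as_posted"/K* "$t/as_posted"               # dr--r--r-- as posted
    chmod 444 "$t/fixed"/*.key; chmod 400 "$t/fixed"/*.private; chmod 500 "$t/fixed"
    touch "$t/db.zone.be.signed"; chmod 644 "$t/db.zone.be.signed"
    echo "$t"
}
cleanup_samples() { chmod -R u+rwx "$1" 2>/dev/null; rm -rf "$1"; }
```

Running `audit_key_dir "$(setup_samples)/as_posted"` reports the missing search bit on the directory exactly as shown in the question's listing, while the `fixed` tree passes.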
