Permissions change after running dnssec-settime bind 9.9.0rc2

Spain, Dr. Jeffry A. spainj at
Wed Feb 1 13:04:22 UTC 2012

>> Now the private key is inaccessible to the named process, which is 
>> running as user bind. User bind is a member of group bind.

> Any time a private key file is rewritten, the mode is changed to 600.
> There's no rule that it has to be owned by root, though; could you just chown it to user bind?

>> Aside from this, is the permissions change made by dnssec-settime a 
>> feature or a bug?

> I consider it a feature, though opinions may vary.

After a more careful review of Bv9ARM.pdf, this behavior is documented on p. 150 in the "Description" section of dnssec-settime: "The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600)." In light of some of the other responses to your post, perhaps it would be useful to give this statement greater emphasis typographically in the ARM, e.g. a "Note" box. You might also consider adding the following statement: "We therefore recommend that the owner of all key files be set using the <command>chown</command> utility to the same UID as that under which the named process is running (see <command>named -u</command> in section B.11)." This issue also merits a comment in section 7.2.2 "Using the setuid Function" on page 116. A second and third sentence might read: "Use the <command>chown</command> utility to set the user id of all DNSSEC key files, as these must be readable by <acronym>BIND</acronym>. Note that the mode of private key files will be set to 0600 by <command>dnssec-settime</command> (section B.7)."

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

More information about the bind-users mailing list