bind configuration/setup question

Alan Clegg alan at
Wed Aug 28 17:34:36 UTC 2013

On Aug 28, 2013, at 1:29 PM, Alan Clegg <alan at> wrote:
> I believe that what you are seeing is the result of BIND 9.9 doing more things "automatically", including bringing in a set of DNSSEC trust anchors (root and DLV) and not being able to create the file.
> You should be able to use the option "bindkeys-file" to set a location that is writable for this file.

And as soon as I sent this I realized that I'd goofed.  bind.keys is created on install (it is part of the problem, however).

This file contains "managed-keys" statements that I refer to below (and it was supposed to be "keystore" not "keystone" -- spellcheck will be the death of the computer industry).

> It's also going to happen if you use managed-keys, as there is a "keystone" created that needs to be updated.  See the "managed-keys-directory" option.

This is where the problem lies.  The fact that you have managed-keys requires BIND to create a journal of updates made to the trust-anchor material.  Set "managed-keys-directory" to a writable directory and copy the managed-keys.bind and managed-keys.bind.jnl files there.

Alan Clegg | +1-919-355-8851 | alan at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the bind-users mailing list