bind configuration/setup question

mm half mm_half3 at
Thu Aug 29 22:07:00 UTC 2013


None of the files you listed (bind.keys, managed-keys.bind and managed-keys.bind.jnl) are in the bind installation directory, or the chroot that named is run in.   I did add the following line in the named.conf file :

managed-keys-directory "/var/log";   

where /var/log is a writable directory for the userid named is run as. I re-hit the process with a kill -1 and the same errors appear in the log file.

I also touched blank managed-keys.bind and managed-keys.bind.jnl files in /var/log, then re-hit the process, with the same results.

When I change the database directory to an OS writable directory in named.conf with this line in the options block:

directory       "/var/log/namedb";          // Directory where data files are stored

the errors do not show up in the logs, but the database files are now writable to the OS. Note that user permissions are set so the database files in /var/log/namedb and the /var/log/namedb directory itself are read-only for the userid named is run as.

Did I use the correct syntax for the managed-keys-directory options line, or is the problem that there is no bind.keys file with the managed-keys statements?

*****The content of this message is my personal opinion only, and should not be construed as anything that has been through rigorous scrutiny of the professional groups who devote their life and work to the topics being discussed********

 From: Alan Clegg <alan at>
To: mm half <mm_half3 at> 
Cc: "bind-users at" <bind-users at> 
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question

On Aug 28, 2013, at 1:29 PM, Alan Clegg <alan at> wrote:
> I believe that what you are seeing is the result of BIND 9.9 doing more things "automatically", including bringing in a set of DNSSEC trust anchors (root and DLV) and not being able to create the file.
> You should be able to use the option "bindkeys-file" to set a location that is writable for this file.

And as soon as I sent this I realized that I'd goofed.  bind.keys is created on install (it is part of the problem, however).

This file contains "managed-keys" statements that I refer to below (and it was supposed to be "keystore" not "keystone" -- spellcheck will be the death of the computer industry).

> It's also going to happen if you use managed-keys, as there is a "keystone" created that needs to be updated.  See the "managed-keys-directory" option.

This is where the problem lies.  The fact that you have managed-keys requires BIND to create a journal of updates made to the trust-anchor material.  Set "managed-keys-directory" to a writable directory and copy the managed-keys.bind and managed-keys.bind.jnl files there.

Alan Clegg | +1-919-355-8851 | alan at
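The layout Alan describes, as an added example and not configuration posted by either participant: zone data stays in a directory that is read-only for the named user, while the managed-keys journal gets its own writable directory instead of sharing /var/log. The paths /var/named and /var/named/dynamic and the user/group name named are assumptions for illustration; substitute whatever your installation and chroot actually use. Keep the file as a fragment of the options block, since the rest of named.conf is not shown on this page.

```conf
options {
    // Zone files and other static data live here. This directory and the
    // files in it can stay read-only for the user named runs as.
    // (Assumed path; adjust to your installation or chroot.)
    directory "/var/named";

    // BIND keeps its managed trust anchors in managed-keys.bind and the
    // journal managed-keys.bind.jnl, and must be able to create and rewrite
    // both. If managed-keys-directory is not set, BIND writes them into the
    // "directory" above, which is what produced the errors in this thread
    // when that directory was read-only. Point it at a separate directory
    // that only named can write to, rather than a shared location like
    // /var/log. (Assumed path; create it before starting named.)
    managed-keys-directory "/var/named/dynamic";

    // Optional: explicit location of the installed bind.keys file that
    // carries the managed-keys statements for the root and DLV anchors.
    // Only needed if the file is not where your build expects it.
    // (Assumed path.)
    bindkeys-file "/etc/bind.keys";
};
```

Before restarting named, create the dynamic directory owned by the named user and group with mode 0750 (for example with `install -d -o named -g named -m 0750 /var/named/dynamic`, path and names assumed as above) and copy any existing managed-keys.bind and managed-keys.bind.jnl files into it, as Alan suggests. Then run `named-checkconf` on the file and watch the log after the reload: the "unable to open" or "permission denied" messages for managed-keys.bind should disappear while /var/named itself remains read-only.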
