permissions for DNSSEC zone signing

David Newman dnewman at
Tue Jul 23 22:16:15 UTC 2013

FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports

What are the correct directory and file permissions for DNSSEC static
zone signing with bind?

By default, everything in /var/named/etc/namedb is owned by bind except
for the master directory. For example:

drwxr-xr-x bind wheel dynamic
drwxr-xr-x bind bind managed-keys
drwxr-xr-x root wheel master
-rw-r--r-- bind wheel named.conf
-rw-r--r-- bind wheel named.root
-r--r--r-- bind wheel rndc.conf
drwxr-xr-x bind wheel slave
drwxr-xr-x bind wheel working

Without DNSSEC, this is fine. With DNSSEC enabled, there are permissions
errors in /var/log/messages after restarting named, because bind can't
create the jnl/jbk/signed files. For example:

Jul 23 14:57:16 hostname named[42000]: master/
create: permission denied

Here are the DNSSEC-specific bits from named.conf:
options {
        managed-keys-directory "/etc/namedb/managed-keys";
        dnssec-enable yes;
        dnssec-lookaside auto;
        dnssec-validation auto;

zone "" {
        type master;
        file "master/";
        allow-query { any; };
        allow-transfer { xfer; };
        key-directory "/etc/namedb/managed-keys";
        inline-signing yes;
        auto-dnssec maintain;

There is a valid KSK and ZSK for this zone in managed-keys.

Changing ownership of the master directory results in a complaint when
restarting named that master wants to be owned by root.

Thanks in advance for clues on sorting out this permissions problem.


More information about the bind-users mailing list