permissions for DNSSEC zone signing
David Newman
dnewman at networktest.com
Tue Jul 23 22:16:15 UTC 2013
FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
What are the correct directory and file permissions for DNSSEC static
zone signing with bind?
By default, everything in /var/named/etc/namedb is owned by bind except
for the master directory. For example:
drwxr-xr-x bind wheel dynamic
drwxr-xr-x bind bind managed-keys
drwxr-xr-x root wheel master
-rw-r--r-- bind wheel named.conf
-rw-r--r-- bind wheel named.root
-r--r--r-- bind wheel rndc.conf
drwxr-xr-x bind wheel slave
drwxr-xr-x bind wheel working
Without DNSSEC, this is fine. With DNSSEC enabled, there are permissions
errors in /var/log/messages after restarting named, because bind can't
create the jnl/jbk/signed files. For example:
Jul 23 14:57:16 hostname named[42000]: master/example.org.db.jbk: create: permission denied
Here are the DNSSEC-specific bits from named.conf:
options {
    ..
    managed-keys-directory "/etc/namedb/managed-keys";
    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation auto;
    ..
};

zone "example.org" {
    type master;
    file "master/example.org.db";
    allow-query { any; };
    allow-transfer { xfer; };
    key-directory "/etc/namedb/managed-keys";
    inline-signing yes;
    auto-dnssec maintain;
};
There is a valid KSK and ZSK for this zone in managed-keys.
Changing ownership of the master directory results in a complaint when
restarting named that master wants to be owned by root.
Thanks in advance for clues on sorting out this permissions problem.
dn
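As an added example that is not part of the original post or of BIND itself: a small Python audit that applies the POSIX permission-class rules (owner, group, other, with root bypassing the mode) to the two directories the inline-signing configuration above touches, the directory holding the zone file, where named creates example.org.db.jbk, .signed and .signed.jnl, and the key-directory it reads keys from. It goes slightly beyond the post's single case by evaluating the group and other classes as well as the owner class, so it can tell you whether a group-writable master directory would be enough. Assumptions: the service user is named bind (the FreeBSD default), and on-disk paths are the named.conf paths prefixed with the /var/named chroot, as on a default FreeBSD install; the uid/gid values in the comments are constructed.

```python
"""Added example (not from the original post): check whether the user named
runs as can create the files BIND inline-signing writes beside the zone file
(example.org.db.jbk, .signed, .signed.jnl) and read the key-directory.

Assumptions: the service user is 'bind'; on-disk paths are the named.conf
paths prefixed with the /var/named chroot, as on a default FreeBSD install.
The pure permission logic is kept separate from filesystem access so it can
be checked against constructed mode/owner values.
"""
import grp
import os
import pwd

CHROOT = "/var/named"                              # assumed FreeBSD named chroot
ZONE_FILE = "/etc/namedb/master/example.org.db"    # from the post's named.conf
KEY_DIR = "/etc/namedb/managed-keys"               # from the post's named.conf


def effective_bits(mode, owner_uid, owner_gid, uid, gids):
    """(read, write, search) the user gets under POSIX class rules: owner bits
    if uid matches, else group bits if the owning gid is one of the user's
    groups, else 'other' bits.  uid 0 bypasses the mode entirely."""
    if uid == 0:
        return (True, True, True)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return (bool(bits & 4), bool(bits & 2), bool(bits & 1))


def can_create_files(mode, owner_uid, owner_gid, uid, gids):
    """Creating a file in a directory needs write AND search on that directory."""
    _, w, x = effective_bits(mode, owner_uid, owner_gid, uid, gids)
    return w and x


def can_list_and_read(mode, owner_uid, owner_gid, uid, gids):
    """Reading key files out of a directory needs read AND search on it."""
    r, _, x = effective_bits(mode, owner_uid, owner_gid, uid, gids)
    return r and x


def user_ids(username):
    """uid and the full set of gids (primary plus supplementary) for a user."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def audit(zone_file=ZONE_FILE, key_dir=KEY_DIR, username="bind", chroot=CHROOT):
    """Return {on-disk directory: (requirement, ok)} for the two directories
    inline-signing touches.  A missing path is reported as not ok."""
    uid, gids = user_ids(username)
    checks = {
        chroot + os.path.dirname(zone_file): ("create .jbk/.signed/.signed.jnl", can_create_files),
        chroot + key_dir: ("read key files", can_list_and_read),
    }
    results = {}
    for path, (why, test) in checks.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[path] = (why, False)
            continue
        results[path] = (why, test(st.st_mode & 0o777, st.st_uid, st.st_gid, uid, gids))
    return results


if __name__ == "__main__":
    for path, (why, ok) in audit().items():
        print(f"{'OK ' if ok else 'BAD'} {path}: {why}")
```

Run it on the nameserver as any user: the audit only stats directories, so it does not need to run as bind or root. With the listing from the post (master owned by root:wheel, mode 755) the zone directory check fails for bind, which matches the create: permission denied message, while the bind-owned managed-keys directory passes.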