permissions for DNSSEC zone signing

David Newman dnewman at networktest.com
Tue Jul 23 23:48:40 UTC 2013



On 7/23/13 3:44 PM, Mark Andrews wrote:
> In message <51EF00AF.4090204 at networktest.com>, David Newman writes:
>> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
>>
>> What are the correct directory and file permissions for DNSSEC static
>> zone signing with bind?
>>
>> By default, everything in /var/named/etc/namedb is owned by bind except
>> for the master directory. For example:
>>
>> drwxr-xr-x bind wheel dynamic
>> drwxr-xr-x bind bind managed-keys
>> drwxr-xr-x root wheel master
>> -rw-r--r-- bind wheel named.conf
>> -rw-r--r-- bind wheel named.root
>> -r--r--r-- bind wheel rndc.conf
>> drwxr-xr-x bind wheel slave
>> drwxr-xr-x bind wheel working
>>
>> Without DNSSEC, this is fine. With DNSSEC enabled, there are permissions
>> errors in /var/log/messages after restarting named, because bind can't
>> create the jnl/jbk/signed files. For example:
>>
>> Jul 23 14:57:16 hostname named[42000]: master/example.org.db.jbk:
>> create: permission denied
>>
>> Here are the DNSSEC-specific bits from named.conf:
>> options {
>> 	..
>>         managed-keys-directory "/etc/namedb/managed-keys";
>>         dnssec-enable yes;
>>         dnssec-lookaside auto;
>>         dnssec-validation auto;
>> 	..
>> }
>>
>> zone "example.org" {
>>         type master;
>>         file "master/example.org.db";
>>         allow-query { any; };
>>         allow-transfer { xfer; };
>>         key-directory "/etc/namedb/managed-keys";
>>         inline-signing yes;
>>         auto-dnssec maintain;
>> };
>>
>> There is a valid KSK and ZSK for this zone in managed-keys.
>>
>> Changing ownership of the master directory results in a complaint when
>> restarting named that master wants to be owned by root.
> 
> Rename the file to "dynamic/example.org.db" and update named.conf.
> The directory "dynamic" has permissions set up for dynamic master files
> which this zone is.

Thanks, Mark!

This is a *static* zone file but signing works as expected if:

1. the zone file is set up in a directory which bind can write to (e.g.,
/var/named/etc/namedb/dynamic, even for static zones); and

2. the zone file's serial number increments. (named did not create a
filename.jnl file until I incremented the zone file's serial number.)

Thanks very much for sorting out this permissions problem.

dn


> 
>> Thanks in advance for clues on sorting out this permissions problem.
>>
>> dn
>>


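Added example, not from this thread and not ISC's code: a preflight script that checks the two conditions David lists before you reload named. It parses the zone stanzas from named.conf, resolves each inline-signed zone's `file` against `options { directory ... }` (assumed to be /etc/namedb when absent, as in the FreeBSD port), and reports directories that named's uid/gid cannot create files in, since the .jnl/.jbk/.signed files land next to the zone file. It also extracts the SOA serial and compares it in RFC 1982 serial arithmetic, which is the check named applies before it starts journalling. The sample named.conf and zone file are constructed for the example; the `bind` user name, the chroot prefix and the ACL-free mode-bit check are assumptions.

```python
"""Preflight check for BIND inline-signing zones (added example, not ISC code).

Assumptions not taken from the post: options `directory` defaults to /etc/namedb,
an optional chroot prefix (FreeBSD: /var/named) is applied to every path, the
named user is called "bind", and POSIX ACLs are ignored (mode bits only).
"""
import os
import re
import stat

# Constructed sample config mirroring the post, plus an unsigned zone that the
# check must skip and the `directory` option the post did not show.
SAMPLE_CONF = '''
options {
        directory "/etc/namedb";
        managed-keys-directory "/etc/namedb/managed-keys";
        dnssec-enable yes;
        dnssec-validation auto;
};
zone "example.org" {
        type master;
        file "master/example.org.db";
        allow-query { any; };
        allow-transfer { xfer; };
        key-directory "/etc/namedb/managed-keys";
        inline-signing yes;
        auto-dnssec maintain;
};
zone "example.net" {
        type master;
        file "master/example.net.db";
};
'''

# Constructed zone file: parenthesised SOA with ; comments, as in real files.
SAMPLE_ZONE = '''
$TTL 3600
$ORIGIN example.org.
@   IN SOA ns1.example.org. hostmaster.example.org. (
        2013072301 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS  ns1.example.org.
ns1 IN A   192.0.2.1
'''

# One `name value;` directive per line; braces exclude nested blocks such as
# `allow-query { any; };`.
DIRECTIVE_RE = re.compile(r'^\s*([a-z-]+)\s+"?([^";{}]*?)"?\s*;', re.M)


def parse_zones(conf_text):
    """Return {zone_name: {directive: value}} for every zone { ... } stanza.
    Brace-depth scanning, so nested { } blocks do not end the stanza early."""
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf_text):
        depth, i = 1, m.end()
        while depth and i < len(conf_text):
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        zones[m.group(1)] = dict(DIRECTIVE_RE.findall(conf_text[m.end():i - 1]))
    return zones


def base_directory(conf_text, default="/etc/namedb"):
    """options { directory "..."; } or the FreeBSD port default (assumption)."""
    m = re.search(r'^\s*directory\s+"([^"]+)"\s*;', conf_text, re.M)
    return m.group(1) if m else default


def writes_zone_file(zone):
    """Zones named rewrites on its own: inline signing or auto-dnssec maintain."""
    return zone.get("inline-signing") == "yes" or zone.get("auto-dnssec") == "maintain"


def can_write(st, uid, gid):
    """Owner/group/other write bits for a process running as uid/gid."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def unwritable_zone_dirs(conf_text, uid, gid, chroot=""):
    """[(zone, directory)] for signed zones whose directory named cannot write to."""
    base, problems = base_directory(conf_text), []
    for name, zone in parse_zones(conf_text).items():
        if not writes_zone_file(zone) or "file" not in zone:
            continue
        path = zone["file"] if os.path.isabs(zone["file"]) else os.path.join(base, zone["file"])
        directory = os.path.join(chroot or "/", os.path.dirname(path).lstrip("/"))
        if not os.path.isdir(directory) or not can_write(os.stat(directory), uid, gid):
            problems.append((name, directory))
    return problems


def soa_serial(zone_text):
    """SOA serial from zone-file text; handles ( ) continuation and ; comments."""
    text = re.sub(r";[^\n]*", "", zone_text)
    m = re.search(r"\bSOA\b\s+\S+\s+\S+\s*\(?\s*(\d+)", text)
    return int(m.group(1)) if m else None


def serial_advanced(old, new):
    """RFC 1982: True iff `new` is later than `old` on the 32-bit serial circle."""
    delta = (new - old) % (1 << 32)
    return 0 < delta < (1 << 31)


if __name__ == "__main__":
    import pwd
    import sys
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/var/named/etc/namedb/named.conf"
    chroot = sys.argv[2] if len(sys.argv) > 2 else ""
    pw = pwd.getpwnam("bind")  # FreeBSD's named user (assumption for other platforms)
    with open(conf_path) as f:
        conf = f.read()
    for zone, d in unwritable_zone_dirs(conf, pw.pw_uid, pw.pw_gid, chroot):
        print(f"{zone}: {d} not writable by uid {pw.pw_uid}; "
              f"move the zone file to a named-writable directory such as dynamic/")
```

Run it as `python3 preflight.py /var/named/etc/namedb/named.conf /var/named` on the FreeBSD layout from the post: `master/` (root:wheel 0755) is reported for example.org, `dynamic/` (bind:wheel 0755) is not. The serial helpers are for a second check after editing the zone file: compare `soa_serial(new_text)` against the serial named last loaded with `serial_advanced`, otherwise named will not open the journal.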