permissions for DNSSEC zone signing

Doug Barton dougb at
Wed Jul 24 00:11:21 UTC 2013

On 07/23/2013 04:48 PM, David Newman wrote:
> On 7/23/13 3:44 PM, Mark Andrews wrote:
>> In message <51EF00AF.4090204 at>, David Newman writes:
>>> FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports


>>> zone "" {
>>>          type master;
>>>          file "master/";
>>>          allow-query { any; };
>>>          allow-transfer { xfer; };
>>>          key-directory "/etc/namedb/managed-keys";
>>>          inline-signing yes;
>>>          auto-dnssec maintain;
>>> };
>>> There is a valid KSK and ZSK for this zone in managed-keys.
>>> Changing ownership of the master directory results in a complaint when
>>> restarting named that master wants to be owned by root.
>> Rename the file to "dynamic/" and update named.conf.
>> The directory "dynamic" has permissions set up for dynamic master files
>> which this zone is.
> Thanks, Mark!
> This is a *static* zone file but signing works as expected if:
> 1. the zone file is set up in a directory which bind can write to (e.g.,
> /var/named/etc/namedb/dynamic, even for static zones); and
> 2. the zone file's serial number increments. (named did not create a
> filename.jnl file until I incremented the zone file's serial number.)

The zone may be static but the "auto-dnssec maintain" process is 
equivalent to the dynamic updates process, so that is the correct 

Doug (who set up the permissions for named in FreeBSD ages ago)

More information about the bind-users mailing list