[BIND] RE: KSK Rollover

Petr Mensik pemensik at redhat.com
Fri Sep 7 14:12:09 UTC 2018


Hi,

Also a few notes on it.

On 7.9.2018 at 04:05 Brent Swingle wrote:
> This matter has been resolved with input from Evan.  I was able to add a file path for secroots to the named.conf file and push the output file to a temp directory that was not permission restricted.
> 
> secroots-file "/tmp/named.secroots" ;
Instead, "/var/named/data/named.secroots" or maybe
"/run/named/named.secroots" should be used.

In Fedora, it should already have write access to the /var/named directory
itself, also from the daemon. That should already be in an update for supported releases.
> 
> 
> Ultimately when I ran "rndc secroots" it created the output file here:
> 
> /tmp/systemd-private-b2ebff459df9471e8bf444e2d2b1116e-named.service-HX1NF5/tmp/named.secroots
> 
> 
> The data in the file seems to be as desired if I understand the KSK Rollover test correctly, I should see 20326 which pertains to the new key:
> 
> [root at ns3 tmp]# cat named.secroots
> 06-Sep-2018 18:47:16.190
> 
> Start view internal-in
> 
> ./RSASHA256/20326 ; managed
> ./RSASHA256/19036 ; managed
> dlv.isc.org/RSASHA1/19297 ; managed
> 
> Start view external-in
> 
> ./RSASHA256/20326 ; managed
> ./RSASHA256/19036 ; managed
> dlv.isc.org/RSASHA1/19297 ; managed
> 
> Start view external-chaos
> 
> dumpsecroots failed: not found
> 
> 
> 
> 
> I did not fully try Carl's input below but I believe it would have worked as well.  I had performed a "chmod 770 /var/named" but I did not follow it up with the SELinux modification.  The last error I had was SELinux barking so I'd anticipate his suggestion was the correct one.
> 
> Does the 'named' user have write access to /var/named? The default
> redhat setup has /var/named as 0750, with /var/named/data as 0770. Also,
> the default redhat selinux config prevents named writing to /var/named.
> 
> chmod 770 /var/named
> setsebool -P named_write_master_zones=true
> rndc secroots

It should not be required on upcoming RHEL 7 versions.
named_write_master_zones would be turned on by default in the next minor
release. Permissions would also be fixed to allow writing by default. That
would save us from replacing all paths in the config file to write into the
/var/named/data subdirectory. I hope it also reduces the confusion.
> 
> 
> 
> 
> Thanks everyone for assisting with this matter.
> 
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
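The check Brent describes by eye (look for key tag 20326 in every view of the "rndc secroots" dump) can be automated. The following is an added example, not code from this thread or from ISC; it embeds the dump quoted above as a constructed sample, parses the "Start view" sections, and reports per view whether the new root KSK (20326) is trusted, whether the old one (19036) is still present, and whether the dump for that view failed. The function and constant names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: the "rndc secroots" dump quoted in the thread, with two
# successful views and one view where the dump failed.
SAMPLE_SECROOTS = """\
06-Sep-2018 18:47:16.190

Start view internal-in

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed

Start view external-in

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed

Start view external-chaos

dumpsecroots failed: not found
"""

# One trust-anchor line has the shape: <zone>/<algorithm>/<keytag> ; <kind>
ANCHOR_RE = re.compile(r"^(\S+)/([A-Z0-9]+)/(\d+)\s*;\s*(\w+)")


def parse_secroots(text):
    """Return {view: {"anchors": [(zone, alg, keytag, kind)], "errors": [line]}}."""
    views = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Start view "):
            current = line[len("Start view "):]
            views[current] = {"anchors": [], "errors": []}
            continue
        if current is None:
            continue  # the timestamp header precedes the first view
        m = ANCHOR_RE.match(line)
        if m:
            zone, alg, tag, kind = m.groups()
            views[current]["anchors"].append((zone, alg, int(tag), kind))
        elif "failed" in line:
            views[current]["errors"].append(line)
    return views


def check_ksk(views, zone=".", new_tag=20326, old_tag=19036):
    """Per view: is the new root KSK trusted, does the old one linger, did the dump fail?"""
    report = {}
    for name, data in views.items():
        tags = {tag for z, _alg, tag, _kind in data["anchors"] if z == zone}
        report[name] = {
            "has_new": new_tag in tags,
            "has_old": old_tag in tags,
            "dump_failed": bool(data["errors"]),
        }
    return report


def views_missing_new_ksk(report):
    """Views that need attention: no new KSK trusted (includes failed dumps)."""
    return [name for name, r in report.items() if not r["has_new"]]


if __name__ == "__main__":
    result = check_ksk(parse_secroots(SAMPLE_SECROOTS))
    for view, flags in result.items():
        print(view, flags)
    print("needs attention:", views_missing_new_ksk(result))
```

To run it against a live server, replace SAMPLE_SECROOTS with the contents of the file named by secroots-file after "rndc secroots". A view whose dump failed is listed as needing attention rather than silently skipped, so a view with no DNSSEC state at all (like the chaos view above) is surfaced for a human to confirm that is expected.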

