DNSSEC policy using wrong directory?

Mike debian at good-with-numbers.com
Mon Aug 25 03:37:56 UTC 2025


Mark Andrews wrote:
> Just put the zone file somewhere named can do that.

OK, thanks, that works.  I see you answer this every few years.

For secured environments, it'd be better if BIND copied the file over to the
working directory itself.  In a typical OCI/Docker image, the configuration
will be in the image, unmodifiable; but the state-carrying directories will
be on a storage server.

I hacked it by creating an entrypoint script to do just that.

But I don't see it modifying or replacing the zone file anyway.  Is it
expected to do that?  The file is owned by root and isn't modifiable by the
`bind` user, but BIND has write permission on the directory.

BIND seems to be keeping its own recollection of the zone's serial number,
incrementing it with every restart or key signing.


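One way to write the entrypoint the post describes, as an added example that is not part of the original message, the bind-users thread, or BIND's own tooling. It stages zone files from a read-only directory baked into the image into named's writable working directory, but never touches the `.signed` and `.jnl` companions that inline signing under `dnssec-policy` writes there, so named keeps its own signatures and serial across restarts. The directory paths, the `bind` user name and the `RUN_ENTRYPOINT` switch are assumptions; `named -u` and `-g` are real options (drop privileges, run in the foreground).

```shell
#!/bin/sh
# Hypothetical container entrypoint for BIND with dnssec-policy.
# Example code, not from the original post or from BIND.
set -eu

# Assumed layout: zone sources are read-only in the image, the working
# directory (named.conf "directory") is a writable volume.
ZONE_SRC="${ZONE_SRC:-/etc/bind/zones}"
ZONE_DIR="${ZONE_DIR:-/var/cache/bind/zones}"
NAMED_USER="${NAMED_USER:-bind}"

# stage_zone SRC DST: copy SRC to DST only when DST is missing or differs.
# DST.signed, DST.signed.jnl and DST.jnl are left alone, so named's
# signing state and its own serial survive a restart.
# Returns 0 if a copy happened, 1 if DST was already current.
stage_zone() {
    src=$1
    dst=$2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    # Write to a temp file and rename so named never reads a half-copied file.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst"
    return 0
}

# stage_all: stage every regular file in ZONE_SRC into ZONE_DIR and print the
# names of the files that were actually copied, one per line.
stage_all() {
    mkdir -p "$ZONE_DIR"
    for src in "$ZONE_SRC"/*; do
        [ -f "$src" ] || continue
        name=$(basename "$src")
        if stage_zone "$src" "$ZONE_DIR/$name"; then
            echo "$name"
        fi
    done
}

# Set RUN_ENTRYPOINT=1 in the image (assumption) to run the startup flow;
# left unset, the script only defines the functions above.
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then
    stage_all
    # named needs write access to the directory for .signed/.jnl files,
    # even though the staged zone file itself stays read-only for it.
    chown -R "$NAMED_USER:$NAMED_USER" "$ZONE_DIR"
    exec named -u "$NAMED_USER" -g "$@"
fi
```

Because the serial of the signed zone is managed by named (the behaviour the post notices), the serial in the image's source file only matters for deciding whether named reloads the unsigned zone; the script compares file contents rather than serials, so a rebuilt image with an unchanged zone file causes no copy at all.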
More information about the bind-users mailing list