<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">In addition to what Matthijs said, please make sure that all path components</div><div class="">in /data/chroot/named/keys/dnssec/example.com/ have correct permissions;</div><div class="">this is easy to get wrong. I've been burnt by this too many times.</div><div class=""><br class=""></div><div class="">The easiest way to test is to switch to the user that named runs under and try</div><div class="">changing to the directory and checking whether you can access the files.</div><div class=""><br class=""></div>Ondrej<br class=""><div class="">
<meta charset="UTF-8" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">--</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Ondřej Surý (He/Him)</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><a href="mailto:ondrej@isc.org" class="">ondrej@isc.org</a></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; 
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div></div></div></div>
</div>
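<div class="">An added example, not part of the original message and not BIND code: one way to check every path component for the account named runs under, by reading mode bits with GNU stat. The function names class_bits and first_blocked are hypothetical; POSIX ACLs and MAC policy are not evaluated.</div>

```sh
#!/bin/sh
# Mode-bit walk of every component of an absolute path for one account.
# Assumes GNU stat (Linux). POSIX ACLs and MAC policy are not evaluated,
# and uid 0 is treated like any other owner.

# class_bits USER PATH: print the rwx bits (0-7) that apply to USER on PATH.
# An empty USER means the account running the script.
class_bits() {
    cb_uid=$(id -u ${1:+"$1"}) || return 2
    cb_gids=" $(id -G ${1:+"$1"}) "
    cb_st=$(stat -L -c '%a %u %g' "$2") || return 2
    set -- $cb_st                     # $1=octal mode, $2=owner uid, $3=group gid
    if [ "$cb_uid" = "$2" ]; then
        cb_shift=6                    # owner class
    else
        case $cb_gids in
            *" $3 "*) cb_shift=3 ;;   # group class
            *)        cb_shift=0 ;;   # other class
        esac
    fi
    echo $(( (0$1 >> $cb_shift) & 7 ))
}

# first_blocked USER ABSPATH: print the first component USER cannot use and
# return 1; return 0 when every component is usable, 2 on a lookup error.
first_blocked() {
    fb_user=$1 fb_rest=${2#/} fb_cur=
    fb_bits=$(class_bits "$fb_user" /) || return 2
    [ $(( $fb_bits & 1 )) -ne 0 ] || { echo /; return 1; }
    while [ -n "$fb_rest" ]; do
        fb_part=${fb_rest%%/*}
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
        [ -n "$fb_part" ] || continue
        fb_cur=$fb_cur/$fb_part
        fb_bits=$(class_bits "$fb_user" "$fb_cur") || { echo "$fb_cur"; return 2; }
        if [ -n "$fb_rest" ]; then fb_need=1      # intermediate dir: search (x)
        elif [ -d "$fb_cur" ]; then fb_need=5     # target dir: list + search (r-x)
        else fb_need=4; fi                        # target file: read (r)
        [ $(( $fb_bits & $fb_need )) -eq "$fb_need" ] || { echo "$fb_cur"; return 1; }
    done
    return 0
}

# Usage with the account and path from this thread:
#   first_blocked named /data/chroot/named/keys/dnssec/example.com/
```

<div class="">Run it as root or as any account that can stat the whole path; the result reflects mode bits only, so the switch-user test described above remains the final check.</div>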
<div><br class=""><blockquote type="cite" class=""><div class="">On 14. 10. 2022, at 16:17, PGNet Dev &lt;<a href="mailto:pgnet.dev@gmail.com" class="">pgnet.dev@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">hi<br class=""><br class=""><blockquote type="cite" class="">Think ownership, permission and things like SELinux, AppArmor depending on your OS.<br class=""></blockquote><br class="">on this box, no SELinux or AppArmor<br class=""><br class="">in my named.conf<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">  </span>directory "/namedb/production";<br class=""><br class="">and for my domain's dnssec<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">     </span>key-directory "/keys/dnssec/example.com";<br class=""><br class="">pathnames are relative to chroot.<br class=""><br class="">here, chroot is @ "/data/chroot/named",<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">       </span>ps aux | grep named<br class=""><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>named    14285  0.0  0.2 526388 67360 ?        
Ssl  08:47   0:00 /usr/sbin/named -f -t /data/chroot/named -n 2 -S 1024 -u named -c /etc/named.conf<br class=""><br class="">checking,<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">  </span>ls -al \<br class=""><span class="Apple-tab-span" style="white-space:pre">       </span> /data/chroot/named/namedb/production \<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span> /data/chroot/named/keys/dnssec/<a href="http://example.com/" class="">example.com/</a><br class=""><br class="">access looks ok (?)<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">      </span>/data/chroot/named/keys/dnssec/<a href="http://example.com/:" class="">example.com/:</a><br class=""><span class="Apple-tab-span" style="white-space:pre">       </span><span class="Apple-tab-span" style="white-space:pre">    </span>total 32K<br class=""><span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>drwxr-xr-x 2 named named 4.0K Oct 12 18:09 ./<br class=""><span class="Apple-tab-span" style="white-space:pre">  </span><span class="Apple-tab-span" style="white-space:pre">    </span>drwxr-xr-x 5 named named 4.0K Oct 14 00:22 ../<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  405 Oct 13 19:14 <a href="http://Kexample.com" class="">Kexample.com</a>.+013+17296.key<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  215 Oct 13 19:14 <a href="http://Kexample.com" class="">Kexample.com</a>.+013+17296.private<br class=""><span class="Apple-tab-span" style="white-space:pre">     </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  572 Oct 13 19:14 <a href="http://Kexample.com" 
class="">Kexample.com</a>.+013+17296.state<br class=""><span class="Apple-tab-span" style="white-space:pre">       </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  455 Oct 13 19:14 <a href="http://Kexample.com" class="">Kexample.com</a>.+013+62137.key<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  235 Oct 13 19:14 <a href="http://Kexample.com" class="">Kexample.com</a>.+013+62137.private<br class=""><span class="Apple-tab-span" style="white-space:pre">     </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named  556 Oct 13 19:14 <a href="http://Kexample.com" class="">Kexample.com</a>.+013+62137.state<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre">  </span>/data/chroot/named/namedb/production:<br class=""><span class="Apple-tab-span" style="white-space:pre">  </span><span class="Apple-tab-span" style="white-space:pre">    </span>total 16K<br class=""><span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>drwxrwxr-x 2 named named 4.0K Oct 14 08:47 ./<br class=""><span class="Apple-tab-span" style="white-space:pre">  </span><span class="Apple-tab-span" style="white-space:pre">    </span>drwxr-xr-x 5 named named 4.0K Oct 14 08:47 ../<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw------- 1 named named 8.0K Oct 14 08:47 external.nzd<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">    </span>-rw-r----- 1 named named    0 Oct 14 08:47 managed-keys.bind<br class=""></div></div></blockquote></div><br class=""></body></html>