Permissions change after running dnssec-settime bind 9.9.0rc2
Spain, Dr. Jeffry A.
spainj at countryday.net
Wed Feb 1 04:12:59 UTC 2012
I ran dnssec-settime from bind 9.9.0rc2 today to change the metadata on two of my ZSKs. Before running dnssec-settime, using one of these keys as an example, the file permissions were:
-rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw-r----- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private
Afterwards the permissions on the private key were changed by dnssec-settime to:
-rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw------- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private
Now the private key is inaccessible to the named process, which is running as user bind. User bind is a member of group bind.
What do you recommend as a best practice? I could do "chmod 640" on any private keys modified by dnssec-settime to fix this, or I could probably do "chown bind:bind" on all the keys and not have to worry about it. Aside from this, is the permissions change made by dnssec-settime a feature or a bug?
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
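
A check for the condition described in this message, as an added example that is not part of the original post: it flags K*.private files that the named group can no longer read (the 0600 state shown above) and, as the opposite failure, any that are world-accessible, then restores 0640. The function names and the Kexample.test sample files are constructed for illustration; the root:bind ownership and 640 mode are taken from the listing in the post.

```shell
#!/bin/sh
# Added example. Assumes the post's layout: key files owned root:bind,
# named running as a member of group bind, intended private-key mode 0640.

# Report why a private key's mode is wrong, or print nothing if it is fine.
key_mode_problem() {
    if [ -n "$(find "$1" -prune ! -perm -040)" ]; then
        echo "unreadable-by-group"      # the state described in the post
    elif [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "world-accessible"         # opposite failure: key exposed
    fi
}

# List "PROBLEM FILENAME" for every K*.private in directory $1.
audit_private_keys() {
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        problem=$(key_mode_problem "$f")
        if [ -n "$problem" ]; then echo "$problem ${f##*/}"; fi
    done
}

# Set flagged keys back to 0640 and print how many were changed.
restore_private_keys() {
    changed=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        if [ -n "$(key_mode_problem "$f")" ]; then
            chmod 640 "$f" && changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Constructed sample directory (not the poster's keys): one good key, one
# left at 0600 as after dnssec-settime, one world-readable.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/Kexample.test.+005+00001.private" "$d/Kexample.test.+005+00002.private" \
          "$d/Kexample.test.+005+00003.private" "$d/Kexample.test.+005+00001.key"
    chmod 640 "$d/Kexample.test.+005+00001.private"
    chmod 600 "$d/Kexample.test.+005+00002.private"
    chmod 644 "$d/Kexample.test.+005+00003.private" "$d/Kexample.test.+005+00001.key"
    echo "$d"
}

sample=$(make_sample_dir)
audit_private_keys "$sample"
rm -rf "$sample"
```

Running audit_private_keys against the real key directory after each dnssec-settime run shows which keys need their mode restored before named next tries to load them.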