AW: DNSSEC and nsupdate

Tony Finch dot at dotat.at
Tue Mar 6 16:48:44 UTC 2018


Prof. Dr. Michael Schefczyk <michael at schefczyk.net> wrote:
>
> The issue is that normal permissions in the key-directory are root:bind
> 0644 for the public key and root:bind 0600 for the private key. The
> issue disappears when setting the private key to 0644 also and that must
> be done before starting bind - before using nsupdate is not enough.
>
> Do you know if these permissions are standard or a consequence of
> starting DNSSEC via webmin?

By default, `dnssec-keygen` creates private keys with perms 0600, so if
you run it under a different user than `named`, you need to `chmod g+r`.
You might also need to `chgrp`, but I put my keys in a g+s directory.
This is somewhat tiresome. (If webmin has specific support for DNSSEC, I
would expect it to `chmod` if necessary.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Rockall: Cyclonic 5 to 7, occasionally gale 8 later. Rough or very rough.
Showers. Moderate or good.
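
The permission points in this message (private keys readable by the group `named` runs as, a g+s key directory so new keys inherit that group), checked by an audit script that is an added example and not part of the original post. It also flags private keys left readable by all users, as with mode 0644. Assumptions: GNU `stat`, private keys named `K*.private`, and the function name `audit_keydir` and its finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat and private
# key files named K<zone>+<alg>+<id>.private.

# audit_keydir DIR GROUP
#   GROUP is the group named runs as (name or numeric gid).
#   Prints one finding per line; returns 1 if anything was found.
audit_keydir() {
    dir=$1 group=$2 rc=0

    # A setgid directory makes new keys inherit its group, so no chgrp
    # is needed after each dnssec-keygen run.
    case $(stat -c '%a' "$dir") in
        [2367]???) ;;
        *) echo "DIR-NOT-SETGID $dir: chmod g+s"; rc=1 ;;
    esac

    for key in "$dir"/K*.private; do
        [ -e "$key" ] || continue
        set -- $(stat -c '%a %G %g' "$key")
        mode=$(printf '%04d' "$1") gname=$2 gid=$3
        other=${mode#???}                    # last octal digit
        grp=${mode#??}; grp=${grp%?}         # third octal digit

        # 0644 on a private key lets every local user read it.
        if [ "$other" != 0 ]; then
            echo "WORLD-ACCESSIBLE $key: chmod o-rwx"; rc=1
        fi
        # named needs read access through its group (0600 root-only fails).
        case $grp in
            [4567]) ;;
            *) echo "NOT-GROUP-READABLE $key: chmod g+r"; rc=1 ;;
        esac
        if [ "$gname" != "$group" ] && [ "$gid" != "$group" ]; then
            echo "WRONG-GROUP $key ($gname): chgrp $group"; rc=1
        fi
    done
    return $rc
}
```

Call it as `audit_keydir <key-directory> <group>`; it only reports and never changes permissions itself.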