DNSSEC and nsupdate

Mark Andrews marka at isc.org
Tue Mar 6 22:09:19 UTC 2018


> On 7 Mar 2018, at 3:48 am, Tony Finch <dot at dotat.at> wrote:
> 
> Prof. Dr. Michael Schefczyk <michael at schefczyk.net> wrote:
>> 
>> The issue is that normal permissions in the key-directory are root:bind
>> 0644 for the public key and root:bind 0600 for the private key. The
>> issue disappears when setting the private key to 0644 also and that must
>> be done before starting bind - before using nsupdate is not enough.
>> 
>> Do you know if these permissions are standard or a consequence of
>> starting DNSSEC via webmin?
> 
> By default, `dnssec-keygen` creates private keys with perms 0600, so if
> you run it under a different user than `named`, you need to `chmod g+r`.
> You might also need to `chgrp`, but I put my keys in a g+s directory.
> This is somewhat tiresome. (If webmin has specific support for DNSSEC, I
> would expect it to `chmod` if necessary.)

Or chown as necessary. The user named is running under has to be able to
read the files.

> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Rockall: Cyclonic 5 to 7, occasionally gale 8 later. Rough or very rough.
> Showers. Moderate or good.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
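
An added example, not part of the original thread and not BIND code: a small audit of a key directory that reports private keys the `named` account cannot read, and also flags the 0644 workaround because it leaves the private key world-readable. The uid/gid 113 and the key file name are constructed placeholders; ACLs and root's permission override are not modelled.

```python
import os
import stat

def can_read(mode, f_uid, f_gid, uid, gids):
    """Classic Unix read check: the first matching class (owner, group, other)
    decides. ACLs and root's override are ignored."""
    if uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_private_key(mode, f_uid, f_gid, uid, gids):
    """Return a list of findings for one private key file; empty means OK."""
    findings = []
    if not can_read(mode, f_uid, f_gid, uid, gids):
        findings.append("unreadable by named")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings

def audit_key_directory(path, uid, gids):
    """Audit every K*.private file (dnssec-keygen naming) in a key directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.startswith("K") and name.endswith(".private"):
            st = os.stat(os.path.join(path, name))
            results[name] = audit_private_key(
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)
    return results

if __name__ == "__main__":
    # Constructed ids: root is 0; 113 stands in for the account named runs as.
    ROOT, BIND_UID, BIND_GID = 0, 113, 113
    # The three states from the thread: as found, the workaround, chmod g+r.
    for mode in (0o600, 0o644, 0o640):
        found = audit_private_key(mode, ROOT, BIND_GID, BIND_UID, {BIND_GID})
        print(oct(mode), found or "ok")
```

With root:bind ownership, only 0640 comes back clean: 0600 is unreadable by the `named` account and 0644 is readable by every local user.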


