TSIG with BIND requires chmod+chgrp /etc/namedb
Cricket Liu
cricket at menandmice.com
Fri Nov 1 17:22:12 UTC 2002
Dan Langille wrote:
> It appears that using TSIG with BIND for secondary domains requires a
> chmod and chgrp of /etc/namedb.
>
> I've been adding TSIG to various domains. But I've found that on my
> slave servers, I've had to set the directory permissions as this:
>
> $ ls -ld /etc/namedb/
> drwxrwxr-x 4 root bind 512 Oct 15 09:26 /etc/namedb/
> $ ls -ld /etc/namedb/secondary/
> drwxr-x--- 2 bind bind 512 Oct 15 09:25 /etc/namedb/secondary/
>
> The original permissions on /etc/namedb are:
> drwxr-xr-x 2 root wheel 512 Mar 9 2002 /etc/namedb
>
> named is running as: /usr/sbin/named -u bind -g bind
>
> Some bits from /etc/namedb/named.conf:
>
> options {
> directory "/etc/namedb";
>
> I don't really like having to change the permission of /etc/namedb
> especially as that will be necessary for people running secondary
> DNS for me.
>
> Any comments/suggestions?
>
> [I'm using named 8.3.3-REL on FreeBSD 4.6-stable]
I don't see why TSIG would require that the name server be able to
write to the working directory. The name server would need to be
able to read the named.conf file or whatever file contained the key
definition, but that's it.
cricket
Men & Mice
DNS Software, Training and Consulting
www.menandmice.com
The DNS and BIND Cookbook, available now!
http://www.oreilly.com/catalog/dnsbindckbk/