TSIG with BIND requires chmod+chgrp /etc/namedb

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Nov 1 21:55:48 UTC 2002


> 
> On 1 Nov 2002 at 10:22, Cricket Liu wrote:
> 
> > 
> > Dan Langille wrote:
> > > It appears that using TSIG with BIND for secondary domains requires a
> > > chmod and chgrp of /etc/namedb.
> > > 
> > > I've been adding TSIG to various domains.  But I've found that on my
> > > slave servers, I've had to set the directory permissions as this:
> > > 
> > > $ ls -ld /etc/namedb/
> > > drwxrwxr-x  4 root  bind  512 Oct 15 09:26 /etc/namedb/
> > > $ ls -ld /etc/namedb/secondary/
> > > drwxr-x---  2 bind  bind  512 Oct 15 09:25 /etc/namedb/secondary/
> > > 
> > > The original permissions on /etc/namedb are:
> > > drwxr-xr-x  2 root  wheel  512 Mar  9  2002 /etc/namedb
> > > 
> > > named is running as:  /usr/sbin/named -u bind -g bind
> > > 
> > > Some bits from /etc/namedb/named.conf:
> > > 
> > > options {
> > >         directory "/etc/namedb";
> > > 
> > > I don't really like having to change the permission of /etc/namedb
> > > especially as that will be necessary for people running secondary
> > > DNS for me.
> > > 
> > > Any comments/suggestions?
> > > 
> > > [I'm using named 8.3.3-REL on FreeBSD 4.6-stable]
> > 
> > I don't see why TSIG would require that the name server be able to
> > write to the working directory.  The name server would need to be
> > able to read the named.conf file or whatever file contained the key
> > definition, but that's it.
> 
> It sounds like you do not believe me.... ;)
> 
> 
> Unless I do those chmod's, I get these errors:
> 
> PLEASE note, these chmod's are required on the slave servers, not the 
> master server.
> -- 
> Dan Langille
> 
> 
	The temporary file is used to pass the TSIG's to named-xfer.

	Feel free to submit a patch which puts the temporary file in
	the same directory as the file used to cache the zone.  Remember
	not all slave zones have a cache file.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
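
The following is an added example, not part of the original thread or of BIND: it parses the `ls -ld` lines quoted above and evaluates whether a named process running as user `bind`, group `bind` can create a file (such as the temporary file Mark mentions) in each directory. It assumes plain Unix mode bits with no ACLs and that `bind` belongs to no other group.

```python
import re

# Listings copied from the `ls -ld` output quoted in the thread.
LISTINGS = [
    "drwxrwxr-x  4 root  bind  512 Oct 15 09:26 /etc/namedb/",
    "drwxr-x---  2 bind  bind  512 Oct 15 09:25 /etc/namedb/secondary/",
    "drwxr-xr-x  2 root  wheel  512 Mar  9  2002 /etc/namedb",
]

LS_RE = re.compile(
    r"^(?P<type>[d-])(?P<mode>[rwxsStT-]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<path>/\S*)$"
)

def parse_ls(line):
    """Split one `ls -ld` line into type, mode string, owner, group, path."""
    m = LS_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ls -ld line: %r" % line)
    return m.groupdict()

def can_create_files(entry, user, groups):
    """Creating a file in a directory needs both write and search (x)
    permission, taken from the first class that matches: owner, then
    group, then other. Classes are not combined."""
    if entry["type"] != "d":
        return False
    mode = entry["mode"]
    if entry["owner"] == user:
        bits = mode[0:3]
    elif entry["group"] in groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    # Lowercase s/t mean the execute bit is set together with setid/sticky.
    return bits[1] == "w" and bits[2] in ("x", "s", "t")

def audit(listings, user="bind", groups=("bind",)):
    """Return (path, mode, owner:group, writable) for each listing."""
    rows = []
    for line in listings:
        e = parse_ls(line)
        rows.append((e["path"], e["mode"], e["owner"] + ":" + e["group"],
                     can_create_files(e, user, set(groups))))
    return rows

if __name__ == "__main__":
    for path, mode, owner, ok in audit(LISTINGS):
        print("%-24s %s %-11s %s" % (path, mode, owner,
              "bind can create files" if ok else "bind CANNOT create files"))
```

With the original `root:wheel` mode 755 on /etc/namedb, `bind` falls into the "other" class and cannot create files there, which matches the behaviour reported in the thread.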

