rndc: 'sign' failed: permission denied
L. Gabriel Somlo
gsomlo at gmail.com
Wed Jul 7 19:24:19 UTC 2010
I've configured bind-9.7.1 with DNSSec and stored the keys online, to
allow dynamic updates via nsupdate. Here are the relevant bits from my
named.conf:
options {
    ...
    dnssec-enable yes;
    directory "/var/named/db";
    key-directory "/var/named/keys";
    ...
};

key foo {
    algorithm hmac-md5;
    secret "XXXXX";
};

view "global" {
    zone "example.org" {
        type master;
        file "example.org.signed";
        allow-update {
            key foo;
        };
    };
};
I have KSK and ZSK pairs for example.org, I can query data from the
zone and get all the DNSSec bits back as expected, everything works
fine. I can even do this on a remote server:
$ nsupdate
server my-example-server.example.org
key foo XXXXX
zone example.org
update add somerecord.example.org 300 A 192.168.0.123
send
And have it work perfectly (i.e. the KSK and ZSK in the key-directory
are found and used by named).
The problem is that, when I attempt
rndc sign example.org
from my server, I get
rndc: 'sign' failed: permission denied
The only thing logged by my server is
07-Jul-2010 15:11:29.614 info: received control channel command 'sign example.org'
No indication as to what "permission" is denied, specifically.
Any ideas as to what I may be doing wrong?
The server runs as user 'named', and the keys in the key directory are
owned by 'named' with rw permissions (both public and private). This
is also evidenced by the fact that nsupdate works, even from a remote
machine.
Thanks for any ideas,
--Gabriel
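Added diagnostic, not part of the post above or of BIND itself: before named will act on `rndc sign <zone>`, the zone stanza has to carry `auto-dnssec allow;` (or `maintain;`); the rndc documentation for 9.7 states that requirement, and a zone without it gets exactly the `permission denied` reply shown above even when the key files are readable. The script below checks that, then checks that the key-directory and the zone's working directory are readable and writable by whoever runs it (run it as the `named` user to mirror what named sees). The two `named.conf` fragments and the temporary directories are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Prerequisite checks for "rndc sign <zone>" (added example, constructed input).
#   1. the zone stanza sets "auto-dnssec allow;" or "auto-dnssec maintain;"
#   2. key-directory and zone directory are rw for the user running the check

# check_auto_dnssec CONF ZONE -> 0 if ZONE's stanza in CONF sets auto-dnssec allow|maintain
check_auto_dnssec() {
    awk -v z="$2" '
        !inzone && $1 == "zone" && $2 == ("\"" z "\"") { inzone = 1 }
        inzone {
            if ($1 == "auto-dnssec" && $2 ~ /^(allow|maintain);?$/) found = 1
            opens  = split($0, t, "{") - 1   # brace counting keeps nested
            closes = split($0, t, "}") - 1   # allow-update { ... } inside the zone
            depth += opens - closes
            if (started && depth <= 0) exit  # end of this zone stanza
            if (depth > 0) started = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_dirs KEYDIR ZONEDIR -> 0 if both exist and are readable+writable by the caller
check_dirs() {
    dirs_rc=0
    for d in "$1" "$2"; do
        if [ -d "$d" ] && [ -r "$d" ] && [ -w "$d" ]; then
            echo "ok: $d is readable and writable by $(id -un)"
        else
            echo "FAIL: $d is missing or not rw for $(id -un)"
            dirs_rc=1
        fi
    done
    return $dirs_rc
}

# rndc_sign_prereqs CONF ZONE KEYDIR ZONEDIR -> 0 only if every check passes
rndc_sign_prereqs() {
    pre_rc=0
    if check_auto_dnssec "$1" "$2"; then
        echo "ok: zone $2 has auto-dnssec allow/maintain"
    else
        echo "FAIL: zone $2 lacks 'auto-dnssec allow;' (or maintain); rndc sign is refused"
        pre_rc=1
    fi
    check_dirs "$3" "$4" || pre_rc=1
    return $pre_rc
}

# --- constructed sample input -------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/keys" "$WORK/db"

# Same shape as the stanza in the post: no auto-dnssec line.
BAD_CONF="$WORK/named.bad.conf"
cat > "$BAD_CONF" <<'EOF'
view "global" {
    zone "example.org" {
        type master;
        file "example.org.signed";
        allow-update { key foo; };
    };
};
EOF

# Same stanza with the option rndc sign requires.
GOOD_CONF="$WORK/named.good.conf"
cat > "$GOOD_CONF" <<'EOF'
view "global" {
    zone "example.org" {
        type master;
        file "example.org.signed";
        allow-update { key foo; };
        auto-dnssec allow;
    };
};
EOF

echo "== stanza as posted =="
rndc_sign_prereqs "$BAD_CONF" example.org "$WORK/keys" "$WORK/db" || true
echo "== stanza with auto-dnssec allow =="
rndc_sign_prereqs "$GOOD_CONF" example.org "$WORK/keys" "$WORK/db" || true
```

Point the last two calls at the real `named.conf`, key-directory and `directory` paths and run them as the `named` user; a FAIL line from the first check is the configuration cause, a FAIL line from the second is a file-system one.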