Permissions change after running dnssec-settime bind 9.9.0rc2

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 1 09:52:16 UTC 2012


On 02/01/2012 04:56 AM, Evan Hunt wrote:
>> Now the private key is inaccessible to the named process, which is
>> running as user bind. User bind is a member of group bind.
>
> Any time a private key file is rewritten, the mode is changed to 600.

This kind of keyfile nannying annoys me, with other products as well as 
bind. If I've set the perms to 0640, I've done it deliberately; I INTEND 
the group to have read perms on the key. I'm not an idiot.

By all means, *create* new keys with 0600 perms. But blowing away the 
perms on an existing file is just rude.

> There's no rule that it has to be owned by root, though; could you just
> chown it to user bind?

There's no need for the keyfile to be writeable by bind (at the moment, 
at any rate). So root:bind and 0640 seem more appropriate to me.

>
>> Aside from this, is the permissions change made by dnssec-settime a
>> feature or a bug?
>
> I consider it a feature, though opinions may vary.
>

As is probably obvious, I consider it an irritating bug ;o)

Obviously it's trivial to fix, but I feel the current behaviour is 
dangerous; one of these days someone is going to run dnssec-settime and 
forget the chown/chmod, resigning will start to fail and go unnoticed 
and the zone will eventually fall off-net.
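The silent failure described above (a key file rewritten to 0600 so that named, running as group bind, can no longer open it) is something an operator can check for right after each dnssec-settime run or from cron. The script below is an added example, not code from the thread or from BIND; the key directory, group name and key file name in the demo are assumptions.

```shell
#!/bin/sh
# Added example: verify that BIND private key files are still readable by the group
# named runs as, so a file reset to 0600 is noticed before re-signing quietly stops.

# key_group_readable FILE -> 0 if the group-read bit is set, 1 if not, 2 if missing.
# Uses the POSIX "ls -ld" mode string (e.g. -rw-r-----): column 5 is group read.
key_group_readable() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 2
    case "$perms" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# key_owner_group FILE -> prints the file's owning group (field 4 of "ls -ld").
key_owner_group() {
    ls -ld "$1" 2>/dev/null | awk '{print $4}'
}

# check_keydir DIR [GROUP] -> warns on stderr about each K*.private file in DIR that
# is not group-readable or (if GROUP is given) not owned by GROUP; returns 1 if any
# file failed, 0 if all are fine.
check_keydir() {
    dir=$1; want=${2:-}; rc=0
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue
        if ! key_group_readable "$f"; then
            echo "WARNING: $f is not group-readable; named cannot open it" >&2
            rc=1
        fi
        if [ -n "$want" ] && [ "$(key_owner_group "$f")" != "$want" ]; then
            echo "WARNING: $f is not owned by group $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo in a throwaway directory standing in for the real key directory
# (assumed /etc/bind/keys); the key name and tag are placeholders.
demo() {
    d=$(mktemp -d) || return 2
    k="$d/Kexample.com.+008+12345.private"
    printf 'Private-key-format: v1.3\n' > "$k"
    chmod 0640 "$k"                       # the operator's intended mode
    check_keydir "$d" && echo "before settime: ok"
    chmod 0600 "$k"                       # what rewriting the key file does to it
    check_keydir "$d" || echo "after settime: fix with chown root:bind; chmod 0640"
    rm -rf "$d"
}
demo
```

In production, run `check_keydir /etc/bind/keys bind` (paths and group assumed) and wire a non-zero exit into whatever alerts on the signing host.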
