DNSSEC setup hint

Tony Finch dot at dotat.at
Thu Jan 31 11:41:55 UTC 2019


@lbutlr <kremels at kreme.com> wrote:
>
> key-directory in named.conf refers to the location for the .private key
> files, the .key files need to go with the domain conf files.

In my setup, all the key files (.private and .key) are in the
`key-directory`, all the zone files are in a "zone" directory,
and configuration files are (mostly) in "etc".

I'm not sure why you say the .key files "need" to go anywhere. As I
understand it, `named` doesn't use the .key files, but various other
tools expect them to be next to the .private files.

> Also, though this is more obvious, make sure you set the owner to bind
> for all the key files, as when you create them they will almost
> certainly be owned by root.

Yes, I keep stubbing my toe on this problem. My `key-directory` is set-gid
`named` so I just need to `chgrp +r` the .private files after doing
anything with them. I'm not sure what is the right way to fix this, since
it's hard for a program to know what the sysadmin's security model for a
group is. Maybe setgid on the directory is enough of a hint? dunno.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
a fair, free and open society
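The ownership problem discussed above (keys generated as root, in a set-gid key-directory, that the group `named` runs as cannot read) can be checked and repaired with a small script. The following is an added example, not code from the thread or from BIND; the directory and group are arguments, the key names in the demo are constructed, and the demo uses the caller's own primary group because no `named` group is assumed to exist on the machine running it.

```shell
#!/bin/sh
# Added example, not from the original thread: audit and fix group ownership
# and group-read permission of DNSSEC key files in a BIND key-directory.
# Usage: . ./keydir-audit.sh; check_keydir /var/named/keys named
#        sh keydir-audit.sh --demo   (constructed scenario in a temp dir)

# check_keydir DIR GROUP
# Prints every .private file that is not group-owned by GROUP or not
# group-readable; returns 1 if any such file exists, 0 otherwise.
check_keydir() {
    dir=$1
    group=$2
    bad=0
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue
        line=$(ls -l "$f")
        fgroup=$(printf '%s\n' "$line" | awk '{print $4}')
        gread=$(printf '%s\n' "$line" | cut -c5)   # group read bit of "-rw-r-----"
        if [ "$fgroup" != "$group" ]; then
            echo "wrong group ($fgroup, want $group): $f"
            bad=1
        fi
        if [ "$gread" != "r" ]; then
            echo "not group-readable: $f"
            bad=1
        fi
    done
    return $bad
}

# fix_keydir DIR GROUP
# Makes DIR set-gid for GROUP so newly created files inherit the group,
# then gives GROUP read access to the existing .private and .key files.
fix_keydir() {
    dir=$1
    group=$2
    chgrp "$group" "$dir"
    chmod g+rx,g+s "$dir"
    for f in "$dir"/K*.private "$dir"/K*.key; do
        [ -e "$f" ] || continue
        chgrp "$group" "$f"
        chmod g+r "$f"
    done
}

# setgid_set DIR: returns 0 if DIR carries the set-gid bit (s or S in the
# group execute slot of "drwxr-s---").
setgid_set() {
    case "$(ls -ld "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo_keydir: constructed scenario with a hypothetical key pair name,
# created under a restrictive umask the way a root-run keygen might leave it.
demo_keydir() {
    d=$(mktemp -d)
    g=$(id -gn)
    ( umask 077; touch "$d/Kexample.com.+013+12345.private" \
                       "$d/Kexample.com.+013+12345.key" )
    echo "before fix:"
    check_keydir "$d" "$g" || echo "=> problems found (expected)"
    fix_keydir "$d" "$g"
    echo "after fix:"
    check_keydir "$d" "$g" && echo "=> all .private files readable by group $g"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then
    demo_keydir
fi
```

Only group ownership and the group read bit are touched, which matches the set-gid-directory model in the message; the files stay owned by whoever created them and world access is left as it was, so the private keys are not made more widely readable than the group that needs them.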


More information about the bind-users mailing list