Master file permission denied

Hika van den Hoven hikavdh at gmail.com
Fri Jun 30 03:51:23 UTC 2023


Hi Daniel,

How about setting ownership correctly? I see a mix of ownerships and
to my knowledge it should all be owned by bind.bind. Not root.bind or
root.root or bind.root. And then you can reset permissions on the
files back to 644 or 640. For the directories it should be 755 or 750.
(As to Linux, a directory is a file; the x is needed to parse (execute)
it.)
Thus giving the bind user and only the bind user (and root) exclusive
write access.
Whether you want them world readable is a matter of preference, I
don't think it is needed. Any user needing read access should be made
a member of the bind group.

Thursday, June 29, 2023, 11:48:37 PM, you wrote:

> And you were right...
>
> Since the zone was not being signed, I enabled the logs for
> dnssec, and found this error message:
>
>   dnssec: zone unau.edu.ar/IN (signed): zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
>   dnssec: zone unau.edu.ar/IN (signed): zone_rekey failure: error occurred writing key to disk (retry in 600 seconds)
>
> So, to bypass it I had to change permissions of my
> /var/cache/bind/keys directory to rwxrwxr-- (774) and all the files therein to rw-rw-r-- (664).
>
> One step closer, thanks to all :-). Best regards
>
> On 29/6/23 at 03:16, Matthijs Mekking wrote:
>
> I suspect permissions on the key-directory are not yet correct:
>
>     key-directory "/var/cache/bind/keys";
>
> On 6/28/23 22:35, Daniel Armando Rodriguez via bind-users wrote:
>
> However, as soon as I added this
>
>     dnssec-policy "default";
>     inline-signing yes;
>
> Error came up again :-(




Until the next mail,
 bind userlist mailto:bind-users at lists.isc.org

"Without hope you cannot live
Without life there is no hope
The eternal dilemma
Especially if you must destroy hope in order to survive!"

The learning Human
--
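
An added example, not part of the original message: a POSIX shell function that audits a key-directory against the ownership and modes recommended in the reply above (bind:bind, directories 755 or 750, files 644 or 640). The name `audit_keydir` and its output labels are made up for this example, and it assumes `stat -c` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Audit a BIND key-directory against the layout recommended in the reply:
# everything owned by bind:bind, directories 755 or 750, files 644 or 640.
# Usage: audit_keydir DIR [OWNER] [GROUP]   (hypothetical helper, needs stat -c)
# Prints one line per deviation; returns 0 if clean, 1 if anything deviates.
audit_keydir() {
    dir=$1
    want_owner=${2:-bind}
    want_group=${3:-bind}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir is not a directory"
        return 1
    fi

    # The directory itself plus each entry directly inside it (dotfiles skipped).
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue      # unmatched glob in an empty directory
        # %U owner name, %G group name, %a octal mode
        set -- $(stat -c '%U %G %a' "$path")
        owner=$1 group=$2 mode=$3

        if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
            echo "OWNER    $path is $owner:$group, expected $want_owner:$want_group"
            findings=$((findings + 1))
        fi

        if [ -d "$path" ]; then allowed="755 750"; else allowed="644 640"; fi
        case " $allowed " in
            *" $mode "*) ;;
            *)  echo "MODE     $path is $mode, expected one of: $allowed"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Run only when a directory is given on the command line,
# e.g. sh audit.sh /var/cache/bind/keys
if [ "$#" -ge 1 ]; then
    audit_keydir "$@"
fi
```

With the 774/664 modes from the quoted message, the directory and every key file are reported under `MODE` because group write is outside the recommended set.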


