Master file permission denied

Daniel Armando Rodriguez drodriguez at unau.edu.ar
Fri Jun 30 11:43:12 UTC 2023


Hi,

Thanks for pointing that out.
As mentioned before, prior to this dnssec everything was working fine. 
Maybe not in the way it should, but working at last. Now I'm dealing 
with the slave misbehaving. So, as soon as I can reach harmony, I will 
take care of the permissions.




On 2023-06-30 00:51, Hika van den Hoven wrote:
> Hi Daniel,
> 
> How about setting ownership correctly. I see a mix of ownerships and
> to my knowledge it should all be owned by bind.bind. Not root.bind or
> root.root or bind.root. And then you can reset permissions on the
> files back to 644 or 640. For the directories it should be 755 or 750.
> (As to Linux a directory is a file, the x is needed to parse (execute)
> it.)
> Thus giving the bind user and only the bind user (and root) exclusive
> write access.
> Whether you want them world readable is a matter of preference, I
> don't think it is needed. Any user needing read access should be made
> member of the bind group.
> 
> Thursday, June 29, 2023, 11:48:37 PM, you wrote:
> 
>> And you were right...
>>
>> Since the zone was not being signed, I enabled the logs for
>> dnssec, and found this error message:
>>
>>   dnssec: zone unau.edu.ar/IN (signed): zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
>>   dnssec: zone unau.edu.ar/IN (signed): zone_rekey failure: error occurred writing key to disk (retry in 600 seconds)
>>
>> So, to bypass it I had to change permissions of my
>> /var/cache/bind/keys directory to rwxrwxr-- (774) and all the
>> files therein to rw-rw-r-- (664).
>>
>> One step closer, thanks to all :-). Best regards
>>
>> On 29/6/23 at 03:16, Matthijs Mekking wrote:
>>
>> I suspect permissions on the key-directory are not yet correct:
>>
>>     key-directory "/var/cache/bind/keys";
>>
>> On 6/28/23 22:35, Daniel Armando Rodriguez via bind-users wrote:
>>
>> However, as soon as I added this
>>
>>     dnssec-policy "default";
>>     inline-signing yes;
>>
>> Error came up again :-(
>
> Until next mail,
>  bind userlist                          mailto:bind-users at lists.isc.org
> 
> "Without hope you cannot live
> Without life there is no hope
> The eternal dilemma
> Especially when you must destroy hope in order to survive!"
> 
> The learning Human
> --

-- 
________________________________________________

  Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
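
An added example, not part of the original thread: a POSIX shell function that audits a BIND key-directory against the ownership and mode advice quoted above (everything owned by bind.bind, no write access for group or others). The name `audit_keydir` and the output labels are made up for this illustration.

```shell
#!/bin/sh
# audit_keydir DIR [OWNER] [GROUP]
# Hypothetical helper (not from the thread or from BIND). Lists every path
# under DIR that deviates from the advice in the thread:
#   - owner and group should both be "bind"
#   - files 644/640, directories 755/750: only the owner may write
# Returns 0 if clean, 1 if findings were printed, 2 on a usage error.
audit_keydir() {
    dir=$1
    owner=${2:-bind}   # assumption: named runs as bind, as in the thread
    group=${3:-bind}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Anything not owned by OWNER:GROUP (root.bind, root.root, ...).
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print |
            sed 's/^/OWNER /'
        # Group- or world-writable entries, e.g. the 774/664 workaround.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'
        # Directories the owner cannot read, write and traverse:
        # named could not create new key files there.
        find "$dir" -type d ! -perm -700 -print | sed 's/^/DIRMODE /'
        # Key files the owner cannot read and rewrite.
        find "$dir" -type f ! -perm -600 -print | sed 's/^/FILEMODE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit_keydir.sh /var/cache/bind/keys
if [ "$#" -gt 0 ]; then
    audit_keydir "$@"
fi
```

OWNER and GROUP also accept numeric IDs, which helps on hosts where the account running named is not called bind.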

