On Mon, 2011-04-18 at 11:47 +0100, Tony Finch wrote:
> hostmas...@g-net.be <hostmas...@g-net.be> wrote:
> >
> > The reason I ask is because I'm setting up a DNSSEC server and for easy
> > key rollover and manageability I have created several new directories on
> > a USB stick for example. Key files and zone files now all have 774
> > permissions, owned by bind:bind, but I was wondering from a security
> > point of view if this is correct?
>
> Zone files that are managed by bind need to be writable by BIND (mode 644
> and owned by BIND). BIND does not (yet) create keys itself so the key
> files only need to be readable by BIND.
>
> Tony.
Hi,

When I set my key directory permissions like this:

    root@nssec:/dnskeys# ls -als
    4 dr--r--r--  2 bind bind 4096 2011-04-18 14:50 .
    4 drwxr-xr-x 26 root root 4096 2011-04-01 12:38 ..
    4 -r--r--r--  1 bind bind  462 2011-04-18 14:15 Kzone.be.+008+11754.key
    4 -r--r--r--  1 bind bind 1060 2011-04-18 14:15 Kzone.be.+008+11754.private
    4 -r--r--r--  1 bind bind  636 2011-04-18 14:16 Kzone.be.+008+25774.key
    4 -r--r--r--  1 bind bind 1824 2011-04-18 14:16 Kzone.be.+008+25774.private

and when I configure my zone like this in named.conf.local:

    zone "zone.be" {
        type master;
        file "/dnszones/db.zone.be.signed";
        auto-dnssec maintain;
        key-directory "/dnskeys/";
        sig-validity-interval 1;

I get the following message in my logs:

    Apr 18 15:00:53 nssec named[3508]: /etc/bind/named.conf.local:25: 'auto-dnssec maintain;' requires dynamic DNS to be configured in the zone
    Apr 18 15:00:53 nssec named[3508]: loading configuration: failure
    Apr 18 15:00:53 nssec named[3508]: exiting (due to fatal error)

(By the way, I have disabled AppArmor globally on my Ubuntu server for now.)

Is this due to my mistake? Or permission related?

Thx
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
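The following POSIX shell script is an added example, not code from this thread, from ISC or from BIND. It lays out a key directory and a zone directory with the modes Tony's reply describes, audits them, and prints a zone stanza of the kind the log line asks for. It assumes an environment variable BIND_USER naming the account named runs as (defaulting to the current user so it can run unprivileged; on a real server run it as root with BIND_USER=bind), and every path, file name and file body it creates is a constructed placeholder rather than real key material. The audit also covers two things the posted listing does not: a directory without the search (x) bit cannot be entered even when its files are readable, and a zone under auto-dnssec is dynamic, so named needs to write a journal next to the zone file.

```shell
#!/bin/sh
# Added example (not from the thread, ISC or BIND): lay out, fix and audit
# BIND key/zone directories per the reply above, and emit a zone stanza.
# Assumption: BIND_USER is the account named runs as; it defaults to the
# current user so this runs unprivileged (use BIND_USER=bind as root for real).
BIND_USER="${BIND_USER:-$(id -un)}"

# Octal permission bits of a path (GNU stat, falling back to BSD stat),
# reduced to the last three digits so "750" and "0750" compare alike.
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%s\n' "${m#${m%???}}"
}

# Build a throwaway layout: two key pairs and one signed zone file.
# All contents are constructed placeholders, not real DNSKEY material.
make_sample_layout() {
    base="$1"
    mkdir -p "$base/keys" "$base/zones"
    for tag in 11754 25774; do
        echo "; placeholder public key (constructed)" \
            > "$base/keys/Kzone.be.+008+$tag.key"
        echo "Private-key-format: placeholder (constructed, no key material)" \
            > "$base/keys/Kzone.be.+008+$tag.private"
    done
    echo "; placeholder signed zone (constructed)" > "$base/zones/db.zone.be.signed"
}

# Apply the modes from the reply. The key directory keeps its search bit
# (dr--r--r-- would stop named from opening anything inside it), private
# keys are readable by BIND only, and the zone directory is writable by its
# owner so named can create the journal a dynamic zone needs.
apply_permissions() {
    base="$1"
    chown -R "$BIND_USER" "$base/keys" "$base/zones" 2>/dev/null || true
    chmod 750 "$base/keys"              # BIND can enter and list it; others cannot
    chmod 644 "$base/keys"/*.key        # public keys: readable is enough
    chmod 400 "$base/keys"/*.private    # private keys: readable by BIND only
    chmod 755 "$base/zones"             # BIND (owner) can write the journal here
    chmod 644 "$base/zones"/*.signed    # managed zone file: writable by BIND
}

# Audit a layout: returns 0 when every rule holds, otherwise prints the
# first violation and returns 1.
check_permissions() {
    base="$1"
    d=$(mode_of "$base/keys") || return 1
    case "$d" in
        [1357]??) ;;
        *) echo "key directory mode $d has no owner search bit"; return 1 ;;
    esac
    for f in "$base/keys"/*.private; do
        m=$(mode_of "$f") || return 1
        case "$m" in
            ?00) ;;
            *) echo "$f mode $m is readable by group or others"; return 1 ;;
        esac
    done
    for f in "$base/zones"/*.signed; do
        m=$(mode_of "$f") || return 1
        case "$m" in
            [2367]??) ;;
            *) echo "$f mode $m is not writable by its owner"; return 1 ;;
        esac
    done
    return 0
}

# Zone stanza for a zone named signs and maintains itself. The posted stanza
# lacks the dynamic-update statement the log line asks for; "update-policy
# local;" (assumption: BIND 9.7 or later) allows updates only with the
# server's own session key, which is all auto-dnssec needs.
zone_stanza() {
    cat <<'EOF'
zone "zone.be" {
    type master;
    file "/dnszones/db.zone.be.signed";
    key-directory "/dnskeys/";
    auto-dnssec maintain;
    update-policy local;
    sig-validity-interval 1;
};
EOF
}

# Stand-alone run: build the layout under a temp dir, fix it, audit it.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_layout "$work"
    apply_permissions "$work"
    check_permissions "$work" && echo "permissions OK under $work"
    zone_stanza
    rm -rf "$work"
fi
```

Run it as `sh keyperms.sh --demo` to see the audit pass on a fresh layout; point `check_permissions` at a real `/dnskeys`-style tree to reproduce the poster's failure, where the directory mode `dr--r--r--` trips the first rule before any file is examined.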