On Jul 10 2011, Emil Natan wrote:
> Hi,
> I have a few boxes running BIND 9.7.3-P3. I do not use DNSSEC (for now) and
> dynamic updates (at all) and I have them explicitly disabled in named.conf
> (dnssec-enable no; dnssec-validation no; allow-update { none; };) but I
> see named still searching for managed-keys.bind file and trying to create
> session.key file. In the general case it fails with file not found and
> permission denied which I know how to correct. My question is why BIND is
> forced to create files and especially the session.key? Is there a way to
> change that behavior?
The two cases are different. If you don't have any managed keys then BIND
doesn't need managed-keys.bind, and it's a bit annoying it goes on about
it. You can chase the messages away by making it an empty file in BIND's
working directory, or rather better one containing
=== cut ===
$TTL 0 ; 0 seconds
@ IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
=== cut ===
which correctly represents the state of no managed keys.
The session.key file isn't to do with DNSSEC, but with signing update
requests, using "update-policy local;" and "nsupdate -l" (see the ARM
for details). BIND always writes a new session key at startup whether
it's going to be used or not. If you don't want it, and it is trying to
write it somewhere it can't, specify an alternative writable location
(e.g. in BIND's working directory) with "session-keyfile" in "options",
and then forget about it.
--
Chris Thompson
Email: c...@cam.ac.uk
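An added example (not part of Chris Thompson's reply and not ISC's own code) that applies both suggestions as a small POSIX shell script: it writes the "no managed keys" placeholder zone above into BIND's working directory, checks that the directory is writable, and prints an options block that keeps DNSSEC and updates off while pointing session-keyfile at that directory. The working-directory path is an assumption; use the "directory" value from your own named.conf.

```shell
#!/bin/sh
# Assumed working directory (not from the thread); override with WORKDIR=...
WORKDIR="${WORKDIR:-/var/cache/bind}"

# Return 0 if the current user could create files here, 1 otherwise.
# This is the "permission denied" case from the question: run it as the
# user named runs as (or check ownership) before relying on the fixes.
workdir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Write the placeholder zone that represents "no managed keys" (content
# taken from the reply). Never overwrite an existing managed-keys.bind,
# since on a validating server it holds the current trust anchors.
write_managed_keys_placeholder() {
    f="$1/managed-keys.bind"
    [ -e "$f" ] && return 0
    cat > "$f" <<'EOF'
$TTL 0 ; 0 seconds
@ IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
EOF
}

# Print an options block: DNSSEC and dynamic updates stay disabled as in
# the question, and session-keyfile points into the writable working dir.
options_fragment() {
    printf '%s\n' \
        'options {' \
        "    directory \"$1\";" \
        '    dnssec-enable no;' \
        '    dnssec-validation no;' \
        '    allow-update { none; };' \
        "    session-keyfile \"$1/session.key\";" \
        '};'
}

# Run with "apply" as the first argument to perform the steps on WORKDIR.
if [ "${1:-}" = "apply" ]; then
    workdir_writable "$WORKDIR" || { echo "$WORKDIR is not writable" >&2; exit 1; }
    write_managed_keys_placeholder "$WORKDIR"
    options_fragment "$WORKDIR"
fi
```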