On 02/01/2012 04:56 AM, Evan Hunt wrote:
> Now the private key is inaccessible to the named process, which is
> running as user bind. User bind is a member of group bind.
> Any time a private key file is rewritten, the mode is changed to 600.
This kind of keyfile nannying annoys me, with other products as well as
bind. If I've set the perms to 0640, I've done it deliberately; I INTEND
the group to have read perms on the key. I'm not an idiot.
By all means, *create* new keys with 0600 perms. But blowing away the
perms on an existing file is just rude.
> There's no rule that it has to be owned by root, though; could you just
> chown it to user bind?
There's no need for the keyfile to be writable by bind (at the moment,
at any rate). So root:bind and 0640 seem more appropriate to me.
>> Aside from this, is the permissions change made by dnssec-settime a
>> feature or a bug?
> I consider it a feature, though opinions may vary.
As is probably obvious, I consider it an irritating bug ;o)
Obviously it's trivial to fix, but I feel the current behaviour is
dangerous; one of these days someone is going to run dnssec-settime and
forget the chown/chmod, re-signing will start to fail and go unnoticed
and the zone will eventually fall off-net.
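The silent failure described in this message, a private key rewritten as 0600 under root that the named account can no longer open, can be caught before re-signing breaks. The script below is an added example, not code from the thread or from BIND; it assumes Linux with GNU stat, BIND's K*.private key-file naming, and a key directory and named account passed as arguments (placeholders in the usage comment).

```shell
#!/bin/sh
# Added check (not from the thread): report DNSSEC private keys that the
# named account can no longer read, e.g. after dnssec-settime rewrote them
# as 0600 under root. Assumes Linux with GNU stat and BIND's K*.private
# key-file naming; directory and account are placeholders passed as args.

# key_readable_by FILE UID GIDS
# Return 0 if the permission bits grant read access to a process running
# with numeric user UID and the space-separated group list GIDS.
key_readable_by() {
    file=$1 uid=$2 gids=$3
    info=$(stat -c '%u %g %A' "$file") || return 2
    set -- $info
    owner=$1 grp=$2 perm=$3          # perm looks like -rw-r-----
    ur=$(printf '%s' "$perm" | cut -c2)
    gr=$(printf '%s' "$perm" | cut -c5)
    or=$(printf '%s' "$perm" | cut -c8)
    if [ "$owner" = "$uid" ] && [ "$ur" = r ]; then return 0; fi
    if [ "$gr" = r ]; then
        for g in $gids; do
            if [ "$g" = "$grp" ]; then return 0; fi
        done
    fi
    if [ "$or" = r ]; then return 0; fi
    return 1
}

# check_key_dir DIR USER
# Warn on stderr for every K*.private in DIR that USER cannot read;
# return 0 only when all keys are readable (suitable for a cron/monitoring job).
check_key_dir() {
    dir=$1 user=$2
    uid=$(id -u "$user") || return 2
    gids=$(id -G "$user") || return 2
    bad=0
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue        # glob did not match: no keys present
        if ! key_readable_by "$f" "$uid" "$gids"; then
            echo "WARNING: $f not readable by $user ($(stat -c '%U:%G %a' "$f"))" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check-keys.sh /path/to/keydir named-user
if [ $# -ge 2 ]; then
    check_key_dir "$1" "$2"
fi
```

Run it from cron after any dnssec-settime invocation; a non-zero exit with a WARNING line is the root:root 0600 case the message warns about.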
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users