On 07/23/2013 04:48 PM, David Newman wrote:
On 7/23/13 3:44 PM, Mark Andrews wrote:
In message <[email protected]>, David Newman writes:
FreeBSD 9.1-RELEASE-p4, BIND 9.9.3-P1 ESV installed from ports
[...]
zone "example.org" {
        type master;
        file "master/example.org.db";
        allow-query { any; };
        allow-transfer { xfer; };
        key-directory "/etc/namedb/managed-keys";
        inline-signing yes;
        auto-dnssec maintain;
};
There is a valid KSK and ZSK for this zone in managed-keys.
Changing ownership of the master directory results in a complaint when
restarting named that master wants to be owned by root.

Rename the file to "dynamic/example.org.db" and update named.conf.
The directory "dynamic" has permissions set up for dynamic master files
which this zone is.

Thanks, Mark!
This is a *static* zone file but signing works as expected if:
1. the zone file is set up in a directory which bind can write to (e.g.,
/var/named/etc/namedb/dynamic, even for static zones); and
2. the zone file's serial number increments. (named did not create a
filename.jnl file until I incremented the zone file's serial number.)

The zone may be static but the "auto-dnssec maintain" process is
equivalent to the dynamic updates process, so that is the correct
directory.

Doug (who set up the permissions for named in FreeBSD ages ago)
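
As an added illustration of the point made in this thread (not code from any of the posters or from BIND): a Python check that reads named.conf text, finds zones with "inline-signing yes" or "auto-dnssec maintain", and reports those whose zone file sits in a directory the named user cannot create files in. It assumes a comment-free named.conf; the function names, the example.net zone and the temporary directories are constructed for the example.

```python
import os
import re
import stat
import tempfile

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')
SIGNED_RE = re.compile(r'\b(?:inline-signing\s+yes|auto-dnssec\s+maintain)\s*;')

def zone_blocks(conf):
    """Yield (zone name, body) per zone statement, matching nested braces."""
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def can_create_files(path, uid, gid):
    """True if the directory's mode bits give uid/gid both write and search."""
    st = os.stat(path)
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

def unwritable_signed_zones(conf, base_dir, uid, gid):
    """Return [(zone, dir)] for signed zones named could not write .jnl/.signed files for."""
    problems = []
    for name, body in zone_blocks(conf):
        f = FILE_RE.search(body)
        if not f or not SIGNED_RE.search(body):
            continue
        zone_dir = os.path.dirname(os.path.join(base_dir, f.group(1)))
        if not os.path.isdir(zone_dir) or not can_create_files(zone_dir, uid, gid):
            problems.append((name, zone_dir))
    return problems

def demo():
    """Constructed sample: one zone under read-only master/, one under dynamic/."""
    conf = ('zone "example.org" { type master; file "master/example.org.db"; '
            'allow-query { any; }; inline-signing yes; auto-dnssec maintain; };\n'
            'zone "example.net" { type master; file "dynamic/example.net.db"; '
            'inline-signing yes; auto-dnssec maintain; };\n')
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "master"), 0o555)
        os.mkdir(os.path.join(base, "dynamic"), 0o755)
        found = unwritable_signed_zones(conf, base, os.getuid(), os.getgid())
        return [(zone, os.path.basename(d)) for zone, d in found]
```

On a real server, pass the uid and gid that named runs as and the directory that relative zone file paths resolve against.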