Alan,
None of the files you listed (bind.keys, managed-keys.bind and
managed-keys.bind.jnl) are in the bind installation directory, or the chroot
that named is run in. I did add the following line in the named.conf file:
managed-keys-directory "/var/log";
where /var/log is a writable directory for the userid named is run as. I re-hit
the process with a kill -1 name.pid and the same errors are in the log file.
I also touched blank managed-keys.bind and managed-keys.bind.jnl files in
/var/log, then re-hit the process, with the same results.
When I change the database directory to an OS writable directory in named.conf
with this line in the options block:
directory "/var/log/namedb"; // Directory where data files are stored
the errors do not show up in the logs, but the database files are now writable
to the OS. Note user permissions are set so the database files in
/var/log/namedb and the /var/log/namedb directory are read only for the userid
named is run as.
Did I use the correct syntax for the managed-keys-directory options line, or is
the problem that there is no bind.keys file with the managed-keys statements?
*****The content of this message is my personal opinion only, and should not be
construed as anything that has been through rigorous scrutiny of the
professional groups who devote their life and work to the topics being
discussed********
________________________________
From: Alan Clegg <a...@clegg.com>
To: mm half <mm_ha...@yahoo.com>
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question
On Aug 28, 2013, at 1:29 PM, Alan Clegg <a...@clegg.com> wrote:
>
> I believe that what you are seeing is the result of BIND 9.9 doing more
> things "automatically", including bringing in a set of DNSSEC trust anchors
> (root and DLV) and not being able to create the file.
>
> You should be able to use the option "bindkeys-file" to set a location that
> is writable for this file.
And as soon as I sent this I realized that I'd goofed. bind.keys is created on
install (it is part of the problem, however).
This file contains "managed-keys" statements that I refer to below (and it was
supposed to be "keystore" not "keystone" -- spellcheck will be the death of the
computer industry).
> It's also going to happen if you use managed-keys, as there is a "keystone"
> created that needs to be updated. See the "managed-keys-directory" option.
This is where the problem lies. The fact that you have managed-keys requires
BIND to create a journal of updates made to the trust-anchor material. Set
"managed-keys-directory" to a writable directory and copy the managed-keys.bind
and managed-keys.bind.jnl files there.
AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
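
Added example, not part of the thread and not ISC code: a shell check for the condition discussed above, namely whether the directory where named will keep managed-keys.bind and its journal is writable by the account named runs as. The function names conf_path and check_managed_keys_dir are hypothetical, and the script assumes the paths in named.conf are absolute and each statement sits on one line.

```shell
#!/bin/sh
# Added example (not from the thread). Run it as the account named runs as,
# e.g. with sudo -u <named-user>; the account name depends on your install.
# Assumes absolute paths and one statement per line in named.conf.

# Print the quoted path of an options statement such as
#   managed-keys-directory "/var/log";
# Lines commented out with // or # do not match. Prints nothing if absent.
conf_path() {    # usage: conf_path OPTION NAMED_CONF
    sed -n "s|^[[:space:]]*$1[[:space:]]\{1,\}\"\([^\"]*\)\".*|\1|p" "$2" | head -n 1
}

# Work out where named will write managed-keys.bind and its .jnl journal,
# then test whether the current user can create files there.
# CHROOT (optional) is prepended, since paths in named.conf are relative
# to the chroot when named runs with -t.
# Returns 0 if writable, 1 if missing or not writable, 2 if no path found.
check_managed_keys_dir() {    # usage: check_managed_keys_dir NAMED_CONF [CHROOT]
    conf=$1
    root=${2:-}
    dir=$(conf_path managed-keys-directory "$conf")
    # Without managed-keys-directory, BIND uses its working directory,
    # i.e. the "directory" option.
    [ -n "$dir" ] || dir=$(conf_path directory "$conf")
    if [ -z "$dir" ]; then
        echo "no directory or managed-keys-directory in $conf" >&2
        return 2
    fi
    target=$root$dir
    if [ -d "$target" ] && [ -w "$target" ] && [ -x "$target" ]; then
        echo "OK: uid $(id -u) can write to $target"
        return 0
    fi
    echo "FAIL: $target is missing or not writable by uid $(id -u)" >&2
    return 1
}

if [ "$#" -gt 0 ]; then
    check_managed_keys_dir "$@"
fi
```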