> On 7 Mar 2018, at 3:48 am, Tony Finch <d...@dotat.at> wrote:
>
> Prof. Dr. Michael Schefczyk <mich...@schefczyk.net> wrote:
>>
>> The issue is that normal permissions in the key-directory are root:bind
>> 0644 for the public key and root:bind 0600 for the private key. The
>> issue disappears when setting the private key to 0644 also and that must
>> be done before starting bind - before using nsupdate is not enough.
>>
>> Do you know if these permissions are standard or a consequence of
>> starting DNSSEC via webmin?
>
> By default, `dnssec-keygen` creates private keys with perms 0600, so if
> you run it under a different user than `named`, you need to `chmod g+r`.
> You might also need to `chgrp`, but I put my keys in a g+s directory.
> This is somewhat tiresome. (If webmin has specific support for DNSSEC, I
> would expect it to `chmod` if necessary.)

Or chown as necessary. The user named is running under has to be able to read the files.

> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Rockall: Cyclonic 5 to 7, occasionally gale 8 later. Rough or very rough.
> Showers. Moderate or good.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
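
A check for the requirement discussed in this thread, as an added example that is not part of any poster's message: it reports `K*.private` files that the group `named` runs under cannot read, and also flags private keys that other local users can access. The function name `audit_dnssec_keys` and the 0640 target mode are assumptions of this example; the group (`bind` in the thread) is passed as an argument.

```shell
#!/bin/sh
# Added example: audit BIND DNSSEC private keys (K*.private) in a key directory.
# Usage: audit_dnssec_keys KEY_DIR NAMED_GROUP   (e.g. the thread's "bind")
# Prints one line per finding; returns 1 if any key needs fixing, else 0.
# Assumed target state: group NAMED_GROUP, mode 0640, no access for "other".
audit_dnssec_keys() {
    dir=$1 grp=$2 findings=0
    for key in "$dir"/K*.private; do
        [ -f "$key" ] || continue    # glob matched nothing
        # named can only load the key with group ownership plus group read.
        if [ -z "$(find "$key" -prune -group "$grp")" ]; then
            echo "$key: group is not $grp (chgrp $grp)"; findings=1
        fi
        if [ -z "$(find "$key" -prune -perm -040)" ]; then
            echo "$key: not group-readable (chmod g+r)"; findings=1
        fi
        # Any "other" bit lets every local account reach the signing key.
        if [ -n "$(find "$key" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            echo "$key: accessible to other users (chmod o-rwx)"; findings=1
        fi
    done
    # Informational only: a setgid (g+s) directory makes keys created later
    # by dnssec-keygen inherit the directory's group, so no chgrp is needed.
    if [ -z "$(find "$dir" -prune -perm -2000)" ]; then
        echo "$dir: not setgid, new keys will not inherit the directory group"
    fi
    return "$findings"
}

# Run as a script: sh audit.sh /path/to/keys bind
if [ "$#" -eq 2 ]; then
    audit_dnssec_keys "$1" "$2"
fi
```

Run it before starting `named`, since the thread notes that fixing permissions only before `nsupdate` is too late.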