Hi,

Also a few notes on it.

Dne 7.9.2018 v 04:05 Brent Swingle napsal(a):
> This matter has been resolved with input from Evan.  I was able to add a file 
> path for secroots to the named.conf file and push the output file to a temp 
> directory that was not permission restricted.
> 
> secroots-file "/tmp/named.secroots" ;
Instead, "/var/named/data/named.secroots" or maybe
"/run/named/named.secroots" should be used.

In Fedora, it should already have write access to the /var/named directory
itself, also from the daemon. That should already be in the update for supported releases.
> 
> 
> Ultimately when I ran "rndc secroots" it created the output file here:
> 
> /tmp/systemd-private-b2ebff459df9471e8bf444e2d2b1116e-named.service-HX1NF5/tmp/named.secroots
> 
> 
> The data in the file seems to be as desired if I understand the KSK Rollover 
> test correctly, I should see 20326 which pertains to the new key:
> 
> [root@ns3 tmp]# cat named.secroots
> 06-Sep-2018 18:47:16.190
> 
> Start view internal-in
> 
> ./RSASHA256/20326 ; managed
> ./RSASHA256/19036 ; managed
> dlv.isc.org/RSASHA1/19297 ; managed
> 
> Start view external-in
> 
> ./RSASHA256/20326 ; managed
> ./RSASHA256/19036 ; managed
> dlv.isc.org/RSASHA1/19297 ; managed
> 
> Start view external-chaos
> 
> dumpsecroots failed: not found
> 
> 
> 
> 
> I did not fully try Carl's input below but I believe it would have worked as 
> well.  I had performed a "chmod 770 /var/named" but I did not follow it up 
> with the SELinux modification.  The last error I had was SELinux barking so 
> I'd anticipate his suggestion was the correct one.
> 
> Does the 'named' user have write access to /var/named? The default
> redhat setup has /var/named as 0750, with /var/named/data as 0770. Also,
> the default redhat selinux config prevents named writing to /var/named.
> 
> chmod 770 /var/named
> setsebool -P named_write_master_zones=true
> rndc secroots

It should not be required on upcoming RHEL 7 versions.
named_write_master_zones would be turned on by default in the next minor
release. Also, permissions would be fixed to allow writing by default. It
would save us from replacing all paths in the config file to write into the
/var/named/data subdirectory. I hope it also reduces the confusion.
> 
> 
> 
> 
> Thanks everyone for assisting with this matter.
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
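The three failure modes the thread walks through (a `/tmp` path being redirected by systemd PrivateTmp, `/var/named` being 0750 root:named so the `named` group cannot write it, and the `named_write_master_zones` SELinux boolean being off for `/var/named`) can be checked before running `rndc secroots`. The following is an added example, not code from the thread or from BIND; the uid/gid, directory modes and SELinux rule below are constructed from the values quoted in the thread and are assumptions, not read from a live host.

```python
import os
import re

# Assumption: typical 'named' uid/gid on Fedora/RHEL; constructed for this example.
NAMED_UID, NAMED_GID = 25, 25

# Matches:  secroots-file "/tmp/named.secroots" ;
SECROOTS_RE = re.compile(r'^\s*secroots-file\s+"([^"]+)"\s*;', re.MULTILINE)

def secroots_path(named_conf_text, default="named.secroots"):
    """Return the secroots-file path set in named.conf, or BIND's default name."""
    m = SECROOTS_RE.search(named_conf_text)
    return m.group(1) if m else default

def dir_writable_by(mode, uid, gid, by_uid, by_gid):
    """Classic owner/group/other check: creating a file needs w and x on the dir."""
    if uid == by_uid:
        bits = (mode >> 6) & 0o7
    elif gid == by_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o3 == 0o3          # 0o2 = write, 0o1 = search/execute

def assess_secroots(path, dir_table, named_write_master_zones, private_tmp=True):
    """List reasons `rndc secroots` output would be blocked or relocated.

    dir_table maps directory -> (mode, owner_uid, owner_gid), i.e. what `stat`
    would report; private_tmp says whether named.service runs with PrivateTmp.
    """
    d = os.path.dirname(path) or "."
    findings = []
    if private_tmp and (d == "/tmp" or d.startswith("/tmp/")):
        findings.append("PrivateTmp: file lands under /tmp/systemd-private-*-named.service-*/tmp")
    if d not in dir_table:
        findings.append(f"unknown directory {d}")
        return findings
    mode, uid, gid = dir_table[d]
    if not dir_writable_by(mode, uid, gid, NAMED_UID, NAMED_GID):
        findings.append(f"{d} mode {mode:04o} not writable by named")
    # Per the thread: the boolean gates writes to /var/named itself, while the
    # data subdirectory is already writable (assumption modelled from the thread).
    if d == "/var/named" and not named_write_master_zones:
        findings.append("SELinux boolean named_write_master_zones is off")
    return findings

# Constructed sample: the Red Hat defaults quoted in the thread.
DEFAULT_DIRS = {
    "/var/named": (0o750, 0, NAMED_GID),
    "/var/named/data": (0o770, NAMED_UID, NAMED_GID),
    "/tmp": (0o1777, 0, 0),
}
```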