In addition to what Matthijs said, please make sure that all path components in /data/chroot/named/keys/dnssec/example.com/ have the correct permissions; this is easy to get wrong. I've been burnt by this too many times.
The easiest way to test is to switch to the user that named runs under, try changing to the directory, and check whether you can access the files.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 14. 10. 2022, at 16:17, PGNet Dev <pgnet....@gmail.com> wrote:
>
> hi
>
>> Think ownership, permission and things like SELinux, AppArmor depending on
>> your OS.
>
> on this box, no SELinux or AppArmor
>
> in my named.conf
>
>     directory "/namedb/production";
>
> and for my domain's dnssec
>
>     key-directory "/keys/dnssec/example.com";
>
> pathnames are relative to chroot.
>
> here, chroot is @ "/data/chroot/named",
>
>     ps aux | grep named
>     named 14285 0.0 0.2 526388 67360 ? Ssl 08:47 0:00 /usr/sbin/named -f -t /data/chroot/named -n 2 -S 1024 -u named -c /etc/named.conf
>
> checking,
>
>     ls -al \
>         /data/chroot/named/namedb/production \
>         /data/chroot/named/keys/dnssec/example.com/
>
> access looks ok (?)
>
>     /data/chroot/named/keys/dnssec/example.com/:
>     total 32K
>     drwxr-xr-x 2 named named 4.0K Oct 12 18:09 ./
>     drwxr-xr-x 5 named named 4.0K Oct 14 00:22 ../
>     -rw-r----- 1 named named 405 Oct 13 19:14 Kexample.com.+013+17296.key
>     -rw-r----- 1 named named 215 Oct 13 19:14 Kexample.com.+013+17296.private
>     -rw-r----- 1 named named 572 Oct 13 19:14 Kexample.com.+013+17296.state
>     -rw-r----- 1 named named 455 Oct 13 19:14 Kexample.com.+013+62137.key
>     -rw-r----- 1 named named 235 Oct 13 19:14 Kexample.com.+013+62137.private
>     -rw-r----- 1 named named 556 Oct 13 19:14 Kexample.com.+013+62137.state
>
>     /data/chroot/named/namedb/production:
>     total 16K
>     drwxrwxr-x 2 named named 4.0K Oct 14 08:47 ./
>     drwxr-xr-x 5 named named 4.0K Oct 14 08:47 ../
>     -rw------- 1 named named 8.0K Oct 14 08:47 external.nzd
>     -rw-r----- 1 named named 0 Oct 14 08:47 managed-keys.bind
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
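The per-component check described in the reply above, as an added example that is not part of the original thread or of BIND: a script that walks a path one component at a time and reports the first one an account cannot search or read. The function names are hypothetical, GNU coreutils `stat -c` is assumed, and only owner/group/other mode bits are evaluated (no ACLs, SELinux or AppArmor).

```shell
#!/bin/sh
# Added example: find the first path component an account cannot use.
# Judges by owner/group/other mode bits only; ACLs and LSMs are not considered.
# Assumes GNU coreutils stat (-c). Function names are hypothetical.

# applicable_bits UID "GID..." PATH -> prints the rwx digit (0-7) that applies
applicable_bits() {
    ab_mode=$(stat -c '%a' -- "$3" 2>/dev/null) || return 2
    ab_owner=$(stat -c '%u' -- "$3")
    ab_group=$(stat -c '%g' -- "$3")
    ab_mode=$(( 0$ab_mode ))                      # stat prints octal digits
    if [ "$1" -eq 0 ]; then echo 7; return 0; fi  # root bypasses r/x checks
    if [ "$1" -eq "$ab_owner" ]; then echo $(( (ab_mode >> 6) & 7 )); return 0; fi
    for ab_g in $2; do
        if [ "$ab_g" -eq "$ab_group" ]; then echo $(( (ab_mode >> 3) & 7 )); return 0; fi
    done
    echo $(( ab_mode & 7 ))
}

# first_blocked UID "GID..." START RELPATH
# Checks START, then every component of RELPATH below it. Directories need
# search (x); the last component also needs read (r). Prints the first
# failing path and returns 1, or prints nothing and returns 0.
first_blocked() {
    fb_cur=$3
    fb_rest=${4#/}
    while :; do
        fb_bits=$(applicable_bits "$1" "$2" "$fb_cur") || { echo "$fb_cur (cannot stat)"; return 1; }
        fb_need=0
        if [ -d "$fb_cur" ]; then fb_need=1; fi
        if [ -z "$fb_rest" ]; then fb_need=$(( fb_need | 4 )); fi
        if [ $(( fb_bits & fb_need )) -ne "$fb_need" ]; then echo "$fb_cur"; return 1; fi
        if [ -z "$fb_rest" ]; then return 0; fi
        fb_cur=${fb_cur%/}/${fb_rest%%/*}
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/} ;;
            *)   fb_rest= ;;
        esac
    done
}

# CLI: script ACCOUNT START RELPATH, e.g.
#   sh check.sh named /data/chroot/named keys/dnssec/example.com
if [ "$#" -eq 3 ]; then
    first_blocked "$(id -u "$1")" "$(id -G "$1")" "$2" "$3"
fi
```

A clean result here only rules out classic mode-bit problems; actually switching to the account and reading the files, as suggested in the reply, also exercises ACLs and any mandatory access control in place.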