On Tue, 11 Nov 2008, Don Jackson wrote:

> Today I began testing named on a freshly installed OpenBSD 4.4 amd64
> machine, using my old named.conf file from 4.3 (which was still running
> named version 9.4.2)
> 
> When the machine first boots after the install, /etc/rc determines there is
> no rndc.key, and generates one:
> 
> rndc-confgen: generating new shared secret... done.
> starting named
> 
> 
> Here are the owner, group, and file modes of the two different copies of
> rndc.key that are generated:
> 
> # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
> -rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
> -rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key
> 
> 
> named only cares about the rndc.key in /var/named/etc

Right.  But later, rndc will use the /etc version.  So you need
both, and the permissions you show are sane ones.

> Looking at the logs: /var/log/daemon, one can see:
> 
> Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
> Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied
> 
> Here is my workaround:
> 
> # chown root:named /var/named/etc/rndc.key
> # ls -lAF /var/named/etc/rndc.key
> -rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key
> 
> 
> Should /etc/rc set the group ownership of /var/named/etc/rndc.key?
> 
> Comments?

I think rndc.key should pick up the named group from the ownerships
and permissions on /var/named/etc. 

/var/named/etc should be owned by root.named and have permissions 750.

I bet your /var/named/etc is owned by root.wheel.

Dave
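A small audit script for the ownership and modes the thread settles on, added here as an example (not from the list or from OpenBSD's /etc/rc). It assumes the three paths above, that named reads the key from inside its /var/named chroot as the named group, and that stat(1) is either the BSD or the GNU flavour:

```shell
#!/bin/sh
# Added example, not from the thread: audit owner, group and mode of the
# files discussed above. Expected values are the ones Dave and Don arrive at:
#   /var/named/etc           root:named 750   (chroot config directory)
#   /var/named/etc/rndc.key  root:named 640   (read by the chrooted named)
#   /etc/rndc.key            root:wheel 600   (read by rndc, run as root)
# Usage: audit_named_chroot; echo "mismatches: $?"

# Pick the stat(1) flavour once: BSD stat takes -f FORMAT, GNU stat takes -c.
if stat -f '%Lp' / >/dev/null 2>&1; then
    STAT_FLAVOR=bsd
else
    STAT_FLAVOR=gnu
fi

# Print "owner:group:octal-mode" for a path.
file_ids() {
    if [ "$STAT_FLAVOR" = bsd ]; then
        stat -f '%Su:%Sg:%Lp' "$1"
    else
        stat -c '%U:%G:%a' "$1"
    fi
}

# Return 0 when PATH is exactly OWNER:GROUP:MODE; otherwise report the
# mismatch on stderr and return 1.
check_perms() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        echo "$path: missing" >&2
        return 1
    fi
    have=$(file_ids "$path")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "$path: have $have, want $want" >&2
    return 1
}

# Run all three checks; the return value is the number of mismatches. A key
# the named group cannot read is what produced the "permission denied" lines
# in Don's /var/log/daemon.
audit_named_chroot() {
    fails=0
    check_perms /var/named/etc          root:named:750 || fails=$((fails + 1))
    check_perms /var/named/etc/rndc.key root:named:640 || fails=$((fails + 1))
    check_perms /etc/rndc.key           root:wheel:600 || fails=$((fails + 1))
    return "$fails"
}
```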
