Re: DNSSEC and nsupdate

2018-03-06 Thread Mark Andrews
> On 7 Mar 2018, at 3:48 am, Tony Finch wrote:
>
> Prof. Dr. Michael Schefczyk wrote:
>>
>> The issue is that normal permissions in the key-directory are root:bind
>> 0644 for the public key and root:bind 0600 for the private key. The
>> issue disappears when setting the private key to 0644 al

Re: AW: DNSSEC and nsupdate

2018-03-06 Thread Tony Finch
Prof. Dr. Michael Schefczyk wrote:
>
> The issue is that normal permissions in the key-directory are root:bind
> 0644 for the public key and root:bind 0600 for the private key. The
> issue disappears when setting the private key to 0644 also and that must
> be done before starting bind - before us

AW: DNSSEC and nsupdate

2018-03-03 Thread Prof. Dr. Michael Schefczyk
: DNSSEC and nsupdate Setting the permissions of a *private* key to 0644 sounds like a bad idea. Maybe you mean 0640?
On Fri, 2 Mar 2018 23:28:28 + "Prof. Dr. Michael Schefczyk" wrote:
> Dear Mark,
>
> I did get the issue resolved while setting up a test environment.
>

Re: DNSSEC and nsupdate

2018-03-02 Thread Paul Kosinski
.com.hosts";
> update-policy { grant nsupdate zonesub TXT; };
> key-directory "/var/lib/bind";
> auto-dnssec maintain;
> };
>
> Regards,
>
> Michael Schefczyk
>
> -Original Message-
> From: Mark Andrews [mailto:ma...@is

AW: DNSSEC and nsupdate

2018-03-02 Thread Prof. Dr. Michael Schefczyk
key-directory "/var/lib/bind";
auto-dnssec maintain;
};
Regards,
Michael Schefczyk
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Monday, 26 February 2018 01:57
To: Prof. Dr. Michael Schefczyk
Cc: bind-users@lists.isc.org
Be

Re: DNSSEC and nsupdate

2018-02-25 Thread Mark Andrews
> On 26 Feb 2018, at 8:12 am, Prof. Dr. Michael Schefczyk
> wrote:
>
> Dear Mark,
>
> Thank you very much! No, chroot is not involved. Package debootstrap
> (required for chroot as far as I understand) is not even installed.
>
> It would be great to understand, what the error message:
>
> w

AW: DNSSEC and nsupdate

2018-02-25 Thread Prof. Dr. Michael Schefczyk
Dear Mark, Thank you very much! No, chroot is not involved. Package debootstrap (required for chroot as far as I understand) is not even installed. It would be great to understand, what the error message: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/41

Re: DNSSEC and nsupdate

2018-02-24 Thread Mark Andrews
Are you running chrooted? Did you make the keys visible in the chroot area?
> On 25 Feb 2018, at 2:37 am, Prof. Dr. Michael Schefczyk
> wrote:
>
> Dear All,
>
> For a long time already, I am using a bind master DNS server based on Debian
> set up via webmin. It is currently Debian Stretch wi

DNSSEC and nsupdate

2018-02-24 Thread Prof. Dr. Michael Schefczyk
Dear All, For a long time already, I am using a bind master DNS server based on Debian set up via webmin. It is currently Debian Stretch with bind 9.10. I am using DNSSEC. The webmin setup leads to all keys being stored in /var/lib/bind. The naming scheme is K[fqdn]+number+keyid.key or .priva