[arch-general] Bind - working directory not writeable issue - a possible fix?

Frédéric Perrin frederic.perrin at resel.fr
Sat Feb 9 09:58:21 EST 2013


Hello Mike,

Le samedi 9 à 12:01, Mike Cloaked a écrit :
> So doing:
>
> [root at lapmike3 ~]# chmod 770 /var/named
>
> But the question is whether or not this is a good thing to do? Does
> anyone know if there are any bad consequences to resolving this
> problem by changing the permissions of /var/named as I have done
> above? If this is a good solution shouldn't that permission be set
> that way when the bind package (bind 9.9.2.P1-1) is initially
> installed, so that it does not then need changing after the install?

I'm not familiar with Arch's bind installation, but if /var/named
contains anything not generated by bind as part of its operation you
probably don't want to do that. The only reference to the necessity of a
writable directory I've found is in chapter 6 of the Admin Manual :

> The managed-keys statement, like trusted-keys, defines DNSSEC security
> roots. The difference is that managed-keys can be kept up to date
> automatically, without intervention from the resolver operator.
> ...
> So, whenever named is using automatic key maintenance, those two files
> [managed-keys.bind and managed-keys.bind.jnl] can be expected to exist
> in the working directory. (For this reason among others, the working
> directory should always be writable by named.)

I've not found those "amongst others".

For the record, under FreeBSD that I'm more familiar with, the default
config file contains:

options {
        directory       "/etc/namedb/working";
        // more options...
};

http://svnweb.freebsd.org/base?view=revision&revision=200563

And /etc/namedb/working belongs to user bind, is 0755 and empty until
named writes its key files. Note that with an explicit directory
option, you will want to have fully-qualified paths for the other
directives that specify paths.

-- 
Fred
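The layout described in the message (a dedicated working directory owned by the bind user, with the configuration kept somewhere named cannot write, and absolute paths once "directory" is set) can be checked with a small script. This is an added example, not code from the thread, from Arch or from BIND; it assumes GNU or busybox stat (-c), that the "directory" option names named's working directory, and that the uid named runs as is passed as the second argument.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: audit the
# working-directory layout of a named.conf. Assumptions: the "directory"
# option names named's working directory, named runs as the numeric uid
# passed as the second argument, and GNU/busybox stat (-c) is available.

# Print the value of the "directory" option (empty if unset).
named_workdir() {
    sed -n 's/.*[[:space:]]directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print zone "file" paths that are not absolute. Once "directory" is set
# explicitly they resolve under the working directory, which is rarely
# where the zone files really live.
named_relative_files() {
    sed -n 's/.*[[:space:]]file[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | grep -v '^/' || true
}

# Owner/group/other write bit of a path as "w" or "-" (column 3, 6 or 9
# of the ls-style mode string).
write_bit() {
    stat -c %A "$1" | cut -c"$2"
}

# Return 0 when the working directory is owned by uid $2 and owner-writable,
# and the directory holding $1 (named.conf) is writable neither by uid $2
# nor by group/other. Relative zone file paths are reported but do not fail.
named_audit() {
    conf=$1; uid=$2
    workdir=$(named_workdir "$conf")
    [ -n "$workdir" ] || { echo "audit: no directory option in $conf"; return 1; }
    if [ "$(stat -c %u "$workdir")" != "$uid" ] || [ "$(write_bit "$workdir" 3)" != w ]; then
        echo "audit: $workdir must be owned by uid $uid and owner-writable"
        return 1
    fi
    confdir=$(dirname "$conf")
    if [ "$(write_bit "$confdir" 6)" = w ] || [ "$(write_bit "$confdir" 9)" = w ] ||
       { [ "$(stat -c %u "$confdir")" = "$uid" ] && [ "$(write_bit "$confdir" 3)" = w ]; }; then
        echo "audit: $confdir is writable by uid $uid; keep the config out of the working directory"
        return 1
    fi
    named_relative_files "$conf" | sed 's/^/audit: relative zone file path: /'
    return 0
}
```

Run it as `named_audit /etc/named.conf "$(id -u named)"` on Arch (or with the bind user on FreeBSD); a non-zero exit means either the working directory is not writable by named or the config directory is.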
