I ran dnssec-settime from bind 9.9.0rc2 today to change the metadata on two of my ZSKs. Before running dnssec-settime, using one of these keys as an example, the file permissions were:

-rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw-r----- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private

Afterwards the permissions on the private key were changed by dnssec-settime to:

-rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw------- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private

Now the private key is inaccessible to the named process, which is running as user bind. User bind is a member of group bind.

What do you recommend as a best practice? I could do "chmod 640" on any private keys modified by dnssec-settime to fix this, or I could probably do "chown bind:bind" on all the keys and not have to worry about it. Aside from this, is the permissions change made by dnssec-settime a feature or a bug?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
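
A check for the condition described in this message, added here as an example and not part of the original post or of BIND: it reports each K*.private file in a key directory as OK, UNREADABLE (no group read bit, the state left after dnssec-settime) or EXPOSED (any access for others). The function names are hypothetical, and it assumes named reads the keys through group membership, as in the root:bind layout above.

```shell
#!/bin/sh
# Audit DNSSEC private key file modes in a key directory.
# Assumption: the files are owned by another user (e.g. root) and named
# reads them through its group, so the group read bit must be set.

# bit_set FILE OCTAL: true if every bit in OCTAL is set in FILE's mode.
bit_set() {
    [ -n "$(find "$1" -prune -perm "-$2")" ]
}

# key_state FILE: print EXPOSED, OK or UNREADABLE for one private key file.
key_state() {
    if bit_set "$1" 004 || bit_set "$1" 002 || bit_set "$1" 001; then
        echo EXPOSED        # others have some access to the private key
    elif bit_set "$1" 040; then
        echo OK             # group can read, others cannot (e.g. 640)
    else
        echo UNREADABLE     # group read bit missing (e.g. 600)
    fi
}

# audit_key_dir DIR: report every K*.private file in DIR.
# Returns 0 only if all of them are in the OK state.
audit_key_dir() {
    status=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        printf '%s %s\n' "$state" "$f"
        [ "$state" = OK ] || status=1
    done
    return $status
}

# Stand-alone use: sh audit_keys.sh /path/to/keys
if [ "$#" -gt 0 ]; then
    audit_key_dir "$1"
fi
```

Run after any dnssec-settime invocation, a non-zero exit status signals that at least one private key needs its mode reviewed before named next loads it.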