>> Now the private key is inaccessible to the named process, which is
>> running as user bind. User bind is a member of group bind.
>
> Any time a private key file is rewritten, the mode is changed to 600.
> There's no rule that it has to be owned by root, though; could you just chown
> it to user bind?

>> Aside from this, is the permissions change made by dnssec-settime a
>> feature or a bug?
>
> I consider it a feature, though opinions may vary.

After a more careful review of Bv9ARM.pdf, this behavior is documented on p. 150 in the "Description" section of dnssec-settime: "The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600)."

In light of some of the other responses to your post, perhaps it would be useful to give this statement greater emphasis typographically in the ARM, e.g. a "Note" box. You might also consider adding the following statement: "We therefore recommend that the owner of all key files be set using the <command>chown</command> utility to the same UID as that under which the named process is running (see <command>named -u</command> in section B.11)."

This issue also merits a comment in section 7.2.2 "Using the setuid Function" on page 116. A second and third sentence might read: "Use the <command>chown</command> utility to set the user id of all DNSSEC key files, as these must be readable by <acronym>BIND</acronym>. Note that the mode of private key files will be set to 0600 by <command>dnssec-settime</command> (section B.7)."

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
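The practical consequence of the thread above is a two-part check: every K*.private file must be owned by the user named runs as (named -u), and its mode will be 0600 after dnssec-settime, so group membership does not help. The following shell functions are an added example written for this page, not code from the post, the ARM or ISC; the key directory path, the user name and the file names in the comments are assumptions, and fix_dnssec_keys needs root because it calls chown.

```shell
#!/bin/sh
# audit_dnssec_keys KEYDIR USER
# Hypothetical helper: report every private key file under KEYDIR that the
# named process running as USER could not read, either because USER does not
# own it or because its mode is not the 0600 that dnssec-settime enforces.
# Returns the number of offending files (0 means named can read all of them).
audit_dnssec_keys() {
    keydir=$1
    user=$2
    bad=0
    for f in $(find "$keydir" -name 'K*.private' -type f); do
        # Owner check: with mode 0600 only the owner can read the file, so
        # the owner must be the named user (group membership is irrelevant).
        if [ -z "$(find "$f" -user "$user" 2>/dev/null)" ]; then
            echo "owner is not $user: $f"
            bad=$((bad + 1))
            continue
        fi
        # Mode check: dnssec-settime resets private keys to 0600 on every
        # rewrite, so a looser mode is only ever a temporary hand edit.
        if [ -z "$(find "$f" -perm 0600)" ]; then
            echo "mode is not 0600: $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# fix_dnssec_keys KEYDIR USER
# Applies the recommendation from the post: chown every private key file to
# the named user and normalise the mode to 0600 (requires root for chown).
fix_dnssec_keys() {
    keydir=$1
    user=$2
    find "$keydir" -name 'K*.private' -type f \
        -exec chown "$user" {} \; -exec chmod 0600 {} \;
}

# Example invocation (assumed paths): audit, then fix as root.
#   audit_dnssec_keys /var/named/keys bind || sudo sh -c '. ./keys.sh; fix_dnssec_keys /var/named/keys bind'
```

The audit deliberately stops at the owner check for a file with the wrong owner, since chowning it is the fix regardless of its mode; run it after every dnssec-keygen or dnssec-settime invocation made as root, which is when a key file silently ends up owned by root.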