Re: [BIND] RE: KSK Rollover
This matter has been resolved with input from Evan. I was able to add a file path for secroots to the named.conf file and push the output file to a temp directory that was not permission restricted.

secroots-file "/tmp/named.secroots" ;

Ultimately when I ran "rndc secroots" it created the output file here:

/tmp/systemd-private-b2ebff459df9471e8bf444e2d2b1116e-named.service-HX1NF5/tmp/named.secroots

The data in the file seems to be as desired. If I understand the KSK Rollover test correctly, I should see 20326, which pertains to the new key:

[root@ns3 tmp]# cat named.secroots
06-Sep-2018 18:47:16.190
Start view internal-in
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed
Start view external-in
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed
Start view external-chaos
dumpsecroots failed: not found

I did not fully try Carl's input below but I believe it would have worked as well. I had performed a "chmod 770 /var/named" but I did not follow it up with the SELinux modification. The last error I had was SELinux barking so I'd anticipate his suggestion was the correct one.

> Does the 'named' user have write access to /var/named? The default redhat setup has /var/named as 0750, with /var/named/data as 0770.
> Also, the default redhat selinux config prevents named writing to /var/named.
>
> chmod 770 /var/named
> setsebool -P named_write_master_zones=true
> rndc secroots

Thanks everyone for assisting with this matter.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: [BIND] RE: KSK Rollover
I moved the file from /etc to /var/named and now I get an additional error line printed in /var/log/messages.

Sep 6 15:44:40 ns3 named[15443]: received control channel command 'secroots'
Sep 6 15:44:40 ns3 named[15443]: could not open secroots dump file 'named.secroots': permission denied
Sep 6 15:44:40 ns3 named[15443]: dumpsecroots failed: permission denied
Sep 6 15:44:40 ns3 audit: { write } for pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

This error also appears in the audit.log file and a search is pointing to SELinux as the hangup. Any pointers on dealing with SELinux would be appreciated.

type=AVC msg=audit(1536266680.663:75671): avc: denied { write } for pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

I left all of the permissions the same and I think they should be lenient enough:

[root@ns3 named]# ls -lh named.secroots
-rw-rw-rw-. 1 named named 0 Sep 6 13:52 named.secroots

-Original Message-
From: Hugo Salgado-Hernández [mailto:hsalg...@nic.cl]
Sent: Thursday, September 06, 2018 3:39 PM
To: Brent Swingle
Cc: Evan Hunt ; bind-users@lists.isc.org
Subject: Re: [BIND] RE: KSK Rollover

Hi Brent.
In our CentOS box, the named.secroots file is written on /var/named/
You should check permissions there too.

Hugo

On 20:32 06/09, Brent Swingle wrote:
> Evan,
>
> I ran the command and followed the directions to build out rndc as you have suggested. However, I am not sure that it made much of a difference. I should have been a little clearer from the beginning. I had worked with rndc to issue other commands and had received what appeared to be valid responses as if rndc was functional. I had somewhat assumed that rndc was baked in behind the scenes and ready to go. Either way it has a rndc.conf and is specified in named.conf at this point.
>
> I have two of these servers that are identical from an SW perspective. As a test, I issued "rndc secroots" on the server that I have modified to configure rndc and observed the following lines appear in the /var/log/messages file. When I issued "rndc secroots" from the non-modified file I get the same 3 lines. It acts like the process is running but it is unable to write output to the named.secroots file.
>
> Sep 6 14:33:13 ns2 named[31189]: received control channel command 'secroots'
> Sep 6 14:33:13 ns2 named[31189]: could not open secroots dump file 'named.secroots': permission denied
> Sep 6 14:33:13 ns2 named[31189]: dumpsecroots failed: permission denied
>
> As a test, I manually created named.secroots with weakened permissions to see if that made a difference but it still won't print output to it.
>
> [root@ns3 etc]# ls -lh named.secroots
> -rw-rw-rw-. 1 named named 0 Sep 6 13:52 named.secroots
>
> -Original Message-
> From: Evan Hunt [mailto:e...@isc.org]
> Sent: Thursday, September 06, 2018 1:22 PM
> To: Brent Swingle
> Cc: bind-users@lists.isc.org
> Subject: Re: KSK Rollover
>
> On Thu, Sep 06, 2018 at 05:34:21PM +, Brent Swingle wrote:
> > This is the command that does not work and the output received:
> > [root@ns2 ~]# rndc secroots
> > rndc: 'secroots' failed: permission denied
> > [root@ns2 ~]#
>
> Have you set up your server to accept rndc commands?
>
> If not, run "rndc-confgen" and follow the directions.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
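Two things in this thread are worth checking mechanically rather than by eye: whether the secroots dump shows the new root KSK (key tag 20326) in every validating view, and what an SELinux AVC denial like the one above is actually saying. The following is an added example, not code from the thread, from ISC or from BIND. It parses a named.secroots dump in the format Brent posted and reports per-view rollover readiness, and it pulls the fields out of an audit.log AVC line so the source type, target type and object class can be read off directly. The sample dump and audit line are constructed copies of the ones quoted in this thread; NEW_ROOT_KSK_TAG and OLD_ROOT_KSK_TAG are names chosen here for the 2017 and 2010 root KSKs.

```python
"""Added example (not from the thread, ISC or BIND): read a `rndc secroots`
dump and an SELinux AVC denial line. Sample inputs are constructed from the
messages quoted in this thread."""
import re
from collections import OrderedDict

NEW_ROOT_KSK_TAG = 20326   # KSK-2017, the key the rollover switches to (tag seen in the dump)
OLD_ROOT_KSK_TAG = 19036   # KSK-2010, the key being retired

# Constructed copy of the named.secroots dump Brent posted.
SAMPLE_SECROOTS = """\
06-Sep-2018 18:47:16.190
Start view internal-in
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed
Start view external-in
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; managed
Start view external-chaos
dumpsecroots failed: not found
"""

# Constructed copy of the AVC line from audit.log in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1536266680.663:75671): avc: denied { write } for pid=15447 '
    'comm="named" name="named.secroots" dev="dm-0" ino=135707451 '
    'scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 '
    'tclass=file permissive=0'
)

# One trust-anchor line: <owner>/<algorithm>/<key tag> ; <managed|static>
ANCHOR_RE = re.compile(r"^(?P<name>\S+?)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+)\s*;\s*(?P<kind>\w+)")


def parse_secroots(text):
    """Map each view name to its anchors as (owner, algorithm, key_tag, kind) tuples.
    Lines that are neither a 'Start view' header nor an anchor (the timestamp,
    error text) are ignored, so the dump can be fed in exactly as `cat` prints it."""
    views = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Start view "):
            current = line[len("Start view "):]
            views[current] = []
            continue
        m = ANCHOR_RE.match(line)
        if m and current is not None:
            views[current].append((m["name"], m["alg"], int(m["tag"]), m["kind"]))
    return views


def rollover_readiness(views):
    """Per view: True if KSK-2017 is an anchor for the root ("."), False if the view
    validates but lacks it, None if the view has no anchors at all (such as a
    CHAOS-class view), which means there is nothing for the rollover to break."""
    result = {}
    for view, anchors in views.items():
        if not anchors:
            result[view] = None
        else:
            result[view] = any(owner == "." and tag == NEW_ROOT_KSK_TAG
                               for owner, _, tag, _ in anchors)
    return result


AVC_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
AVC_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus the denied permissions,
    or None if the line is not a denial."""
    m = AVC_DENIED_RE.search(line)
    if m is None:
        return None
    fields = {key: value.strip('"') for key, value in AVC_KV_RE.findall(line)}
    fields["denied"] = m["perms"].split()
    return fields


def avc_summary(fields):
    """(source type, target type, object class), e.g. ('named_t', 'etc_t', 'file');
    the SELinux type is the third colon-separated field of a context."""
    return (fields["scontext"].split(":")[2],
            fields["tcontext"].split(":")[2],
            fields["tclass"])


if __name__ == "__main__":
    for view, ready in rollover_readiness(parse_secroots(SAMPLE_SECROOTS)).items():
        state = {True: "has KSK-2017", False: "MISSING KSK-2017", None: "no anchors"}[ready]
        print(f"{view}: {state}")
    print(avc_summary(parse_avc(SAMPLE_AVC)))
```

Run against the constructed inputs, both validating views report the new key and the chaos view reports no anchors. The AVC summary for the audit line is ('named_t', 'etc_t', 'file'): named, confined as named_t, was refused write access to a file still labelled etc_t, which is the label the file carried with it when it was moved from /etc. That matches Carl's diagnosis of SELinux rather than file mode being the blocker, and explains why the 0666 mode in the ls output made no difference.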
RE: KSK Rollover
Evan,

I ran the command and followed the directions to build out rndc as you have suggested. However, I am not sure that it made much of a difference. I should have been a little clearer from the beginning. I had worked with rndc to issue other commands and had received what appeared to be valid responses as if rndc was functional. I had somewhat assumed that rndc was baked in behind the scenes and ready to go. Either way it has a rndc.conf and is specified in named.conf at this point.

I have two of these servers that are identical from an SW perspective. As a test, I issued "rndc secroots" on the server that I have modified to configure rndc and observed the following lines appear in the /var/log/messages file. When I issued "rndc secroots" from the non-modified file I get the same 3 lines. It acts like the process is running but it is unable to write output to the named.secroots file.

Sep 6 14:33:13 ns2 named[31189]: received control channel command 'secroots'
Sep 6 14:33:13 ns2 named[31189]: could not open secroots dump file 'named.secroots': permission denied
Sep 6 14:33:13 ns2 named[31189]: dumpsecroots failed: permission denied

As a test, I manually created named.secroots with weakened permissions to see if that made a difference but it still won't print output to it.

[root@ns3 etc]# ls -lh named.secroots
-rw-rw-rw-. 1 named named 0 Sep 6 13:52 named.secroots

-Original Message-
From: Evan Hunt [mailto:e...@isc.org]
Sent: Thursday, September 06, 2018 1:22 PM
To: Brent Swingle
Cc: bind-users@lists.isc.org
Subject: Re: KSK Rollover

On Thu, Sep 06, 2018 at 05:34:21PM +, Brent Swingle wrote:
> This is the command that does not work and the output received:
> [root@ns2 ~]# rndc secroots
> rndc: 'secroots' failed: permission denied
> [root@ns2 ~]#

Have you set up your server to accept rndc commands?

If not, run "rndc-confgen" and follow the directions.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
KSK Rollover
I recently received an email indicating that our DNS servers are not properly equipped for the planned KSK Rollover that is coming. It leads off with this line: "On 11 October 2018, ICANN will change or "roll over" the DNSSEC key signing key (KSK) of the DNS root zone." Reading through the email there are links on how to check our server setup and make adjustments. My specific question to the group is in regards to one of the steps outlined for checking the current configuration.

This is the link that outlines the server test steps:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors

This is the command that does not work and the output received:

[root@ns2 ~]# rndc secroots
rndc: 'secroots' failed: permission denied
[root@ns2 ~]#

These are the versions that I am running:

[root@ns2 ~]# named -v
BIND 9.10.2-P4-RedHat-9.10.2-5.P4.fc22

Might anyone be able to tell me what adjustment I would need to make in order for this command to work properly so I can look at the output file and verify my config?

Thanks,