managed-keys-zone ./IN: loading from master file managed-keys.bind failed:
file not found
managed-keys.bind.jnl: create: permission denied
managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error
Except for the directories where bind needs to write
while running, I thought the rest of the tree was owned by root.
managed-keys.bind seems to be at the very top of the tree in
/var/named. Since that is owned by root, I can understand why
named running as bind won't write to it. That is obviously not
right, so who does own directories not owned by bind? This is on
a test box so nothing terrible is happening right now, but we
are preparing for dnssec so now is the time to get everything as
it will be on the production system when the time comes.
Is there, by chance, a "make it good" script where it
just chown's everything to the proper directories? That would be
very helpful.
Martin McCormick
You can override the location of the file with the "managed-keys-directory"
option (added in 9.7.1).
> Is there, by chance, a "make it good" script where it
> just chown's everything to the proper directories? That would be
> very helpful.
...that's an interesting idea. Thanks.
--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.
I received a response from a kind soul from this list
who reminded me of a directive new to bind9.7.1 that lets you
determine where the managed-keys.bind file lives. I set up
managed-keys-directory "/etc/namedb/working";
and all is now well with that zone. This appears to be a logical
place for the file and there is nothing else in that directory
which is already under bind ownership.
I also asked:
> Is there, by chance, a "make it good" script where it
> just chown's everything to the proper directories? That would be
> very helpful.
It would be helpful, but as I did a find on /var/named
and looked for everything owned by user bind, I realized that
there really isn't all that much to do. The whole tree can be
owned by root, but anything that must be written by bind must be
owned by bind, and it will sure tell you if it tries to write to
a directory owned by any other user such as root. So sometimes
it is good just to look at the big picture and see that it is
not difficult.
Martin
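The audit form of the "make it good" script discussed in this thread, as an added example that is not code from the thread, from ISC or from BIND: it reads the `directory` and `managed-keys-directory` options out of a named.conf, falls back to the working directory when `managed-keys-directory` is unset (the pre-9.7.1 behaviour that produced the errors at the top of the thread), and reports which of those directories are not owned by the named user instead of chowning anything. The config file path and the user name are assumed to be passed as arguments; the demo at the bottom builds a constructed layout in a temporary directory rather than touching /var/named or /etc/namedb.

```shell
#!/bin/sh
# Audit the directories named must write to (managed-keys.bind and its
# .jnl journal live in managed-keys-directory, or in the working directory
# when that option is unset). Reports, does not fix.

# Print the quoted value of a named.conf option, e.g. directory "/var/named";
named_conf_option() {
    # $1 = config file, $2 = option name (anchored, so "directory" does not
    # match the "managed-keys-directory" line)
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | head -n 1
}

# Numeric owner of a path; GNU stat first, BSD stat as fallback
path_owner_uid() {
    if stat -c '%u' "$1" >/dev/null 2>&1; then
        stat -c '%u' "$1"
    else
        stat -f '%u' "$1"
    fi
}

# Check that a directory exists and is owned by the named user.
# Returns 0 when it is, 1 otherwise; always prints one report line.
check_writable_dir() {
    dir=$1; user=$2; label=$3
    want=$(id -u "$user" 2>/dev/null)
    if [ -z "$want" ]; then
        echo "ERROR    no such user: $user"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING  $label: $dir"
        return 1
    fi
    have=$(path_owner_uid "$dir")
    if [ "$have" = "$want" ]; then
        echo "OK       $label: $dir (owned by uid $have)"
        return 0
    fi
    echo "FIX      $label: $dir owned by uid $have, expected $user (chown $user '$dir')"
    return 1
}

# Audit every directory named needs to write, given a config and a user.
# Returns 0 only when all of them are owned by that user.
audit_named_dirs() {
    conf=$1; user=$2; rc=0
    workdir=$(named_conf_option "$conf" directory)
    keydir=$(named_conf_option "$conf" managed-keys-directory)
    # BIND falls back to the working directory when the option is absent
    [ -z "$keydir" ] && keydir=$workdir
    check_writable_dir "$workdir" "$user" "working directory" || rc=1
    check_writable_dir "$keydir" "$user" "managed-keys-directory" || rc=1
    return $rc
}

# Demo on a constructed layout: a root-style tree with a separate working
# directory, mirroring the thread's "/etc/namedb/working" arrangement.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/working"
    cat > "$tmp/named.conf" <<EOF
options {
    directory "$tmp";
    managed-keys-directory "$tmp/working";
};
EOF
    # the current user owns everything it just created, so this reports OK
    audit_named_dirs "$tmp/named.conf" "$(id -un)"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_audit
```

On a real host run it as `sh audit.sh /etc/named.conf bind` after replacing the `demo_audit` call with `audit_named_dirs "$1" "$2"`; a FIX line is exactly the case Martin hit, a directory named must write into but does not own, and a MISSING line means the configured path does not exist at all.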