On Thu, Oct 11, 2018, at 3:51 PM, Viktor Dukhovni wrote:
> Check the user "named" runs as after chroot and dropping privs has
> write permissions to update the root trust-anchor file (may need
> write permissions to the containing directory to make the update
> atomic).

thanks! I _think_ I'm set

        ps aux | grep named
                named     2561  0.0  0.3 243468 48724 ?        Ssl  13:47   0:05 /usr/local/bind9/sbin/named -f -t /var/chroot/named -n 2 -S 1024 -u named -c /etc/named.conf

        ls -al \
         /var/chroot/named/keys/managed-keys/external.mkeys

                -rw-r--r-- 1 named named 1.4K Oct 11 13:47 /var/chroot/named/keys/managed-keys/external.mkeys

where, given the bind.keys' init,

        ls -al /usr/local/etc/named/bind.keys
                -rw-r--r-- 1 named named 3.9K Oct 11 12:28 /usr/local/etc/named/bind.keys

matches in chroot,

        cat /var/chroot/named/keys/managed-keys/external.mkeys
                $ORIGIN .
                $TTL 0  ; 0 seconds
                @ IN SOA  . . (
                        2          ; serial
                        0          ; refresh (0 seconds)
                        0          ; retry (0 seconds)
                        0          ; expire (0 seconds)
                        0          ; minimum (0 seconds)
                        )
            KEYDATA 20181012204732 20181011204732 19700101000000 257 3 8 (
                    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                    ) ; KSK; alg = RSASHA256; key id = 19036
                    ; next refresh: Fri, 12 Oct 2018 20:47:32 GMT
                    ; trusted since: Thu, 11 Oct 2018 20:47:32 GMT
            KEYDATA 20181012204732 20181011204732 19700101000000 257 3 8 (
                    AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                    iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                    7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                    LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                    efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                    pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                    A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                    9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                    ) ; KSK; alg = RSASHA256; key id = 20326
                    ; next refresh: Fri, 12 Oct 2018 20:47:32 GMT
                    ; trusted since: Thu, 11 Oct 2018 20:47:32 GMT

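The check Viktor describes (the user named runs as after chroot and privilege drop must be able to rewrite the managed-keys file and, for an atomic rename, its containing directory) can be scripted. The script below is an added example and is not part of the list message or of BIND; it assumes GNU coreutils `stat -c` (BSD and macOS use `stat -f`) and inspects only the permission bits, so it gives the same answer whether run as root or not. The `named_run_user` helper pulls the `-u` argument out of a named command line such as the `ps` output above.

```shell
#!/bin/sh
# Added example (not code from the list message or from BIND): verify that
# the user named drops to can update the managed-keys file atomically.
# Assumes GNU coreutils stat (-c); on BSD/macOS use stat -f instead.

# named_run_user ARGS: print the USER given to named's -u option, if any.
named_run_user() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-u[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# user_can_write PATH USER: succeed if USER's owner/group/other bits grant
# write access to PATH. Only the mode bits are inspected, not the caller's
# own access, so the result is meaningful even when this runs as root.
user_can_write() {
    path="$1"; user="$2"
    [ -e "$path" ] || return 1
    perms=$(stat -c %A "$path")    # e.g. -rw-r--r-- or drwxr-xr-x
    owner=$(stat -c %U "$path")
    group=$(stat -c %G "$path")
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$perms" | cut -c3)   # owner write bit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$perms" | cut -c6)   # group write bit
    else
        bit=$(printf '%s' "$perms" | cut -c9)   # other write bit
    fi
    [ "$bit" = "w" ]
}

# check_managed_keys FILE USER: both FILE and its directory must be writable
# by USER, because the key rollover writes a temporary file and renames it
# into place; a read-only directory silently breaks that update.
check_managed_keys() {
    file="$1"; user="$2"; dir=$(dirname "$file")
    user_can_write "$file" "$user" || { echo "FAIL: $user cannot write $file"; return 1; }
    user_can_write "$dir" "$user"  || { echo "FAIL: $user cannot write $dir"; return 1; }
    echo "OK: $user can update $file atomically"
}

# Self-contained demonstration on a temporary file owned by the current user
# (constructed input; on a live server use the real paths from the message):
#   user=$(named_run_user "$(ps -o args= -C named | head -n 1)")
#   check_managed_keys /var/chroot/named/keys/managed-keys/external.mkeys "${user:-named}"
demo_dir=$(mktemp -d)
touch "$demo_dir/external.mkeys"
chmod 755 "$demo_dir"; chmod 644 "$demo_dir/external.mkeys"
check_managed_keys "$demo_dir/external.mkeys" "$(id -un)"        # OK
chmod 444 "$demo_dir/external.mkeys"
check_managed_keys "$demo_dir/external.mkeys" "$(id -un)" || :   # FAIL: file not writable
rm -rf "$demo_dir"
```

Note that a directory owned by root with mode 755 fails the second check even when `external.mkeys` itself is owned by `named`; that is exactly the case the parenthetical in the quoted advice warns about.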