named is creating excessive number of tmp-xxxxx files.

2023-12-28 Thread Marc Chamberlin via bind-users

Hello, I am running a named service on the OpenSuSE 15.4 platform.


# named -v
BIND 9.16.44 (Extended Support Version) 


and I am getting an excessive number of binary tmp-xx files created 
in the named chroot directory - /var/lib/named.  (xx is just a bunch 
of random characters.) What are these files and how do I automatically 
manage the creation and deletion of them? Could I simply add an


ExecStartPre=+/bin/rm -rf /var/lib/named/tmp-*

to the named.service file in order to delete all these tmp-* files 
whenever the named service is started/restarted or would this be an 
unsafe practice? I don't know if these files are being used to persist 
information across restarts of the named service or not... These tmp 
files contain binary information and as such are unreadable.


Much appreciated, and thanks in advance for some advice...    Marc C


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
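The question above is whether leftover tmp-* files in the named working directory can be removed at service start. In BIND, named writes a new zone file or dump to a tmp-XXXXXX file in its working directory and renames it over the target once the write completes, so a file that stays behind is one whose rename never happened. The following is an added example, not code from the thread or from ISC: a POSIX sh helper that lists tmp-* files older than a threshold (so a dump still being written is left alone) and a second function that removes only those. The directory defaults to the chroot working directory named in the post, /var/lib/named; the 60-minute threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find leftover tmp-* files in a named
# working directory, skipping anything newer than an age threshold.
# Assumes: POSIX sh and a find(1) that supports -mmin (GNU, BSD, busybox).

# Print stale tmp-* files, one per line, oldest-first is not guaranteed; sorted by name.
#   $1: working directory (default: the chroot dir from the post)
#   $2: minimum age in minutes before a file counts as stale (assumed default 60)
stale_named_tmp() {
    dir=${1:-/var/lib/named}
    min_age=${2:-60}
    [ -d "$dir" ] || return 1
    # named creates its temporary output files as tmp-XXXXXX directly in the
    # working directory, so do not descend into subdirectories.
    find "$dir" -maxdepth 1 -type f -name 'tmp-*' -mmin +"$min_age" | sort
}

# Remove only the files stale_named_tmp() reports; newer files are untouched.
remove_stale_named_tmp() {
    stale_named_tmp "$1" "$2" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}
```

Running `stale_named_tmp` on its own is a dry run; only after the listed files have been checked against named.conf (a `file` or `dump-file` path should never be a tmp-* name) would one call `remove_stale_named_tmp` from an ExecStartPre line instead of an unconditional `rm -rf`.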


Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

2023-12-28 Thread Adrian Zaugg
Hi Nick

Not changing the key algo does help indeed when introducing dnssec-policy, see 
the log below. Thank you very much for pointing this out.

But I do not understand why BIND deletes valid and published keys, just 
because there should be another algo used. Couldn't this be done in a smooth 
key rollover process as well? Maybe someone with more insights than I have 
could explain this behaviour. Thanks!

Best regards, Adrian.


Log of successful change from auto-dnssec to dnssec-policy (using the same algo):
2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...]
2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals
2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,32,[...])
2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+61287.private have changed from 0640 to 0600 as a result of this operation.
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+38348.private have changed from 0640 to 0600 as a result of this operation.
2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository.
2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400).
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active
2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published
2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published
2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176
2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692)


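The log above shows the migration succeeding once the dnssec-policy uses the same algorithm as the existing keys: the key files are named Kmyzone.ch.+013+61287 and Kmyzone.ch.+013+38348, where 013 is the algorithm number, and the policy mypolicy_ecdsa generates ECDSAP256SHA256 (algorithm 13) keys. The following is an added example, not code from the thread or from ISC: a POSIX sh helper that reads the algorithm numbers out of a zone's existing K<zone>.+<alg>+<keyid>.key files so they can be compared with the algorithm the policy is about to use before the switch is made. The key directory and the zone name are parameters; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the DNSSEC algorithm numbers in
# use for a zone, taken from BIND's key file names K<zone>.+<alg>+<keyid>.key,
# and check them against the algorithm a dnssec-policy is expected to use.
# Assumes POSIX sh; the key directory layout follows the log in the thread
# (e.g. /var/lib/bind/keys/Kmyzone.ch.+013+61287.key).

# Print the distinct three-digit algorithm numbers found for the zone.
#   $1: key directory   $2: zone name without trailing dot (e.g. myzone.ch)
key_file_algorithms() {
    keydir=$1
    zone=$2
    for f in "$keydir"/K"$zone".+[0-9][0-9][0-9]+[0-9]*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=${f##*/}                    # Kmyzone.ch.+013+61287.key
        rest=${name#K"$zone".+}          # 013+61287.key
        printf '%s\n' "${rest%%+*}"      # 013
    done | sort -u
}

# Succeed only when the zone has key files and all of them use algorithm $3
# (three-digit form, e.g. 013 for ECDSAP256SHA256).
keys_match_policy() {
    algos=$(key_file_algorithms "$1" "$2")
    [ -n "$algos" ] && [ "$algos" = "$3" ]
}
```

For the zone in the log, `keys_match_policy /var/lib/bind/keys myzone.ch 013` would succeed, which is the condition under which the thread reports the migration keeping the existing keys; a mismatch is the case the poster observed, where a policy with a different algorithm is applied to keys generated under auto-dnssec.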