[Opendnssec-user] ods-signerd changing file mode of signed zones

Mathieu Arnold mat at mat.cc
Thu Mar 27 16:45:54 UTC 2014


Hi,

For a couple of weeks, I've been getting strange alerts from my dnssec
monitoring about RRSIG expiring too soon.  After some investigating, I
found that BIND was spitting out errors about permissions, and after some
more investigating and adding a cronned script that spat out the diff of
the current and last mtree of my signed zones, I ended up seeing some
signed zone files getting their modes changed from 644 to 600, and back to
644 on the next signing, so all in all, the errors were transient (well,
until the next resign, that is).
Out of the 1842 zones currently in my ODS, only about 4 random ones have
this problem.  I also discovered that about the same number of random files
in WorkingDirectory have 600, also, files that are not related to the zone
files that have 600 mode.

I've browsed ODS's sources, and can't really figure out why it would
happen, I can't see anywhere where umask is changed, or even where file
modes are used to write to files...

I'm wondering if it's something bleeding out of another thread running in
softhsm, or ldns, or... I'm thinking about it that way because I don't
think umask is thread safe, and thus, changing it, even briefly, in one
thread would change it for the other too.

-- 
Mathieu Arnold
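
An added example, not part of the original post and not OpenDNSSEC, SoftHSM or ldns code: it demonstrates the property the post speculates about, namely that umask is a per-process attribute shared by all threads, so a file created while another thread has temporarily set 077 comes out 600 instead of 644. The thread roles and file names are constructed for illustration, and the example does not establish that this is what happens inside ods-signerd.

```python
import os
import stat
import tempfile
import threading


def create_and_stat(path):
    """Create a file requesting mode 0666 and return the mode it really got."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo():
    """Return the modes of files created before, during and after another
    thread temporarily tightens the umask."""
    tightened = threading.Event()
    file_written = threading.Event()

    def private_file_thread():
        # Hypothetical library thread: set umask 077 around some private
        # write, then restore it. The change applies to the whole process.
        previous = os.umask(0o077)
        tightened.set()
        file_written.wait(timeout=5)
        os.umask(previous)

    saved = os.umask(0o022)  # typical daemon umask, gives 644
    try:
        with tempfile.TemporaryDirectory() as workdir:
            modes = {}
            modes["before"] = create_and_stat(os.path.join(workdir, "a.signed"))
            worker = threading.Thread(target=private_file_thread)
            worker.start()
            tightened.wait(timeout=5)
            # The "zone writer" (this thread) never touched umask itself.
            modes["during"] = create_and_stat(os.path.join(workdir, "b.signed"))
            file_written.set()
            worker.join()
            modes["after"] = create_and_stat(os.path.join(workdir, "c.signed"))
            return modes
    finally:
        os.umask(saved)


if __name__ == "__main__":
    for phase, mode in run_demo().items():
        print(f"{phase:>6}: {mode:03o}")
```

A writer that needs a fixed mode regardless of the process umask can call fchmod() on the descriptor right after creating the file.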


