Bind9 version 9.17.12 TLS capability problem
I tried version 9.17.12 because of the new TLS features.
Assume the following TLS settings in named.conf
tls mytls {
cert-file "/etc/ssl/example.crt";
key-file "/etc/ssl/example.key";
};
Both files are owned by root:root and chmod 0600.
-rw------- 1 root root 5938 May 14 02:19 example.crt
-rw------- 1 root root 3243 May 14 02:19 example.key
Bind9 is started with a -u bind
parameter.
If compiled with --disable-linux-caps
:
- named will start
- rdnc reload will fail
If compiled without --disable-linux-caps
:
- named will not start
In both cases the same error is raised:
May 17 21:33:22 s1 named[3596]: Error initializing TLS context: error:0200100D:system library:fopen:Permission denied
May 17 21:33:22 s1 named[3596]: loading configuration: TLS error
I know this is due to the privilege drop of the daemon. However both scenarios are uncommon if compared to other relevant Linux software. Especially for the second case with enabled capability support. The privilege drop seems to happen before the certificates are loaded.
However I still want to report this because it's unintuitive in my eyes. My expectation would be:
- Named starts in both scenarios
- rdnc reload works but doesn't trigger a TLS stack reload without the necessary privileges
Thanks for any help.
Dominik