Bind9 version 9.17.12 TLS capability problem (#2705) · Issues · ISC Open Source Projects / BIND

Bind9 version 9.17.12 TLS capability problem

I tried version 9.17.12 because of the new TLS features.

Assume the following TLS settings in named.conf

tls mytls {
   cert-file "/etc/ssl/example.crt";
   key-file "/etc/ssl/example.key";
};

Both files are owned by root:root and chmod 0600.

-rw------- 1 root root 5938 May 14 02:19 example.crt
-rw------- 1 root root 3243 May 14 02:19 example.key

Bind9 is started with a -u bind parameter.

If compiled with --disable-linux-caps:

named will start
rdnc reload will fail

If compiled without --disable-linux-caps:

named will not start

In both cases the same error is raised:

May 17 21:33:22 s1 named[3596]: Error initializing TLS context: error:0200100D:system library:fopen:Permission denied
May 17 21:33:22 s1 named[3596]: loading configuration: TLS error

I know this is due to the privilege drop of the daemon. However both scenarios are uncommon if compared to other relevant Linux software. Especially for the second case with enabled capability support. The privilege drop seems to happen before the certificates are loaded.

However I still want to report this because it's unintuitive in my eyes. My expectation would be:

Named starts in both scenarios
rdnc reload works but doesn't trigger a TLS stack reload without the necessary privileges

Thanks for any help.

Dominik

Edited May 17, 2021 by Do He