On Tue, 2009-02-17 at 22:06 +0100, Göran Uddeborg wrote:
> Daniel J Walsh writes:
> > grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
> > /etc/rndc\.key -- system_u:object_r:dnssec_t:s0
> > /var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
>
> I thought that file was just for connection between the named server
> and rndc clients. I didn't think it had anything to do with DNSSEC at
> all. Am I wrong?

It seems to be a bit of a misnomer; I assume that someone named it
dnssec_t because the TSIG key is generated via dnssec-keygen as well.

> I'm talking about keys for signing a zone, in files having names like
> Kuddeborg.se.+005+16744.key and Kuddeborg.se.+005+16744.private
> respectively.
>
> Stephen Smalley writes:
> > Why are you putting the private key in /var/named at all? Why is it
> > even on the public server?
>
> Well, I haven't been able to run dnssec-signzone without having both
> the private and public keys in the same directory. But maybe I just
> haven't figured these things out? These DNSSEC tools are new to me.

Do you have to support dynamic updates or not?

--
Stephen Smalley
National Security Agency