Suitable type for DNSSEC private keys

Stephen Smalley sds at tycho.nsa.gov
Tue Feb 17 21:41:53 UTC 2009


On Tue, 2009-02-17 at 22:06 +0100, Göran Uddeborg wrote:
> Daniel J Walsh writes:
> > grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
> > /etc/rndc\.key	--	system_u:object_r:dnssec_t:s0
> > /var/named/chroot/etc/rndc\.key	--	system_u:object_r:dnssec_t:s0
> 
> I thought that file was just for connection between the named server
> and rndc clients.  I didn't think it had anything to do with DNSSEC at
> all.  Am I wrong?

It seems to be a bit of a misnomer; I assume that someone named it
dnssec_t because the TSIG key is generated via dnssec-keygen as well.

> I'm talking about keys for signing a zone, in files having names like
> Kuddeborg.se.+005+16744.key and Kuddeborg.se.+005+16744.private
> respectively.
> 
> Stephen Smalley writes:
> > Why are you putting the private key in /var/named at all?  Why is it
> > even on the public server?
> 
> Well, I haven't been able to run dnssec-signzone without having both
> the private and public keys in the same directory.  But maybe I just
> haven't figured these things out?  These DNSSEC tools are new to me.

Do you have to support dynamic updates or not?

-- 
Stephen Smalley
National Security Agency
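As an added example (not part of the thread, and not code from the SELinux project), the following is a small matchpathcon-style resolver over file_contexts entries. It shows which type a zone-signing key such as Kuddeborg.se.+005+16744.private would receive if it sits in /var/named under the entries quoted above. The two dnssec_t lines are the ones from the grep output; the other entries are assumed for illustration (modeled on the reference policy's bind module, not copied from the page), and the "last matching entry wins" resolution mirrors how libselinux's selabel lookup and setfiles resolve overlapping entries.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of file_contexts entries. The two dnssec_t lines are the
# ones quoted in the thread; the remaining lines are assumptions added for
# illustration (modeled on refpolicy's bind module) and are not from the page.
SAMPLE_FILE_CONTEXTS = r"""
/etc/rndc\.key                        --  system_u:object_r:dnssec_t:s0
/var/named(/.*)?                          system_u:object_r:named_zone_t:s0
/var/named/chroot(/.*)?                   system_u:object_r:named_conf_t:s0
/var/named/chroot/etc/rndc\.key       --  system_u:object_r:dnssec_t:s0
/var/named/chroot/var/named(/.*)?         system_u:object_r:named_zone_t:s0
/var/named/data(/.*)?                     system_u:object_r:named_cache_t:s0
"""

# (compiled regex, required file-type letter or None for "any", security context)
Spec = Tuple[re.Pattern, Optional[str], str]

# The optional middle field of a file_contexts line restricts the entry to one
# file type; map it to the stat-style letter used by ls -l.
FILE_TYPE_FIELD = {"--": "-", "-d": "d", "-l": "l", "-s": "s",
                   "-p": "p", "-c": "c", "-b": "b"}


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into (regex, file type, context) specs."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype_field, context = fields
            ftype: Optional[str] = FILE_TYPE_FIELD[ftype_field]
        elif len(fields) == 2:
            regex, context = fields
            ftype = None  # entry applies to every file type
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every file_contexts regex at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def match_context(specs: List[Spec], path: str, file_type: str = "-") -> Optional[str]:
    """Return the context `path` would be labelled with, like matchpathcon(1).

    The last matching entry wins, which is how selabel/setfiles resolve
    overlapping entries (later, more specific lines override earlier ones).
    Returns None when no entry matches.
    """
    result: Optional[str] = None
    for regex, ftype, context in specs:
        if ftype is not None and ftype != file_type:
            continue
        if regex.match(path):
            result = context
    return result


def type_of(context: str) -> str:
    """Extract the type field (user:role:TYPE:level) from a context string."""
    return context.split(":")[2]


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p in ("/etc/rndc.key",
              "/var/named/Kuddeborg.se.+005+16744.private",
              "/var/named/chroot/var/named/Kuddeborg.se.+005+16744.private"):
        print(f"{p} -> {match_context(specs, p)}")
```

Under these entries a signing key dropped into /var/named (or the chroot's var/named) is labelled named_zone_t, the same type as the zone files named serves, rather than dnssec_t; only the two rndc.key paths pick up dnssec_t, and even those fall back to the surrounding directory's type if the path is not a regular file. A private key kept in a directory of its own would need its own file_contexts entry (for example via semanage fcontext -a) to get a distinct type.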
