On 24/09/2021 15.43, Günther J. Niederwimmer wrote:
I heard / read from a user that knot resolver must
have its own rights for the
certificate, but that is not possible, because the key is also intended for
other computers and this creates a system risk? Is this a design problem or a
bug?
I would not suggest that the private keys should be world-readable.
Normal installation uses a special user and group for running Knot
Resolver, so you might e.g. switch the file to this group.
Running the daemons as root would seem a higher risk to me, but
otherwise it shouldn't be a problem either. Of course, you can't change
that in kresd.conf, as that's done on systemd level already. I think it
should suffice to use `systemctl edit kresd@.service` and add
[Service]
User=root
Group=root
and the same with `systemctl edit kres-cache-gc.service`.
--Vladimir