On 20/09/2019 13:36, Tomas Krizek wrote:
Hi Tomas,
> The /etc/knot-resolver/kresd.conf is only writable by root (0644), as
> well as other files kresd uses in the /etc/knot-resolver/ directory,
> therefore I don't believe this is an issue from a security point of view.
The 0644 mode on kresd.conf is pointless, because the "knot-res" user
can *delete* the kresd.conf file, and then create a new one in its place.
In the meantime, if I want to move the root.keys file somewhere else, am
I right in assuming that I need to add this to the config?
trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
Alternatively, am I right in assuming that I can disable RFC 5011 trust
anchor tracking with:
trust_anchors.add_file('root.keys', readonly=true)
> However, I agree with you it'd be better to restrict the permissions of
> the config directory. I've created an issue [1] for it. We'll look into
> it in future releases.
>
> [1] - https://gitlab.labs.nic.cz/knot/knot-resolver/issues/513
Thanks!
Regards,
Anand
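The point made in the reply above, that a root-owned 0644 file can still be replaced by whoever may write to its parent directory, can be checked mechanically. The following is an added audit example, not code from the thread or from the knot-resolver project; the uid/gid 997, the modes and the directory ownership are constructed sample values.

```python
import stat
from collections import namedtuple

# Permission-relevant subset of os.stat(): mode bits, owner uid, group gid.
Entry = namedtuple("Entry", "mode uid gid")
ROOT_UID = 0

def _allowed(entry, uid, gids, usr, grp, oth):
    """POSIX class selection: root bypasses, else owner, then group, then other."""
    if uid == ROOT_UID:
        return True
    if uid == entry.uid:
        return bool(entry.mode & usr)
    if entry.gid in gids:
        return bool(entry.mode & grp)
    return bool(entry.mode & oth)

def may_write(entry, uid, gids):
    return _allowed(entry, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def may_search(entry, uid, gids):
    return _allowed(entry, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def can_replace(directory, target, uid, gids):
    """Can uid unlink target and recreate it under the same name? Only the
    directory's mode matters; the file's own 0644 is irrelevant. A sticky
    directory additionally requires owning the file or the directory."""
    if uid == ROOT_UID:
        return True
    if not (may_write(directory, uid, gids) and may_search(directory, uid, gids)):
        return False
    if directory.mode & stat.S_ISVTX:
        return uid in (target.uid, directory.uid)
    return True

def audit(directory, target, uid, gids):
    """Findings for one config file as seen by the service account."""
    if may_write(target, uid, gids):
        return ["file writable by service user"]
    if can_replace(directory, target, uid, gids):
        return ["file replaceable via writable parent directory"]
    return []

# Constructed sample: service uid/gid 997 owns /etc/knot-resolver (0755) while
# kresd.conf is root-owned 0644, the situation the thread describes.
KRES_UID, KRES_GID = 997, 997
WEAK_DIR = Entry(0o755, KRES_UID, KRES_GID)
FIXED_DIR = Entry(0o755, ROOT_UID, ROOT_UID)  # root-owned directory, the fix
CONF = Entry(0o644, ROOT_UID, ROOT_UID)
print("weak:", audit(WEAK_DIR, CONF, KRES_UID, {KRES_GID}), "fixed:", audit(FIXED_DIR, CONF, KRES_UID, {KRES_GID}))
```

To run it against a live install, build each Entry from `stat.S_IMODE(os.stat(path).st_mode)`, `st_uid` and `st_gid` of the config directory and each file in it.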