Referencing CentOS / RedHat guide on BIND here, it says the following...
Because /etc/named.conf is world-readable, it is advisable to place the key statement in a separate file, readable only by root, and then use an include statement to reference it.
And also the following...
Make sure that only the root user can read or write to the /etc/rndc.conf file.
Now when I do that with the following commands ...
chown root:root /etc/rndc.key
chmod 600 /etc/rndc.key
chown root:root /etc/rndc.conf
chmod 600 /etc/rndc.conf
I'm unable to start BIND because it complains in the /var/log/messages file with the following...
loading configuration from '/etc/named.conf'
/etc/named.conf:1: open: /etc/rndc.key: permission denied
To rectify, I am now doing the following and BIND is able to start...
chown root:named /etc/rndc.key
chmod 640 /etc/rndc.key
chown root:named /etc/rndc.conf
chmod 640 /etc/rndc.conf
Now is that an error in the manual?
The point here is that no unprivileged users are able to read the file.
If you are running BIND as the named user then that user will need access to it.
You should also be able to set:
But your permissions are not really worse (see also: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-bind-rndc.html).
Unrelated hint: Generally I would also advise to run BIND in a chroot.
There are CentOS/RedHat packages which support this (bind-chroot).
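A small audit helper, added here as an illustration and not part of the question or answer above, that checks the exact trade-off discussed: the key file must not be readable by "other", but the daemon user (assumed to be named, uid 25 in the constructed samples) must still be able to read it through the owner or group bits. audit_path() applies the same logic to a real file.

```python
import grp
import os
import pwd
import stat


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix DAC read check: root bypasses, else owner, group, other in that order."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(mode, owner_uid, owner_gid, daemon_uid, daemon_gids):
    """Return a list of problems for a key/config file with the given bits and owner.

    Empty list means: not world-accessible, not group-writable, and the daemon can read it.
    """
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world-accessible")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if not readable_by(mode, owner_uid, owner_gid, daemon_uid, daemon_gids):
        problems.append("daemon cannot read")
    return problems


def audit_path(path, daemon_user="named"):
    """Run audit() against a real file, resolving the daemon's primary and supplementary groups."""
    st = os.stat(path)
    pw = pwd.getpwnam(daemon_user)
    gids = {g.gr_gid for g in grp.getgrall() if daemon_user in g.gr_mem} | {pw.pw_gid}
    return audit(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed samples: uid/gid 25 stands in for the named user and group.
    print("600 root:root  ->", audit(0o600, 0, 0, 25, {25}))    # daemon cannot read
    print("640 root:named ->", audit(0o640, 0, 25, 25, {25}))   # []
    print("644 root:root  ->", audit(0o644, 0, 0, 25, {25}))    # world-accessible
```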