Default location of "cookie-secret-file"
The nsd.conf man page says that the default location of the cookie secret file is /etc/nsd/nsd_cookiesecrets.txt. However, if one tries to add a cookie using nsd-control, this is what happens:
# nsd-control add_cookie_secret ae44cc3c8ceaaa64f5811e9a55442ab6
unable to open cookie secret file /etc/nsd/nsd_cookiesecrets.txt: Permission deniederror: writing to cookie secret file: "/etc/nsd/nsd_cookiesecrets.txt"
The reason for this is that /etc/nsd is usually not writable by anyone other than "root", but the NSD server normally runs as a non-root user. This is generally true of most daemons on unix-like systems. If a running daemon wants to create some kind of state file, such a file should normally go into a location such as /var/lib/nsd, which is writable by the "nsd" user. In fact, all of NSD's other state files (nsd.db, xfrd.state, dynamically added zone list, etc.) go here. So I find it surprising that the dynamic cookie secret file's default location is /etc/nsd. It does not follow best practices for unix-like systems.
I then tried to see if I could change this default at compile time, but there's no configure option for this either (whereas there are options for specifying default locations for the log file, database file, state file, zone list file, etc). I consider this a bug, and I think that you should change the default to point to the same place as NSD's other run-time state files.
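A pre-flight check for the failure reported above, added here as an example (it is not code from the NSD project or from the reporter): it resolves where the cookie secret file will be written and tests whether the daemon's user can create it there. The function names are hypothetical; it assumes classic owner/group/other mode bits and an absolute path, and ignores any chroot setting.

```python
import os
import re
import stat

# Default stated in the nsd.conf man page, as quoted in the report above.
DEFAULT_COOKIE_FILE = "/etc/nsd/nsd_cookiesecrets.txt"

# Matches an active (not commented-out) cookie-secret-file option.
_OPTION = re.compile(r'^\s*cookie-secret-file:\s*"?([^"#\s]+)"?', re.MULTILINE)


def cookie_secret_path(conf_text):
    """Return the configured cookie-secret-file, or the documented default."""
    match = _OPTION.search(conf_text)
    return match.group(1) if match else DEFAULT_COOKIE_FILE


def can_create_in(dir_stat, uid, gids):
    """True if uid/gids may create a file in a directory with this stat result.

    Only mode bits are evaluated; ACLs, capabilities and MAC policies
    (SELinux, AppArmor) are not considered.
    """
    if uid == 0:
        return True
    if uid == dir_stat.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_stat.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_stat.st_mode & need) == need


def check(conf_text, uid, gids):
    """Return (path, ok): the secret file location and whether uid can create it."""
    path = cookie_secret_path(conf_text)
    return path, can_create_in(os.stat(os.path.dirname(path)), uid, gids)


if __name__ == "__main__":
    import pwd
    import sys
    conf, user = sys.argv[1], sys.argv[2]  # e.g. /etc/nsd/nsd.conf nsd
    pw = pwd.getpwnam(user)
    with open(conf) as fh:
        print(check(fh.read(), pw.pw_uid, os.getgrouplist(user, pw.pw_gid)))
```

A result of `False` for the daemon's user predicts the "Permission denied" error shown above when a secret is added at run time.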