rpm: change permission on config directory to read-only

The RPM package uses RFC 5011 to update the DNSSEC TA in /etc/knot-resolver/root.keys. This requires the /etc/knot-resolver/ config directory to be writable by the knot-resolver user.

Possible solutions:

  • disable RFC 5011, make /etc/knot-resolver/root.keys read-only. This would require a package update when TAs are rolled over.
  • move the TA file to a more appropriate location, e.g. /var/lib/knot-resolver/root.keys