[CentOS] Re: Yum update to 4.4 stamps all over rndc.conf
Peter Farrow
peter at farrows.org
Mon Sep 11 22:29:04 UTC 2006
Hi There,
I was not using a stock rndc.conf file, it had references to my own
generated external key file
snip....
options {
        default-server localhost;
        default-key "farrowkey";
};
server localhost {
        key "farrowkey";
};
include "/etc/farrowkey";
snip....
It still blew it away on both my own nameservers....
Regards
Pete
Jim Perrin wrote:
>> It only happened on one of mine, and it was the new server I hadn't
>> put in service yet. Otherwise, I always re-generate the rndc.conf and
>> rndc.key before a server goes live. I wonder if that has anything to
>> do with it?
>
> It does. The spec file for the bind rpm looks at rndc.conf in this way ->
> %verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
> /etc/rndc.conf
>
> Which means that it doesn't check the size of the file or the md5sum,
> but it will not replace the file if it has changed. So everyone using
> a stock rndc.conf got smacked, those who modified the file or
> generated a new key should have the appropriate .rpmnew for rndc.conf.
>
> The key in /etc/rndc.conf defined as 'key' is the same in all the
> rpms, so people really should be generating their own keys. I view
> this much like the snake oil localhost cert for apache. It's fine for
> testing, but make your own. The key in /etc/rndc.key is autogenerated
> during the %post section and should be different for every install.
>
> 1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
> 2. Should people be using the default /etc/rndc.conf file? probably not.
> 3. Should this be a far more documented issue than it is? Yes. It's
> the configuration killing people here. If rndc.conf is included
> everywhere it shouldn't make a difference, restarting the offending
> service will reload the same .conf everything else is using and life
> moves on. If someone copies the key out of the file and uses that,
> they get smacked as has been documented here on the list.
>
>
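An added check for the situation Jim describes, not code from the thread: it compares the secret rndc.conf will send (following a one-level include, as in Pete's config) with the secret in rndc.key, and flags a leftover .rpmnew copy. The function names, the sample secrets and the demo files are assumptions made for this example.

```shell
# Added example, not from the original thread: detect a replaced rndc.conf whose
# stock key no longer matches the key named accepts from rndc.key (or from a file
# pulled in via include). Function names and sample secrets are made up.

# Print the value of the first `secret "..."` clause in $1. If the file has none
# inline, follow its include "..." directives one level, as Pete's rndc.conf does.
rndc_secret() {
    s=$(sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    if [ -z "$s" ]; then
        for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null); do
            if [ -r "$inc" ]; then
                s=$(sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$inc" | head -n 1)
            fi
            if [ -n "$s" ]; then break; fi
        done
    fi
    printf '%s\n' "$s"
}

# Compare the secret rndc will send (from rndc.conf) with the one named accepts
# (from rndc.key). Exit status: 0 = match, 1 = mismatch, 2 = a secret is missing.
# Also reports an .rpmnew copy, which is what rpm leaves beside a modified file.
check_rndc_keys() {
    conf=${1:-/etc/rndc.conf}
    keyfile=${2:-/etc/rndc.key}
    if [ -f "$conf.rpmnew" ]; then echo "note: $conf.rpmnew present; rpm kept your modified $conf"; fi
    cs=$(rndc_secret "$conf")
    ks=$(rndc_secret "$keyfile")
    if [ -z "$cs" ] || [ -z "$ks" ]; then return 2; fi
    [ "$cs" = "$ks" ]
}

# Constructed sample files in directory $1: rndc.conf with a stock-style key,
# rndc.key with a generated one, i.e. the state of a "smacked" server.
make_sample_files() {
    printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "STOCKSECRET==";\n};\n' > "$1/rndc.conf"
    printf 'options {\n\tdefault-key "rndc-key";\n\tdefault-server 127.0.0.1;\n};\n' >> "$1/rndc.conf"
    printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "GENERATEDSECRET==";\n};\n' > "$1/rndc.key"
}

# Stand-alone demo on the constructed files (a real run would use the defaults).
demo_dir=${TMPDIR:-/tmp}/rndc-demo.$$
mkdir -p "$demo_dir" && make_sample_files "$demo_dir"
if check_rndc_keys "$demo_dir/rndc.conf" "$demo_dir/rndc.key"; then
    echo "rndc.conf and rndc.key agree"
else
    echo "rndc.conf and rndc.key disagree: rndc will fail to authenticate to named"
fi
rm -rf "$demo_dir"
```

On a live server, run check_rndc_keys with no arguments after a bind update; a status of 1 means the rndc.conf key was replaced or copied from a stale file, and the fix is to point rndc.conf at the same key material named loads.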