<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi There,<br>
<br>
I was not using a stock rndc.conf file; it had references to my own
generated external key file.<br>
<br>
snip....<br>
<font face="Courier New, Courier, monospace">options {<br>
default-server localhost;<br>
default-key "farrowkey";<br>
};<br>
<br>
server localhost {<br>
key "farrowkey";<br>
};<br>
<br>
include "/etc/farrowkey";</font><br>
snip....<br>
<br>
It still blew it away on both my own nameservers....<br>
<br>
Regards<br>
<br>
Pete<br>
<br>
<br>
<br>
Jim Perrin wrote:
<blockquote
cite="mid302ce8b50609111517i1118b25bt81e9a44cf7cd5a2e@mail.gmail.com"
type="cite">
<blockquote type="cite">It only happened on one of mine, and it was
the new server I hadn't put in
<br>
service yet. Otherwise, I always re-generate the rndc.conf and rndc.key
before
<br>
a server goes live. I wonder if that has anything to do with it?
<br>
</blockquote>
<br>
It does. The spec file for the bind rpm looks at rndc.conf in this way
->
<br>
%verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
<br>
/etc/rndc.conf
<br>
<br>
Which means that it doesn't check the size of the file or the md5sum,
<br>
but it will not replace the file if it has changed. So everyone using
<br>
a stock rndc.conf got smacked, those who modified the file or
<br>
generated a new key should have the appropriate .rpmnew for rndc.conf.
<br>
<br>
The key in /etc/rndc.conf defined as 'key' is the same in all the
<br>
rpms, so people really should be generating their own keys. I view
<br>
this much like the snake oil localhost cert for apache. It's fine for
<br>
testing, but make your own. The key in /etc/rndc.key is autogenerated
<br>
during the %post section and should be different for every install.
<br>
<br>
1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
<br>
2. Should people be using the default /etc/rndc.conf file? probably
not.
<br>
3. Should this be a far more documented issue than it is? Yes. It's
<br>
the configuration killing people here. If rndc.conf is included
<br>
everywhere it shouldn't make a difference, restarting the offending
<br>
service will reload the same .conf everything else is using and life
<br>
moves on. If someone copies the key out of the file and uses that,
<br>
they get smacked as has been documented here on the list.
<br>
<br>
<br>
</blockquote>
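<br>
Added example, not from Pete, Jim or the bind package: a small POSIX shell check
for the two layouts discussed above. It tells apart an rndc.conf that takes its
key from an included per-host key file (the layout in the snippet at the top of
this message) from one that carries a secret pasted in by hand, which is the
"copied the key out of the file" case that drifts as soon as the key file is
regenerated. The file names, the key name "farrowkey" and the secrets are
constructed sample data written to a throwaway directory; the functions
<font face="Courier New, Courier, monospace">key_secret</font>,
<font face="Courier New, Courier, monospace">key_source</font> and
<font face="Courier New, Courier, monospace">key_status</font> are the
example's own, not part of BIND or rndc.<br>

```sh
#!/bin/sh
# Added example, not part of the original thread or of the bind package.
# Checks how an rndc.conf obtains its key: through an include of the
# per-host key file, or through a secret pasted into rndc.conf itself,
# which silently drifts once the key file is regenerated.
# All file names, key names and secrets below are constructed sample data.

# Print the secret of key KEYNAME defined in FILE; print nothing if absent.
key_secret() {
    awk -v want="$2" '
        /^[[:space:]]*key[[:space:]]/ {          # start of a key statement
            name = $2; gsub(/"/, "", name); inkey = (name == want)
        }
        inkey && /^[[:space:]]*secret[[:space:]]/ {
            sec = $2; gsub(/[";]/, "", sec); print sec; exit
        }
        /^[[:space:]]*};/ { inkey = 0 }          # end of the statement
    ' "$1"
}

# Classify where CONF gets KEYNAME from: "inline", "included" or "missing".
key_source() {
    if [ -n "$(key_secret "$1" "$2")" ]; then
        echo inline
    elif grep -Eq '^[[:space:]]*include[[:space:]]+"' "$1"; then
        echo included
    else
        echo missing
    fi
}

# Compare the key CONF really uses with KEYFILE (the file named will load).
# "ok": same secret, or a direct include of KEYFILE; "drift": a pasted copy
# that no longer matches, or an include of some other file; "missing".
key_status() {
    conf=$1; keyfile=$2; name=$3
    case "$(key_source "$conf" "$name")" in
        inline)
            if [ "$(key_secret "$conf" "$name")" = "$(key_secret "$keyfile" "$name")" ]
            then echo ok; else echo drift; fi ;;
        included)
            if grep -Fq "\"$keyfile\"" "$conf"; then echo ok; else echo drift; fi ;;
        *) echo missing ;;
    esac
}

# --- constructed sample files (throwaway directory; nothing real is read) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/rndc.key" <<'EOF'
key "farrowkey" {
    algorithm hmac-md5;
    secret "Y29uc3RydWN0ZWQ=";
};
EOF

# a.conf: the include layout from the thread; survives a regenerated key file
cat > "$tmp/a.conf" <<EOF
options {
    default-server localhost;
    default-key "farrowkey";
};
server localhost {
    key "farrowkey";
};
include "$tmp/rndc.key";
EOF

# b.conf: secret pasted in by hand, now stale relative to rndc.key
cat > "$tmp/b.conf" <<'EOF'
key "farrowkey" {
    algorithm hmac-md5;
    secret "c3RhbGUtY29weQ==";
};
options { default-key "farrowkey"; };
EOF

# c.conf: names a default key but defines or includes none
cat > "$tmp/c.conf" <<'EOF'
options { default-key "farrowkey"; };
EOF

for conf in "$tmp"/*.conf; do
    printf '%s: source=%s status=%s\n' "$(basename "$conf")" \
        "$(key_source "$conf" farrowkey)" \
        "$(key_status "$conf" "$tmp/rndc.key" farrowkey)"
done
```
<br>
Run against a real host by pointing the functions at /etc/rndc.conf and
/etc/rndc.key (and at named.conf, which must load the same key); a "drift"
result is the state that makes rndc stop talking to named after a package
update has regenerated the key file.<br>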
</body>
</html>