[CentOS] Re: Yum update to 4.4 stamps all over rndc.conf

Mon Sep 11 22:17:00 UTC 2006
Jim Perrin <jperrin at gmail.com>

> It only happened on one of mine, and it was the new server I hadn't put in
> service yet. Otherwise, I always re-generate the rndc.conf and rndc.key before
> a server goes live. I wonder if that has anything to do with it?

It does. The spec file for the bind rpm looks at rndc.conf in this way ->
%verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
/etc/rndc.conf

Which means that it doesn't check the size of the file or the md5sum,
but it will not replace the file if it has changed. So everyone using
a stock rndc.conf got smacked, those who modified the file or
generated a new key should have the appropriate .rpmnew for rndc.conf.

The key in /etc/rndc.conf defined as 'key' is the same in all the
rpms, so people really  should be generating their own keys. I view
this much like the snake oil localhost cert for apache. It's fine for
testing, but make your own. The key in /etc/rndc.key is autogenerated
during the %post section and should be different for every install.

1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
2. Should people be using the default /etc/rndc.conf file? probably not.
3. Should this be a far more documented issue than it is? Yes. It's
the configuration killing people here. If rndc.conf is included
everywhere it shouldn't make a difference, restarting the offending
service will reload the same .conf everything else is using and life
moves on. If someone copies the key out of the file and uses that,
they get smacked as has been documented here on the list.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell