[CentOS] Re: Yum update to 4.4 stamps all over rndc.conf

Mon Sep 11 22:29:04 UTC 2006
Peter Farrow <peter at farrows.org>

Hi There,

I was not using a stock rndc.conf file, it had references to my own 
generated external key file

options {
        default-server  localhost;
        default-key     "farrowkey";
};

server localhost {
        key     "farrowkey";
};

include "/etc/farrowkey";

It still blew it away on both my own nameservers....



Jim Perrin wrote:
>> It only happened on one of mine, and it was the new server I hadn't
>> put in service yet. Otherwise, I always re-generate the rndc.conf and
>> rndc.key before a server goes live. I wonder if that has anything to do with it?
> It does. The spec file for the bind rpm looks at rndc.conf in this way ->
> %verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
> /etc/rndc.conf
> Which means that it doesn't check the size of the file or the md5sum,
> but it will not replace the file if it has changed. So everyone using
> a stock rndc.conf got smacked, those who modified the file or
> generated a new key should have the appropriate .rpmnew for rndc.conf.
> The key in /etc/rndc.conf defined as 'key' is the same in all the
> rpms, so people really should be generating their own keys. I view
> this much like the snake oil localhost cert for apache. It's fine for
> testing, but make your own. The key in /etc/rndc.key is autogenerated
> during the %post section and should be different for every install.
> 1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
> 2. Should people be using the default /etc/rndc.conf file? probably not.
> 3. Should this be a far more documented issue than it is? Yes. It's
> the configuration killing people here. If rndc.conf is included
> everywhere it shouldn't make a difference, restarting the offending
> service will reload the same .conf everything else is using and life
> moves on. If someone copies the key out of the file and uses that,
> they get smacked as has been documented here on the list.
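As an added example (not from the list thread or the bind package), a small shell check that applies the two points above to an rndc.conf: it flags a key secret embedded inline in the config (the stock shared key) and reports an .rpmnew left beside the file by %config(noreplace). The sample configs, paths and the placeholder secret are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread: audit an rndc.conf for the two
# things discussed above, a key secret embedded inline in the config (the
# stock shared key) and an .rpmnew left behind by %config(noreplace).
# All file names below are constructed for the demo.

# rndc_audit FILE: prints findings; returns 0 if no inline secret, 1 if one
# is present, 2 if the file cannot be read.
rndc_audit() {
    conf="$1"
    status=0
    [ -r "$conf" ] || { echo "$conf: missing or unreadable"; return 2; }
    # 'secret "..."' inside the config means the key is hard-coded there;
    # for the stock file that key is identical on every install.
    if grep -Eq '^[[:space:]]*secret[[:space:]]+"' "$conf"; then
        echo "$conf: key secret embedded inline; generate your own key"
        status=1
    fi
    # 'include "..."' loads the key from a separate per-install file instead.
    if grep -Eq '^[[:space:]]*include[[:space:]]+"' "$conf"; then
        echo "$conf: key material loaded via include"
    fi
    # rpm writes the packaged file as .rpmnew when the installed copy had
    # been modified; it must be reviewed and merged by hand.
    [ -e "$conf.rpmnew" ] && echo "$conf: $conf.rpmnew present, review and merge"
    return "$status"
}

# Constructed sample configs (placeholder secret, not a real key).
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock.conf" <<'EOF'
key "example-key" {
        algorithm hmac-md5;
        secret "PLACEHOLDER-NOT-A-REAL-KEY";
};
EOF
cat > "$demo_dir/custom.conf" <<'EOF'
options { default-key "farrowkey"; };
include "/etc/farrowkey";
EOF
: > "$demo_dir/custom.conf.rpmnew"

for f in stock custom; do
    rndc_audit "$demo_dir/$f.conf" || echo "  -> $f.conf needs attention"
done
```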
