[CentOS] Re: Yum update to 4.4 stamps all over rndc.conf

Mon Sep 11 22:29:04 UTC 2006
Peter Farrow <peter at farrows.org>

Hi There,

I was not using a stock rndc.conf file; it had references to my own
generated external key file:

snip....
options {
        default-server  localhost;
        default-key     "farrowkey";
};

server localhost {
        key     "farrowkey";
};

include "/etc/farrowkey";
snip....

It still blew it away on both my own nameservers....

Regards

Pete



Jim Perrin wrote:
>> It only happened on one of mine, and it was the new server I hadn't
>> put in service yet. Otherwise, I always re-generate the rndc.conf and
>> rndc.key before a server goes live. I wonder if that has anything to do with it?
>
> It does. The spec file for the bind rpm looks at rndc.conf in this way ->
> %verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
> /etc/rndc.conf
>
> Which means that it doesn't check the size of the file or the md5sum,
> but it will not replace the file if it has changed. So everyone using
> a stock rndc.conf got smacked, those who modified the file or
> generated a new key should have the appropriate .rpmnew for rndc.conf.
>
> The key in /etc/rndc.conf defined as 'key' is the same in all the
> rpms, so people really should be generating their own keys. I view
> this much like the snake oil localhost cert for apache. It's fine for
> testing, but make your own. The key in /etc/rndc.key is autogenerated
> during the %post section and should be different for every install.
>
> 1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
> 2. Should people be using the default /etc/rndc.conf file? probably not.
> 3. Should this be a far more documented issue than it is? Yes. It's
> the configuration killing people here. If rndc.conf is included
> everywhere it shouldn't make a difference, restarting the offending
> service will reload the same .conf everything else is using and life
> moves on. If someone copies the key out of the file and uses that,
> they get smacked as has been documented here on the list.
>
>

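The two defensive habits the thread converges on, a private key kept in a separate file that rndc.conf only includes, and a check for .rpmnew/.rpmsave leftovers after a yum update, as an added shell example that is not from either poster; the directory, key name and secret source are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread). Assumes openssl or /dev/urandom
# is available; DIR and KEYNAME are parameters, not real system paths.

# gen_rndc_key DIR KEYNAME
# Writes DIR/rndc.key holding a fresh 128-bit secret (mode 0600) and
# DIR/rndc.conf that carries no secret itself, only an include of the key
# file, so a replaced rndc.conf cannot silently swap the key back to stock.
gen_rndc_key() {
    dir=$1; name=$2
    if command -v openssl >/dev/null 2>&1; then
        secret=$(openssl rand -base64 16)
    else
        secret=$(head -c 16 /dev/urandom | base64)
    fi
    # hmac-md5 is the TSIG algorithm rndc used in BIND 9.2/9.3 (CentOS 4 era)
    ( umask 077; cat > "$dir/rndc.key" <<EOF
key "$name" {
        algorithm hmac-md5;
        secret "$secret";
};
EOF
    )
    cat > "$dir/rndc.conf" <<EOF
options {
        default-server  localhost;
        default-key     "$name";
};

server localhost {
        key     "$name";
};

include "$dir/rndc.key";
EOF
}

# audit_rpm_leftovers DIR
# Lists .rpmnew/.rpmsave files under DIR (what %config(noreplace) leaves
# behind when the packaged copy changed); returns 1 if any were found.
audit_rpm_leftovers() {
    found=$(find "$1" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Run `gen_rndc_key /etc mykey` once before a server goes live, and `audit_rpm_leftovers /etc` after every update to catch a config the package manager declined to overwrite.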