Re: [CentOS] Re: Yum update to 4.4 stamps all over rndc.conf




Hi There,

I was not using a stock rndc.conf file; it had references to my own generated external key file.

snip....
options {
        default-server  localhost;
        default-key     "farrowkey";
};

server localhost {
        key     "farrowkey";
};

include "/etc/farrowkey";

snip....

It still blew it away on both my own nameservers....

Regards

Pete



Jim Perrin wrote:
It only happened on one of mine, and it was the new server I hadn't put in
service yet. Otherwise, I always re-generate the rndc.conf and rndc.key before
a server goes live. I wonder if that has anything to do with it?

It does. The spec file for the bind rpm looks at rndc.conf in this way ->
%verify(not size,not md5) %config(noreplace) %attr(0640,root,named)
/etc/rndc.conf

Which means that it doesn't check the size of the file or the md5sum,
but it will not replace the file if it has changed. So everyone using
a stock rndc.conf got smacked, those who modified the file or
generated a new key should have the appropriate .rpmnew for rndc.conf.

The key in /etc/rndc.conf defined as 'key' is the same in all the
rpms, so people really should be generating their own keys. I view
this much like the snake oil localhost cert for apache. It's fine for
testing, but make your own. The key in /etc/rndc.key is autogenerated
during the %post section and should be different for every install.

1. Should rndc.conf be replaced the way it is? IMNSHO, yes.
2. Should people be using the default /etc/rndc.conf file? probably not.
3. Should this be a far more documented issue than it is? Yes. It's
the configuration killing people here. If rndc.conf is included
everywhere it shouldn't make a difference, restarting the offending
service will reload the same .conf everything else is using and life
moves on. If someone copies the key out of the file and uses that,
they get smacked as has been documented here on the list.
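As an added example (not code from the thread or from the bind package): a small Python check that resolves the default-key in an rndc.conf against key blocks defined inline or pulled in through an include, the layout Pete's config uses. The sample config and the stand-in for the included key file are constructed for the example; the key name and secret are made up.

```python
import re

# Constructed sample shaped like the rndc.conf quoted in the thread
# (the key name and secret are made up for this example).
SAMPLE_CONF = """
options {
        default-server  localhost;
        default-key     "farrowkey";
};
server localhost {
        key     "farrowkey";
};
include "/etc/farrowkey";
"""

# Constructed stand-in for the included key file, so nothing reads /etc.
SAMPLE_INCLUDES = {
    "/etc/farrowkey": 'key "farrowkey" { algorithm hmac-md5; secret "Q29uc3RydWN0ZWQ="; };',
}

_KEY_BLOCK = re.compile(r'\bkey\s+"([^"]+)"\s*\{[^}]*\bsecret\s+"([^"]+)"', re.S)
_INCLUDE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
_DEFAULT_KEY = re.compile(r'\bdefault-key\s+"([^"]+)"\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments; // only at a token boundary so base64 '//' survives."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?m)(?:^|(?<=\s))(?://|#).*$', '', text)


def audit_rndc_conf(conf_text, includes):
    """Report where default-key is defined: inline in rndc.conf, in an include, or nowhere."""
    text = strip_comments(conf_text)
    m = _DEFAULT_KEY.search(text)
    default_key = m.group(1) if m else None
    inline = dict(_KEY_BLOCK.findall(text))
    included, missing = {}, []
    for path in _INCLUDE.findall(text):
        body = includes.get(path)
        if body is None:
            missing.append(path)  # include target absent: rndc cannot load this config
            continue
        included.update(_KEY_BLOCK.findall(strip_comments(body)))
    return {
        "default_key": default_key,
        # An inline secret lives in the file a package update may overwrite;
        # a key kept in a separate included file is not touched by that update.
        "defined_inline": default_key in inline,
        "defined_by_include": default_key in included,
        "missing_includes": missing,
    }
```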



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
