Bug 203070

Summary: rndc.conf change breaks working bind config
Product: Red Hat Enterprise Linux 4 Reporter: Martin Stransky <stransky>
Component: bindAssignee: Martin Stransky <stransky>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: Colin.Simpson, me, milan.kerslager, nalin, redbugme3210, suzuki-t, ubeck
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2006-0711 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-11-03 16:15:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 202012    
Bug Blocks:    
Attachments:
Description Flags
proposed patch none

Description Martin Stransky 2006-08-18 09:39:55 UTC 
+++ This bug was initially created as a clone of Bug #202012 +++

Description of problem:
A custom named.conf contains include "/etc/rndc.key"
rndc.conf prior to the U8 update also contained include "/etc/rndc.key"
The U8 update changes rndc.conf to include a hardcoded key statement instead of
/etc/rndc.key.
This results in rndc nolonger being able to authenticate itself to named.

Version-Release number of selected component (if applicable):
9.2.4-14_EL3

How reproducible:
Consistently

Steps to Reproduce:
1. Existing named.conf must contain include "/etc/rndc.key"
2. Existing /etc/rndc.conf must be unmodified (so it will be updated during the
upgrade)
3. Upgrade from 9.2.4-7_EL3 to 9.2.4-14_EL3
4. service named status
  
Actual results:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of 
the command protocol, this host is not authorized to connect,
or the key is invalid.

Expected results:
rndc status output

Additional info:
Checking a clean install of bind-9.2.4_14_EL3 on a pristine machine that's never
seen bind before also produces a non-working config. That is one where the
default named.conf includes /etc/rndc.key but /etc/rndc.conf hardcodes a
different key.

-- Additional comment from stransky on 2006-08-10 08:10 EST --
Thanks for the report.

-- Additional comment from tis on 2006-08-16 03:19 EST --
from bind.spec file:

#%patch1 -p1 -b .key
# This patch now in 'bind-9.2.4-5.backport.patch'

This might be true but there is no bind-9.2.4-5.backport.patch in spec.

There is: Patch9: bind-9.2.4-5_backport.patch

which doesn't include necessary bits for rndc.conf patching.

Enabling Patch1 again fixes this problem.

-- Additional comment from tis on 2006-08-16 03:22 EST --
Oh. and this same bug affects rhel-4U4 users.
Comment 1 Martin Stransky 2006-08-18 09:59:13 UTC 
Created attachment 134429 [details]
proposed patch
Comment 2 Martin Stransky 2006-08-18 10:02:58 UTC 
bind-9.2.1-key.patch really fixes this problem, unfortunately it isn't included
in 4.4
Comment 3 Tom Diehl 2006-08-21 18:03:41 UTC 
So does that mean there will be an update to fix this soon?? Essentially this
has broken all of the previously working bind configs for el3 and el4.

Yes, I know once you understand what happened, it is easy to fix but that is not
the point.
Comment 4 Milan Kerslager 2006-08-31 07:10:24 UTC 
It seems that the real cause is that the key in chroot
/var/named/chroot/etc/rndc.key differ from one provided in /etc/rndc.conf.

This may be caused by a bug in pre or post scripts. They are really ugly and
very complicated.
Comment 5 RHEL Program Management 2006-08-31 07:31:48 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Martin Stransky 2006-09-11 10:22:59 UTC 
Fixed srpm packages (for RHEL3 and RHEL4) are here:

http://people.redhat.com/stransky/bind/
Comment 17 Red Hat Bugzilla 2006-11-03 16:15:46 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0711.html
Comment 18 Shawn Starr 2006-11-27 16:42:59 UTC 
The RPM package for the errata does not seem to be available. Can someone push 
this to RHN? Thanks.

Shawn.
Comment 19 Shawn Starr 2006-11-27 16:49:57 UTC 
Nevermind it's under 'Fastrack'
Comment 20 Milan Kerslager 2006-12-09 22:07:36 UTC 
For those who has broken config: copy secret from /etc/rndc.conf (this could be
a symlink to /var/named/chroot/etc/rndc.key if you have bind-chroot installed)
to the secret in /etc/rndc.conf.
Comment 21 Milan Kerslager 2007-01-11 13:16:46 UTC 
For those who has broken config: copy secret from /etc/rndc.conf (this could be
a symlink to /var/named/chroot/etc/rndc.key if you have bind-chroot installed)
to the secret in /etc/rndc.key (TYPO FIX).
Comment 22 Suzuki Takashi 2007-02-01 05:14:50 UTC 
bind-9.2.4-20.EL4 worked.

But why was this fix put into the Fastrack channel?
Shouldn't it be a normal bug fix update?

This involves a relatively severe problem for BIND administrators,
especially if dynamic and static updates are used together:
when terminating named with `service named stop',
/usr/sbin/rndc doesn't work and failsafing killproc is actually used
in the /etc/init.d/named script.
So .jnl dynamic update caches won't be flushed 
and zone files are still obsolete after the termination.
Comment 23 Martin Stransky 2007-02-01 12:47:03 UTC 
Will be fixed in bind-9.2.4-24.EL4 and it's on the way.
Comment 24 Issue Tracker 2007-07-04 16:18:25 UTC 
Hello Uwe,

this will be fixed in bind-9.2.4-24.EL4 and it's fixed in an errata on
RHN

https://rhn.redhat.com/network/software/packages/details.pxt?pid=382408

Hence closing this issue.

Kind regards,

Steffen

Internal Status set to 'Resolved'
Status set to: Closed by Client
Resolution set to: 'RHEL 4.5'
Ticket type set to: 'Problem'

This event sent from IssueTracker by smann 
 issue 100769