Bug 71302

Summary: upgrading to errata packages blows away /etc/rndc.key if rndc.conf is modified
Product: [Retired] Red Hat Linux Reporter: James Henstridge <james>
Component: bindAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2003-08-01 19:54:50 UTC Type: ---

Description James Henstridge 2002-08-12 09:20:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020805

Description of problem:
When upgrading to the new errata packages for bind, my /etc/rndc.key file got
overwritten with the last 4 lines of /etc/rndc.conf.  This wouldn't have been so
bad if I hadn't modified /etc/rndc.conf ...

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. modify rndc.conf to add something to the end of the file
2. install bind errata (bind-9.2.1-1.7x.2.i386.rpm)

Actual Results:  rndc.key gets overwritten with the last 4 lines of rndc.conf
(which may not be a valid "key" section).

Expected Results:  rndc.key stays the same.

Additional info:

I had been having some trouble getting the rndc command to work, so had played
around with the config files a bit.

I eventually got it working (added the missing include "/etc/rndc.key"; line in
named.conf).  While trying to fix it, I also modified the rndc.conf file
(changed it to use an include statement like in named.conf -- which seemed like
a good idea to ensure that named and rndc were using the same key).

After applying the errata update, the rndc.key file contained the following:
--- Cut here ---
};

include "/etc/rndc.key";

--- Cut here ---

By the way, have you considered structuring the config files this way? (an
include statement in both named.conf and rndc.conf).  This way it wouldn't be
necessary to restrict read access to /etc/rndc.conf (since the vulnerable data
would only be in /etc/rndc.key).
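The report suggests the package presumably took the last four lines of rndc.conf as the key section. As an added example (not the errata package's script and not the reporter's code), this shell snippet locates the actual `key "..." { ... };` block instead, refuses to clobber an existing key file, and writes the new one owner-readable only; the file paths and the sample rndc.conf are constructed for the demonstration and nothing under /etc is touched.

```shell
#!/bin/sh
# Added example: split the key block out of an rndc.conf into a separate
# key file by parsing the block, not by counting trailing lines.

# Print the key "..." { ... }; block found in $1 (nothing if absent).
extract_key_block() {
    awk '
        /^[[:space:]]*key[[:space:]]+"[^"]+"[[:space:]]*[{]/ { inkey = 1 }
        inkey { print }
        inkey && /^[[:space:]]*[}];/ { exit }
    ' "$1"
}

# split_rndc_key CONF KEYFILE
# Keeps an existing, non-empty KEYFILE untouched and refuses to write
# anything unless a complete block (opening line and closing "};") exists.
split_rndc_key() {
    conf=$1; keyfile=$2
    if [ -s "$keyfile" ]; then
        echo "keeping existing $keyfile" >&2
        return 0
    fi
    block=$(extract_key_block "$conf")
    case $block in
        key*"};"*) ;;                       # complete key block
        *) echo "no complete key block in $conf" >&2; return 1 ;;
    esac
    # Key material: create the file with mode 0600 (umask in a subshell
    # so the caller's umask is left alone).
    (umask 077; printf '%s\n' "$block" > "$keyfile")
}

# Constructed sample: an rndc.conf edited so that its last four lines are
# an options block, not the key section (the situation in the report).
tmp=$(mktemp -d)
cat > "$tmp/rndc.conf" <<'EOF'
key "rndc-key" {
    algorithm hmac-md5;
    secret "EXAMPLE-NOT-A-REAL-SECRET==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
};
EOF

split_rndc_key "$tmp/rndc.conf" "$tmp/rndc.key" && cat "$tmp/rndc.key"
```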

Comment 1 Daniel Walsh 2003-01-07 16:09:22 UTC
Fixed in  bind-9.2.1-14

rndc.key is a totally separate file now.

Dan