Description of problem:
A custom named.conf contains include "/etc/rndc.key".
rndc.conf prior to the U8 update also contained include "/etc/rndc.key".
The U8 update changes rndc.conf to include a hardcoded key statement instead of /etc/rndc.key. This results in rndc no longer being able to authenticate itself to named.

Version-Release number of selected component (if applicable):
9.2.4-14_EL3

How reproducible:
Consistently

Steps to Reproduce:
1. Existing named.conf must contain include "/etc/rndc.key"
2. Existing /etc/rndc.conf must be unmodified (so it will be updated during the upgrade)
3. Upgrade from 9.2.4-7_EL3 to 9.2.4-14_EL3
4. service named status

Actual results:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of the command protocol, this host is not authorized to connect, or the key is invalid.

Expected results:
rndc status output

Additional info:
Checking a clean install of bind-9.2.4_14_EL3 on a pristine machine that's never seen bind before also produces a non-working config. That is one where the default named.conf includes /etc/rndc.key but /etc/rndc.conf hardcodes a different key.
Thanks for the report.
from bind.spec file:

#%patch1 -p1 -b .key
# This patch now in 'bind-9.2.4-5.backport.patch'

This might be true but there is no bind-9.2.4-5.backport.patch in spec. There is:

Patch9: bind-9.2.4-5_backport.patch

which doesn't include necessary bits for rndc.conf patching. Enabling Patch1 again fixes this problem.
Oh, and this same bug affects rhel-4U4 users.
Created attachment 134430
proposed patch

bind-9.2.1-key.patch really fixes this problem, unfortunately it isn't included in 4.4
*** Bug 208237 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0044.html
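A check for the mismatch described in this report, as an added example that is not part of the original bug report or of the bind package: it resolves include statements in named.conf and rndc.conf and reports whether the key rndc would send matches the key named holds under the same name. The key name "rndckey", the secrets and the file contents are constructed placeholders.

```python
import re

# Quoted strings are matched first so "//" or "#" inside a secret or path survives.
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^{}]*)\}\s*;')
ALGO_RE = re.compile(r'\balgorithm\s+"?([\w.-]+)"?\s*;')
SECRET_RE = re.compile(r'\bsecret\s+"?([A-Za-z0-9+/=]+)"?\s*;')
DEFAULT_KEY_RE = re.compile(r'\bdefault-key\s+"?([\w.-]+)"?\s*;')

def strip_comments(text):
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def load_keys(path, files, seen=None):
    """Return {name: (algorithm, secret)} defined in path or in files it includes."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return {}
    seen.add(path)
    text = strip_comments(files[path])
    keys = {}
    for inc in INCLUDE_RE.findall(text):
        keys.update(load_keys(inc, files, seen))
    for name, body in KEY_RE.findall(text):
        algo, secret = ALGO_RE.search(body), SECRET_RE.search(body)
        if algo and secret:
            keys[name] = (algo.group(1).lower(), secret.group(1))
    return keys

def check_rndc_key(files, named_conf="/etc/named.conf", rndc_conf="/etc/rndc.conf"):
    """Compare the key rndc would send with the key named holds under the same name."""
    named_keys, rndc_keys = load_keys(named_conf, files), load_keys(rndc_conf, files)
    m = DEFAULT_KEY_RE.search(strip_comments(files.get(rndc_conf, "")))
    name = m.group(1) if m else next(iter(rndc_keys), None)
    if name not in rndc_keys:
        return "rndc-key-missing"
    if name not in named_keys:
        return "named-key-missing"
    return "ok" if rndc_keys[name] == named_keys[name] else "mismatch"  # secrets never printed

# Constructed sample files; key name and secrets are placeholders, not real values.
RNDC_KEY = 'key "rndckey" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQta2V5LUE="; };\n'
NAMED = 'include "/etc/rndc.key";\ncontrols { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; };\n'
OPTS = 'options { default-server localhost; default-key "rndckey"; };\n'
BEFORE = {"/etc/named.conf": NAMED, "/etc/rndc.key": RNDC_KEY,
          "/etc/rndc.conf": OPTS + 'include "/etc/rndc.key";  // shared key file\n'}
AFTER = dict(BEFORE, **{"/etc/rndc.conf": OPTS +
    'key "rndckey" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQta2V5LUI="; };\n'})
print(check_rndc_key(BEFORE), check_rndc_key(AFTER))  # ok mismatch
```

To run it against a real host, build the `files` dictionary from the on-disk contents of the three paths instead of the constructed strings.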