Bug 203070 - rndc.conf change breaks working bind config
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind
Version: 4.4
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Martin Stransky
Ben Levenson
Depends On: 202012
Reported: 2006-08-18 05:39 EDT by Martin Stransky
Modified: 2007-11-16 20:14 EST
Fixed In Version: RHBA-2006-0711
Doc Type: Bug Fix
Last Closed: 2006-11-03 11:15:46 EST

Attachments
proposed patch (1.74 KB, patch), 2006-08-18 05:59 EDT, Martin Stransky

Description Martin Stransky 2006-08-18 05:39:55 EDT
+++ This bug was initially created as a clone of Bug #202012 +++

Description of problem:
A custom named.conf contains include "/etc/rndc.key"
rndc.conf prior to the U8 update also contained include "/etc/rndc.key"
The U8 update changes rndc.conf to include a hardcoded key statement instead of
/etc/rndc.key.
This results in rndc no longer being able to authenticate itself to named.

Version-Release number of selected component (if applicable):
9.2.4-14_EL3

How reproducible:
Consistently

Steps to Reproduce:
1. Existing named.conf must contain include "/etc/rndc.key"
2. Existing /etc/rndc.conf must be unmodified (so it will be updated during the
upgrade)
3. Upgrade from 9.2.4-7_EL3 to 9.2.4-14_EL3
4. service named status
  
Actual results:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of 
the command protocol, this host is not authorized to connect,
or the key is invalid.

Expected results:
rndc status output

Additional info:
Checking a clean install of bind-9.2.4_14_EL3 on a pristine machine that's never
seen bind before also produces a non-working config. That is, one where the
default named.conf includes /etc/rndc.key but /etc/rndc.conf hardcodes a
different key.

-- Additional comment from stransky@redhat.com on 2006-08-10 08:10 EST --
Thanks for the report.

-- Additional comment from tis@foobar.fi on 2006-08-16 03:19 EST --
from bind.spec file:

#%patch1 -p1 -b .key
# This patch now in 'bind-9.2.4-5.backport.patch'

This might be true but there is no bind-9.2.4-5.backport.patch in spec.

There is: Patch9: bind-9.2.4-5_backport.patch

which doesn't include necessary bits for rndc.conf patching.

Enabling Patch1 again fixes this problem.

-- Additional comment from tis@foobar.fi on 2006-08-16 03:22 EST --
Oh, and this same bug affects rhel-4U4 users.
Comment 1 Martin Stransky 2006-08-18 05:59:13 EDT
Created attachment 134429 [details]
proposed patch
Comment 2 Martin Stransky 2006-08-18 06:02:58 EDT
bind-9.2.1-key.patch really fixes this problem, unfortunately it isn't included
in 4.4
Comment 3 Tom Diehl 2006-08-21 14:03:41 EDT
So does that mean there will be an update to fix this soon?? Essentially this
has broken all of the previously working bind configs for el3 and el4.

Yes, I know once you understand what happened, it is easy to fix but that is not
the point.
Comment 4 Milan Kerslager 2006-08-31 03:10:24 EDT
It seems that the real cause is that the key in chroot
/var/named/chroot/etc/rndc.key differs from the one provided in /etc/rndc.conf.

This may be caused by a bug in pre or post scripts. They are really ugly and
very complicated.
Comment 5 RHEL Product and Program Management 2006-08-31 03:31:48 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Martin Stransky 2006-09-11 06:22:59 EDT
Fixed srpm packages (for RHEL3 and RHEL4) are here:

http://people.redhat.com/stransky/bind/

Comment 17 Red Hat Bugzilla 2006-11-03 11:15:46 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0711.html
Comment 18 Shawn Starr 2006-11-27 11:42:59 EST
The RPM package for the errata does not seem to be available. Can someone push 
this to RHN? Thanks.

Shawn.
Comment 19 Shawn Starr 2006-11-27 11:49:57 EST
Nevermind it's under 'Fastrack'
Comment 20 Milan Kerslager 2006-12-09 17:07:36 EST
For those who have a broken config: copy secret from /etc/rndc.conf (this could be
a symlink to /var/named/chroot/etc/rndc.key if you have bind-chroot installed)
to the secret in /etc/rndc.conf.
Comment 21 Milan Kerslager 2007-01-11 08:16:46 EST
For those who have a broken config: copy secret from /etc/rndc.conf (this could be
a symlink to /var/named/chroot/etc/rndc.key if you have bind-chroot installed)
to the secret in /etc/rndc.key (TYPO FIX).
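The check and repair that the description and comments 20 and 21 describe, written out as an added example (not part of the bug report or of the bind package): extract the `secret` statement from rndc.conf and from the rndc.key that named.conf includes, compare them, and copy the rndc.conf secret into rndc.key when they differ. The file paths, the placeholder secrets and the sample files are constructed for the demonstration; on a real host the same functions run against /etc/rndc.conf, /etc/rndc.key and the chroot copy under /var/named/chroot/etc.

```shell
#!/bin/sh
# Added example, not from the bug report: check that the secret rndc reads
# from rndc.conf matches the secret named reads from the included rndc.key,
# and copy it across when they differ (the repair comment 21 describes).
# File paths are parameters so the chroot copies under
# /var/named/chroot/etc can be checked the same way.

# Print the value of the first `secret "..."` statement in a file (empty if none).
rndc_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when both files carry the same secret, 1 when they differ or one is missing.
rndc_keys_match() {
    conf_secret=$(rndc_secret "$1")
    key_secret=$(rndc_secret "$2")
    if [ -z "$conf_secret" ] || [ -z "$key_secret" ]; then
        echo "no secret statement found in $1 or $2" >&2
        return 1
    fi
    if [ "$conf_secret" != "$key_secret" ]; then
        echo "secret mismatch between $1 and $2" >&2
        return 1
    fi
    return 0
}

# Write the secret from the first file into the secret statement of the second.
# The target is overwritten through its existing inode, so its mode and owner
# (typically root:named 0640 for rndc.key) are preserved.
sync_rndc_key() {
    new_secret=$(rndc_secret "$1")
    [ -n "$new_secret" ] || return 1
    tmp=$(mktemp) || return 1
    sed "s|^\([[:space:]]*secret[[:space:]]*\)\"[^\"]*\"|\1\"$new_secret\"|" "$2" > "$tmp" \
        && cat "$tmp" > "$2"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample files (placeholder secrets, not real keys) reproducing
# the post-update state from the report: named includes rndc.key while
# rndc.conf carries a different hardcoded key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/rndc.key" <<'EOF'
key "rndckey" {
        algorithm       hmac-md5;
        secret "AAAAAAAAAAAAAAAAAAAAAA==";
};
EOF
cat > "$demo_dir/rndc.conf" <<'EOF'
options {
        default-key     "rndckey";
        default-server  127.0.0.1;
        default-port    953;
};
key "rndckey" {
        algorithm       hmac-md5;
        secret "BBBBBBBBBBBBBBBBBBBBBB==";
};
EOF

if rndc_keys_match "$demo_dir/rndc.conf" "$demo_dir/rndc.key"; then
    echo "rndc.conf and rndc.key agree"
else
    echo "repairing: copying the rndc.conf secret into rndc.key"
    sync_rndc_key "$demo_dir/rndc.conf" "$demo_dir/rndc.key"
    rndc_keys_match "$demo_dir/rndc.conf" "$demo_dir/rndc.key" \
        && echo "rndc.conf and rndc.key now agree"
fi
```

named reads rndc.key only when it starts, so after changing that file named has to be restarted before rndc can authenticate; copying in the other direction (rndc.key into rndc.conf) takes effect on the next rndc invocation without touching named, which is why either direction from comments 20 and 21 works as long as both files end up with the same secret.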
Comment 22 Suzuki Takashi 2007-02-01 00:14:50 EST
bind-9.2.4-20.EL4 worked.

But why was this fix put into the Fastrack channel?
Shouldn't it be a normal bug fix update?

This involves a relatively severe problem for BIND administrators,
especially if dynamic and static updates are used together:
when terminating named with `service named stop',
/usr/sbin/rndc doesn't work and failsafing killproc is actually used
in the /etc/init.d/named script.
So .jnl dynamic update caches won't be flushed 
and zone files are still obsolete after the termination.
Comment 23 Martin Stransky 2007-02-01 07:47:03 EST
Will be fixed in bind-9.2.4-24.EL4 and it's on the way.
Comment 24 Issue Tracker 2007-07-04 12:18:25 EDT
Hello Uwe,

this will be fixed in bind-9.2.4-24.EL4 and it's fixed in an errata on
RHN

https://rhn.redhat.com/network/software/packages/details.pxt?pid=382408

Hence closing this issue.

Kind regards,

Steffen

Internal Status set to 'Resolved'
Status set to: Closed by Client
Resolution set to: 'RHEL 4.5'
Ticket type set to: 'Problem'

This event sent from IssueTracker by smann, issue 100769
