Bug 46586 - problems in current bind named.conf, rndc.conf
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: caching-nameserver
Version: 1.0
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Florian La Roche
David Lawrence
Reported: 2001-06-29 08:40 EDT by Jonathan Kamens
Modified: 2007-04-18 12:34 EDT
Doc Type: Bug Fix
Last Closed: 2001-07-03 16:48:38 EDT
Description Jonathan Kamens 2001-06-29 08:40:10 EDT
/etc/rndc.conf in bind-9.1.3-0.rc2.2 creates a key named "rndckey", but
then elsewhere in the file tries to use a key named "key".  The naming
should consistently be "rndckey".

This key doesn't appear in /etc/named.conf, which I believe means that rndc
won't work.

When the postinstall script creates /etc/rndc.conf and /etc/named.conf, it
doesn't make them mode 600 (which is necessary to protect the secret keys
in them) or make them owned by named.named.
Comment 1 Enrico Scholz 2001-06-29 10:56:03 EDT
I would not protect named.conf with mode 0600 but include protected key-files. E.g.:

--- /etc/bind.conf ---
...
include "/etc/rndc.key";
...

---- /etc/rndc.key (mode 0640, root.named)--- 
key "key" {
   algorithm       hmac-md5; 
   ...
};


It is a bit of a pity that rndc.conf does not understand the `include'
syntax. Otherwise the redundant key there could be removed as well.


Making the files owned by named is not a good idea because otherwise user named
(possibly gained by an attack) can modify them. Mode 0640 and owner `root.named' for
the files containing keys should be a good choice.
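
The layout discussed in the description and comment 1 (key secrets kept in an included file that is not world-readable and not owned by the daemon user) can be checked mechanically. The Python audit below is an added example, not code from this bug report or from BIND; the function names, the regular expressions and the assumption that include paths are absolute are choices made for this example, and it checks owner and mode bits only, not the group name.

```python
import os
import re
import stat
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.MULTILINE)
SECRET_RE = re.compile(r'\bsecret\s+[^;]+;')

def audit_file(path, daemon_uid, holds_secret):
    """Return permission findings for one configuration or key file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    checks = [
        (st.st_uid == daemon_uid, "owned by the daemon user, who could rewrite it"),
        (mode & (stat.S_IWGRP | stat.S_IWOTH), "group- or world-writable"),
        (holds_secret and mode & stat.S_IROTH, "holds a key secret but is world-readable"),
    ]
    return [f"{path}: {msg} (mode {mode:04o})" for bad, msg in checks if bad]

def audit_named_conf(conf_path, daemon_uid):
    """Audit conf_path and every file it includes (absolute paths assumed)."""
    with open(conf_path) as fh:
        text = fh.read()
    findings = audit_file(conf_path, daemon_uid, bool(SECRET_RE.search(text)))
    for inc in INCLUDE_RE.findall(text):
        try:
            with open(inc) as fh:
                has_secret = bool(SECRET_RE.search(fh.read()))
            findings += audit_file(inc, daemon_uid, has_secret)
        except OSError as exc:
            findings.append(f"{inc}: cannot inspect ({exc.strerror})")
    return findings

def demo(key_mode):
    """Audit a constructed named.conf + rndc.key pair; the secret is a placeholder."""
    with tempfile.TemporaryDirectory() as tmp:
        key, conf = os.path.join(tmp, "rndc.key"), os.path.join(tmp, "named.conf")
        with open(key, "w") as fh:
            fh.write('key "rndckey" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQ="; };\n')
        with open(conf, "w") as fh:
            fh.write(f'include "{key}";\n')
        os.chmod(key, key_mode)
        os.chmod(conf, 0o644)
        # Any uid other than the files' owner stands in for user "named".
        return audit_named_conf(conf, daemon_uid=os.getuid() + 1)

if __name__ == "__main__":
    print(demo(0o640), demo(0o644), sep="\n")
```

On a real host, run it as root with the path of named.conf and the numeric uid of user named, so that key files with mode 0640 can be read for inspection.
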
Comment 2 Bernhard Rosenkraenzer 2001-07-03 16:48:35 EDT
rndc.conf is fixed and rndc.key is created in bind-9.1.3-0.rc2.3.
Moving to caching-nameserver for named.conf

Comment 3 Bernhard Rosenkraenzer 2001-07-03 16:52:08 EDT
Fixed in caching-nameserver-7.2-1

