Bug 46586 - problems in current bind named.conf, rndc.conf
Summary: problems in current bind named.conf, rndc.conf
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: caching-nameserver
Version: 1.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Florian La Roche
QA Contact: David Lawrence
Reported: 2001-06-29 12:40 UTC by Jonathan Kamens
Modified: 2007-04-18 16:34 UTC (History)
Last Closed: 2001-07-03 20:48:38 UTC
Description Jonathan Kamens 2001-06-29 12:40:10 UTC
/etc/rndc.conf in bind-9.1.3-0.rc2.2 creates a key named "rndckey", but
then elsewhere in the file tries to use a key named "key".  The naming
should consistently be "rndckey".

This key doesn't appear in /etc/named.conf, which I believe means that rndc
won't work.

When the postinstall script creates /etc/rndc.conf and /etc/named.conf, it
doesn't make them mode 600 (which is necessary to protect the secret keys
in them) or make them owned by named.named.

Comment 1 Enrico Scholz 2001-06-29 14:56:03 UTC
I would not protect named.conf with mode 0600 but include protected key files. E.g.:

--- /etc/bind.conf ---
...
include "/etc/rndc.key";
...

--- /etc/rndc.key (mode 0640, root.named) ---
key "key" {
   algorithm       hmac-md5;
   ...
}


It is a bit of a pity that rndc.conf does not understand the `include'
syntax. Otherwise the redundant key there could also be removed.


Making the files owned by named is not a good idea, because user named (possibly
gained through an attack) could otherwise modify them. Mode 0640 and owner `root.named'
for the files containing keys should be a good choice.
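The layout proposed in Comment 1 (secret only in a separate key file with restrictive permissions, included from named.conf) and the name mismatch from the report (a key defined as "rndckey" but referenced as "key") can both be exercised with the script below. It is an added example, not code from the bug report or from the bind/caching-nameserver packages: the target directory, the key name and the base64 secret are constructed inputs, and the `root:named` ownership step is skipped when not run as root. A real deployment would generate its own secret (for example with rndc-confgen) rather than reuse the sample one.

```shell
#!/bin/sh
# Added example: write rndc.key / named.conf / rndc.conf the way Comment 1
# suggests, then check that the key names used across the files agree.
# Paths under $1, the key name and the sample secret are constructed inputs.

set -u

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_rndc_layout DIR KEYNAME SECRET
# Creates DIR/rndc.key (0640, the only place named reads the secret from),
# DIR/named.conf (0644, includes the key file and references the key in
# its controls block) and DIR/rndc.conf (0600; it must carry its own copy of
# the key because rndc.conf of that era did not support `include').
write_rndc_layout() {
    dir=$1 keyname=$2 secret=$3

    umask 077   # safety net: files are never world-readable even before chmod
    cat > "$dir/rndc.key" <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
    chmod 0640 "$dir/rndc.key"
    # root:named lets the daemon read the key without being able to rewrite it;
    # silently skipped when not running as root (e.g. in a test sandbox).
    chown root:named "$dir/rndc.key" 2>/dev/null || true

    cat > "$dir/named.conf" <<EOF
include "$dir/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "$keyname"; };
};
EOF
    chmod 0644 "$dir/named.conf"

    cat > "$dir/rndc.conf" <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};

options {
    default-server localhost;
    default-key "$keyname";
};
EOF
    chmod 0600 "$dir/rndc.conf"
}

# defined_keys FILE: every key name introduced by a `key "NAME" {' statement.
defined_keys() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_key_consistency RNDC_CONF NAMED_CONF KEYFILE
# Returns 0 when the key referenced by rndc.conf (default-key) and the key
# referenced by named.conf's controls block are both actually defined;
# otherwise prints the mismatch and returns 1.
check_key_consistency() {
    rndc_conf=$1 named_conf=$2 keyfile=$3
    status=0

    used=$(sed -n 's/.*default-key[[:space:]]*"\([^"]*\)".*/\1/p' "$rndc_conf")
    if ! defined_keys "$rndc_conf" | grep -qx -- "$used"; then
        echo "rndc.conf uses key \"$used\" but does not define it"; status=1
    fi

    ctl=$(sed -n 's/.*keys[[:space:]]*{[[:space:]]*"\([^"]*\)".*/\1/p' "$named_conf")
    if ! { defined_keys "$named_conf"; defined_keys "$keyfile"; } | grep -qx -- "$ctl"; then
        echo "named.conf controls reference key \"$ctl\" which is not defined"; status=1
    fi
    return $status
}
```

Run as `write_rndc_layout /tmp/bindtest rndckey <base64-secret>` followed by `check_key_consistency /tmp/bindtest/rndc.conf /tmp/bindtest/named.conf /tmp/bindtest/rndc.key`; editing `default-key` in the generated rndc.conf to `"key"` reproduces the mismatch described in the report and makes the check fail.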

Comment 2 Bernhard Rosenkraenzer 2001-07-03 20:48:35 UTC
rndc.conf is fixed and rndc.key is created in bind-9.1.3-0.rc2.3.
Moving to caching-nameserver for named.conf



Comment 3 Bernhard Rosenkraenzer 2001-07-03 20:52:08 UTC
Fixed in caching-nameserver-7.2-1