Description of problem:

The post-update (or one of the scripts) in the bind series of rpms makes an adjustment to the named.conf configuration file to add dnssec information.  It however does it wrong when you have a complex named.conf file, specifically if you have something akin to the following:

options {
        directory "/etc/named.d";

listen-on port 53 { 140.211.167.34; 127.0.0.1; !any; };

        statistics-file "/var/log/named.stats";
        zone-statistics yes;

        allow-recursion {
                127.0.0.0/8;            # localhost
                1.0.3.0/27;             # subnet 1
                1.2.3.0/26;             # subnet 2
                1.3.4.0/27;             # subnet 3
                1.4.5.0/24;             # subnet 4
                1.5.6.0/28;             # subnet 5
                1.6.7.0/24;             # subnet 6
        };

};

Which is a perfectly valid, and sane thing to do, it mashes it into:


options {
        directory "/etc/named.d";

listen-on port 53 { 140.211.167.34; 127.0.0.1; !any; };

        statistics-file "/var/log/named.stats";
        zone-statistics yes;

        allow-recursion {
                127.0.0.0/8;            # localhost
                1.0.3.0/27;             # subnet 1
                1.2.3.0/26;             # subnet 2
                1.3.4.0/27;             # subnet 3
                1.4.5.0/24;             # subnet 4
                1.5.6.0/28;             # subnet 5
                1.6.7.0/24;             # subnet 6
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside . trust-anchor dlv.isc.org.;
};
};

Which, as you can imagine, causes no end of brokenness

Version-Release number of selected component (if applicable):


How reproducible:

Always


Steps to Reproduce:
1. Take above configuration from an older system, and upgrade
2. ???
3. Squashed named
  
Actual results:

Would expect it to place the new information *AFTER* the block and not in the middle of it

This was not present in F10, is present in F11