Description of problem:
Today "yum update" replaced dnssec-conf with unbound:

Installing:
 unbound i686 1.4.4-2.fc12 my-updates 726 k
     replacing dnssec-conf.noarch 1.21-8.fc12

And now BIND doesn't start anymore:

# service named restart
Stopping named: . [ OK ]
Starting named:
Error in named configuration:
/etc/pki/dnssec-keys//named.dnssec.keys:1: open: /etc/pki/dnssec-keys//production/bg.conf: file not found
[FAILED]

My named.conf includes these lines, which dnssec-conf had previously added automatically:

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";

With the exception of named.dnssec.keys, it appears that all files under /etc/pki/dnssec-keys have been wiped out.

Version-Release number of selected component (if applicable):
was 1.21-8.fc12

How reproducible:
Always

Steps to Reproduce:
Run "yum update" on a system that had the latest BIND and dnssec-conf installed.
(cc'ing package maintainer since it got assigned to 'Orphan Owner')
Same situation with the Fedora 11 update of unbound. :/ Manual install of dnssec-conf lets NAMED resume operation.
The dnssec-conf package is obsolete in Fedora 13, but due to a misunderstanding between me and the unbound maintainer, the latest unbound update obsoleted the dnssec-conf package as done in Fedora 13 and caused this problem. I will backport the "dnssec-conf transition trigger" from Fedora 13 to the Fedora 12 bind package. It will solve the problem and correctly obsolete dnssec-conf. The trigger will automatically remove lines which point to missing files from the named configuration.
bind-9.6.2-5.P2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/bind-9.6.2-5.P2.fc12
bind-9.6.2-5.P2.fc12 obsoletes dnssec-conf, so when it hits the update repository this problem should no longer exist. Please test it, thank you in advance.
bind-9.6.2-5.P2.fc12 appears to be working fine. Thanks!
*** Bug 606585 has been marked as a duplicate of this bug. ***
Will this be coming to FC11 also? Looks like end of maintenance is set for 2010-06-25. Would be nice to get in IMO. :)
9.6.2-5.P2.fc12.x86_64 (downloaded from http://koji.fedoraproject.org/koji/buildinfo?buildID=179428, yum --enablerepo=updates-testing did not get it) did not work automatically for me.

# rpm -Uvh bind*.rpm
Preparando... ########################################### [100%]
1:bind-libs ########################################### [ 33%]
2:bind ########################################### [ 67%]
3:bind-utils ########################################### [100%]
# cat /etc/named.conf
[...]
include "/etc/named.rfc1912.zones";

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
$ ls /etc/pki/dnssec-keys/
named.dnssec.keys
$ ls -l /etc/named.conf*
-rw-r-----. 1 root named 1232 Fev 9 21:24 /etc/named.conf
-rw-r-----. 1 root root 1232 Dez 4 2009 /etc/named.conf.bak

Perhaps it did not update named.conf because I had edited it in the past (to add a few zones)?

I hand-edited named.conf to comment out the last two lines and include the correct file, and it works as expected:

#include "/etc/pki/dnssec-keys//named.dnssec.keys";
#include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
include "/etc/named.iscdlv.key";

But since you said it would do so automatically, I should not have had to edit it by hand.
I just ran "yum update" (thinking that perhaps triggers ran from yum instead of from rpm, and it was just waiting for the next time yum was run), and noticed my reflexes from years of using Debian-derived distributions (where you had to call dpkg directly to install a locally downloaded package instead of using apt) had confused me:

[...]
Executando a transação
Warning: RPMDB altered outside of yum.
[...]

It seems I should always install from within yum, and never call rpm (except for queries) directly, as explained at http://illiterat.livejournal.com/7834.html.

The trigger still seems to not have run (there is no /etc/named.conf.rpmsave), but perhaps it would had I tried to install the packages I downloaded using yum.

I hope I did not break my yum databases with this mistake ;-)
(In reply to comment #9)
> 9.6.2-5.P2.fc12.x86_64 (downloaded from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=179428, yum
> --enablerepo=updates-testing did not get it) did not work automatically for me.
>
> # rpm -Uvh bind*.rpm
> Preparando... ########################################### [100%]
> 1:bind-libs ########################################### [ 33%]
> 2:bind ########################################### [ 67%]
> 3:bind-utils ########################################### [100%]
> # cat /etc/named.conf
> [...]
> include "/etc/named.rfc1912.zones";
>
> include "/etc/pki/dnssec-keys//named.dnssec.keys";
> include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
> $ ls /etc/pki/dnssec-keys/
> named.dnssec.keys
> $ ls -l /etc/named.conf*
> -rw-r-----. 1 root named 1232 Fev 9 21:24 /etc/named.conf
> -rw-r-----. 1 root root 1232 Dez 4 2009 /etc/named.conf.bak
>
> Perhaps it did not update named.conf because I had edited it in the past (to
> add a few zones)?
>
> I hand-edited named.conf to comment out the last two lines and include the
> correct file, and it works as expected:
>
> #include "/etc/pki/dnssec-keys//named.dnssec.keys";
> #include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
> include "/etc/named.iscdlv.key";
>
> But since you said it would do so automatically, I should not have had to edit
> it by hand.

Did you have the dnssec-conf package installed? Or had you updated the unbound package before you updated bind? If you update unbound and then bind, the trigger won't be executed because it is executed only when the dnssec-conf package is removed.
(In reply to comment #11)
> Did you have dnssec-conf package installed? Or before you updated bind you had
> updated unbound package? If you update unbound and then bind, the trigger won't
> be executed because it is executed only when dnssec-conf package is removed.

Yes, for some reason I had unbound installed (I have no idea why, since I always used bind). Isn't this bug report about people who had unbound installed and upgrade every day, so unbound ended up being upgraded?

I have now uninstalled unbound and its dependencies so this will not happen again in the future:

Transação realizada com:
    Instalados rpm-4.7.2-1.fc12.x86_64
    Instalados yum-3.2.27-3.fc12.noarch
Pacotes alterados:
    Erase ldns-1.6.4-1.fc12.x86_64
    Erase unbound-1.4.4-2.fc12.x86_64
    Erase unbound-libs-1.4.4-2.fc12.x86_64
history info

The only other reference I can find to unbound in "yum history" is this:

Transação realizada com:
    Instalados rpm-4.7.2-1.fc12.x86_64
    Instalados yum-3.2.27-3.fc12.noarch
    Instalados yum-presto-0.6.2-1.fc12.noarch
Pacotes alterados:
    [...]
    Obsoletos dnssec-conf-1.21-8.fc12.noarch
    [...]
    Dep-Install ldns-1.6.4-1.fc12.x86_64
    [...]
    Obsoleting unbound-1.4.4-2.fc12.x86_64
    Dep-Install unbound-libs-1.4.4-2.fc12.x86_64
    [...]
history info

Perhaps it would be a good idea to release a new version X of the bind package which always runs the trigger when upgrading from bind <X, so it will run even if you had already lost dnssec-conf due to all this confusion?
(In reply to comment #12)
> Perhaps it would be a good idea to release a new version X of the bind package
> which always runs the trigger when upgrading from bind <X, so it will run even
> if you had already lost dnssec-conf due to all this confusion?

Hm, that might be possible, but I would rather avoid this approach. The main reason is that the trigger modifies named.conf. The general rule is "don't touch config files unless you have a _really_ good reason". I hope bind will hit the stable repo tomorrow, so it will be OK for people who haven't updated yet.
bind-9.6.2-5.P2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/bind-9.6.2-5.P2.fc12
*** Bug 607821 has been marked as a duplicate of this bug. ***
bind-9.6.2-5.P2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
So what is the solution for systems that got caught by the broken update that forcibly replaced dnssec-conf with unbound and thus no longer have dnssec-conf installed? The only way I can see is by manually downloading dnssec-conf-1.21-8.fc12.noarch.rpm, forcing rpm to ignore the conflict and install it, and then running "yum reinstall bind". Forcing rpm to do things is not generally recommended.
(In reply to comment #17)
> So what is the solution for systems that got caught by the broken update that
> forcibly replaced dnssec-conf with unbound and thus no longer have dnssec-conf
> installed? The only way I can see is by manually downloading
> dnssec-conf-1.21-8.fc12.noarch.rpm, forcing rpm to ignore the conflict and
> install it, and then running "yum reinstall bind". Forcing rpm to do things is
> not generally recommended.

You could do by hand the same thing the trigger does (do a "rpm -q bind --triggers" to see the trigger code).

If you do not want to run the trigger code directly, do the same edits to named.conf the trigger is supposed to do (based on a quick read of the trigger code):

- Change the include of dlv.isc.org.conf to instead include /etc/named.iscdlv.key
- Erase any include of named.dnssec.keys or pki/dnssec-keys.*

And then restart named.
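
The manual edits listed in the comment above, written out as an added shell example; it is not part of the original thread and is not the trigger code shipped in the bind package. The function names and the .pre-dnssec-conf backup suffix are assumptions, and include paths are assumed to be absolute, as they are in the thread.

```shell
#!/bin/sh
# Added example, not the trigger shipped in the bind package.
# Function names and the .pre-dnssec-conf suffix are assumptions.

# fix_named_conf FILE
# Applies the manual edits from the comment above to FILE:
#   - the dlv.isc.org.conf include becomes /etc/named.iscdlv.key
#   - includes of named.dnssec.keys or anything under pki/dnssec-keys go
# Commented-out includes are left alone. The original is kept as a backup,
# and FILE is rewritten through a redirect so its owner and mode
# (root:named 0640 in the thread) stay as they were.
fix_named_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.pre-dnssec-conf" || return 1
    sed -e 's|^\([[:space:]]*include[[:space:]]*"\)[^"]*/dlv\.isc\.org\.conf"|\1/etc/named.iscdlv.key"|' \
        -e '/^[[:space:]]*include[[:space:]]*"[^"]*pki\/dnssec-keys[^"]*"/d' \
        -e '/^[[:space:]]*include[[:space:]]*"[^"]*named\.dnssec\.keys"/d' \
        "$conf.pre-dnssec-conf" > "$conf"
}

# missing_includes FILE
# Prints every active include target in FILE that does not exist on disk,
# which is the condition that stopped named from starting in this report.
missing_includes() {
    sed -n 's|^[[:space:]]*include[[:space:]]*"\([^"]*\)".*|\1|p' "$1" |
    while IFS= read -r target; do
        [ -e "$target" ] || printf '%s\n' "$target"
    done
}

# Typical use, as root:
#   fix_named_conf /etc/named.conf && missing_includes /etc/named.conf
#   named-checkconf && service named restart
```

An empty result from missing_includes followed by a clean named-checkconf run means every remaining include resolves before named is restarted.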
*** Bug 608362 has been marked as a duplicate of this bug. ***