Bug 606478 - dnssec-conf removed by unbound update, now BIND doesn't start
Summary: dnssec-conf removed by unbound update, now BIND doesn't start
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-conf
Version: 12
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 606585 607821 608362 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-21 18:24 UTC by Jordan Russell
Modified: 2013-04-30 23:46 UTC (History)
13 users (show)

Fixed In Version: bind-9.6.2-5.P2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-25 18:11:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jordan Russell 2010-06-21 18:24:31 UTC
Description of problem:
Today "yum update" replaced dnssec-conf with unbound:

Installing:
 unbound                                    i686                         1.4.4-2.fc12                               my-updates                         726 k
     replacing  dnssec-conf.noarch 1.21-8.fc12


And now BIND doesn't start anymore:

# service named restart
Stopping named: .                                          [  OK  ]
Starting named:
Error in named configuration:
/etc/pki/dnssec-keys//named.dnssec.keys:1: open: /etc/pki/dnssec-keys//production/bg.conf: file not found
                                                           [FAILED]


My named.conf includes these lines, which dnssec-conf had previously added automatically:

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";


With the exception of named.dnssec.keys, it appears that all files under /etc/pki/dnssec-keys have been wiped out.


Version-Release number of selected component (if applicable):
was 1.21-8.fc12

How reproducible:
Always

Steps to Reproduce:
Run "yum update" on a system with that had the latest BIND and dnssec-conf installed.

Comment 1 Jordan Russell 2010-06-21 18:36:56 UTC
(cc'ing package maintainer since it got assigned to 'Orphan Owner')

Comment 2 James Pooton 2010-06-22 22:02:27 UTC
Same situation with the Fedora 11 update of unbound. :/  Manual install of dnssec-conf lets NAMED resume operation.

Comment 3 Adam Tkac 2010-06-23 15:35:34 UTC
dnssec-conf package is obsolete in Fedora 13 but due misunderstanding between me and unbound maintainer the latest unbound update obsoleted dnssec-conf package as done in Fedora 13 and caused this problem. I will backport the "dnssec-conf transition trigger" from Fedora 13 to Fedora 12 bind package. It will solve the problem and correctly obsolete dnssec-conf. The trigger will automatically remove lines which points to missing files from named configuration.

Comment 4 Fedora Update System 2010-06-23 15:46:12 UTC
bind-9.6.2-5.P2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bind-9.6.2-5.P2.fc12

Comment 5 Adam Tkac 2010-06-23 15:56:31 UTC
bind-9.6.2-5.P2.fc12 obsoletes dnssec-conf so when it hits update repository this problem should no longer exist. Please test it, thank you in advance.

Comment 6 Jordan Russell 2010-06-23 16:28:45 UTC
bind-9.6.2-5.P2.fc12 appears to be working fine. Thanks!

Comment 7 Adam Tkac 2010-06-23 16:49:49 UTC
*** Bug 606585 has been marked as a duplicate of this bug. ***

Comment 8 James Pooton 2010-06-23 17:01:30 UTC
Will this be coming to FC11 also? Looks like end of maintenance is set for 2010-06-25.  Would be nice to get in IMO. :)

Comment 9 Cesar Eduardo Barros 2010-06-23 23:01:23 UTC
9.6.2-5.P2.fc12.x86_64 (downloaded from http://koji.fedoraproject.org/koji/buildinfo?buildID=179428, yum --enablerepo=updates-testing did not get it) did not work automatically for me.

# rpm -Uvh bind*.rpm
Preparando...               ########################################### [100%]
   1:bind-libs              ########################################### [ 33%]
   2:bind                   ########################################### [ 67%]
   3:bind-utils             ########################################### [100%]
# cat /etc/named.conf
[...]
include "/etc/named.rfc1912.zones";

include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
$ ls /etc/pki/dnssec-keys/
named.dnssec.keys
$ ls -l /etc/named.conf*
-rw-r-----. 1 root named 1232 Fev  9 21:24 /etc/named.conf
-rw-r-----. 1 root root  1232 Dez  4  2009 /etc/named.conf.bak

Perhaps it did not update named.conf because I had edited it in the past (to add a few zones)?

I hand-edited named.conf to comment out the last two lines and include the correct file, and it works as expected:

#include "/etc/pki/dnssec-keys//named.dnssec.keys";
#include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
include "/etc/named.iscdlv.key";

But since you said it would do so automatically, I should not have had to edit it by hand.

Comment 10 Cesar Eduardo Barros 2010-06-23 23:30:19 UTC
I just ran "yum update" (thinking that perhaps triggers ran from yum instead of from rpm, and it was just waiting for the next time yum was run), and noticed my reflexes from years of using Debian-derived distributions (where you had to call dpkg directly to install a locally downloaded package instead of using apt) had confused me:

[...]
Executando a transação
Warning: RPMDB altered outside of yum.
[...]

It seems I should always install from within yum, and never call rpm (except for queries) directly, as explained at http://illiterat.livejournal.com/7834.html.

The trigger still seems to not have run (there is no /etc/named.conf.rpmsave), but perhaps it would had I tried to install the packages I downloaded using yum.

I hope I did not break my yum databases with this mistake ;-)

Comment 11 Adam Tkac 2010-06-24 08:37:55 UTC
(In reply to comment #9)
> 9.6.2-5.P2.fc12.x86_64 (downloaded from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=179428, yum
> --enablerepo=updates-testing did not get it) did not work automatically for me.
> 
> # rpm -Uvh bind*.rpm
> Preparando...               ########################################### [100%]
>    1:bind-libs              ########################################### [ 33%]
>    2:bind                   ########################################### [ 67%]
>    3:bind-utils             ########################################### [100%]
> # cat /etc/named.conf
> [...]
> include "/etc/named.rfc1912.zones";
> 
> include "/etc/pki/dnssec-keys//named.dnssec.keys";
> include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
> $ ls /etc/pki/dnssec-keys/
> named.dnssec.keys
> $ ls -l /etc/named.conf*
> -rw-r-----. 1 root named 1232 Fev  9 21:24 /etc/named.conf
> -rw-r-----. 1 root root  1232 Dez  4  2009 /etc/named.conf.bak
> 
> Perhaps it did not update named.conf because I had edited it in the past (to
> add a few zones)?
> 
> I hand-edited named.conf to comment out the last two lines and include the
> correct file, and it works as expected:
> 
> #include "/etc/pki/dnssec-keys//named.dnssec.keys";
> #include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
> include "/etc/named.iscdlv.key";
> 
> But since you said it would do so automatically, I should not have had to edit
> it by hand.    

Did you have dnssec-conf package installed? Or before you updated bind you had updated unbound package? If you update unbound and then bind, the trigger won't be executed because it is executed only when dnssec-conf package is removed.

Comment 12 Cesar Eduardo Barros 2010-06-24 11:10:34 UTC
(In reply to comment #11)
> Did you have dnssec-conf package installed? Or before you updated bind you had
> updated unbound package? If you update unbound and then bind, the trigger won't
> be executed because it is executed only when dnssec-conf package is removed.    

Yes, for some reason I had unbound installed (I have no idea why, since I always used bind). Isn't this bug report about people who had unbound installed and upgrade every day, so unbound ended up being upgraded?

I have now uninstalled unbound and its dependencies so this will not happen again in the future:

Transação realizada com:
    Instalados   rpm-4.7.2-1.fc12.x86_64
    Instalados   yum-3.2.27-3.fc12.noarch
Pacotes alterados:
    Erase        ldns-1.6.4-1.fc12.x86_64
    Erase        unbound-1.4.4-2.fc12.x86_64
    Erase        unbound-libs-1.4.4-2.fc12.x86_64
history info

The only other reference I can find to unbound in "yum history" is this:

Transação realizada com:
    Instalados   rpm-4.7.2-1.fc12.x86_64
    Instalados   yum-3.2.27-3.fc12.noarch
    Instalados   yum-presto-0.6.2-1.fc12.noarch
Pacotes alterados:
[...]
    Obsoletos    dnssec-conf-1.21-8.fc12.noarch
[...]
    Dep-Install  ldns-1.6.4-1.fc12.x86_64
[...]
    Obsoleting   unbound-1.4.4-2.fc12.x86_64
    Dep-Install  unbound-libs-1.4.4-2.fc12.x86_64
[...]
history info

Perhaps it would be a good idea to release a new version X of the bind package which always runs the trigger when upgrading from bind <X, so it will run even if you had already lost dnssec-conf due to all this confusion?

Comment 13 Adam Tkac 2010-06-24 12:06:05 UTC
(In reply to comment #12)
> Perhaps it would be a good idea to release a new version X of the bind package
> which always runs the trigger when upgrading from bind <X, so it will run even
> if you had already lost dnssec-conf due to all this confusion?    

Hm, that might be possible but I would rather avoid this approach. Main reason is the trigger modifies named.conf. General rule is "don't touch config files except you have _really_ good reason".

I hope bind will hit stable repo tomorrow so it will be OK for people who haven't updated, yet.

Comment 14 Fedora Update System 2010-06-24 16:21:37 UTC
bind-9.6.2-5.P2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/bind-9.6.2-5.P2.fc12

Comment 15 Adam Tkac 2010-06-25 07:43:56 UTC
*** Bug 607821 has been marked as a duplicate of this bug. ***

Comment 16 Fedora Update System 2010-06-25 18:11:03 UTC
bind-9.6.2-5.P2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Robert Nichols 2010-06-26 16:32:14 UTC
So what is the solution for systems that got caught by the broken update that forcibly replaced dnssec-conf with unbound and thus no longer have dnssec-conf installed?  The only way I can see is by manually downloading dnssec-conf-1.21-8.fc12.noarch.rpm, forcing rpm to ignore the conflict and install it, and then running "yum reinstall bind".  Forcing rpm to do things is not generally recommended.

Comment 18 Cesar Eduardo Barros 2010-06-26 17:27:22 UTC
(In reply to comment #17)
> So what is the solution for systems that got caught by the broken update that
> forcibly replaced dnssec-conf with unbound and thus no longer have dnssec-conf
> installed?  The only way I can see is by manually downloading
> dnssec-conf-1.21-8.fc12.noarch.rpm, forcing rpm to ignore the conflict and
> install it, and then running "yum reinstall bind".  Forcing rpm to do things is
> not generally recommended.    

You could do by hand the same thing the trigger does (do a "rpm -q bind --triggers" to see the trigger code). If you do not want to run the trigger code directly, do the same edits do named.conf the trigger is supposed to do (based on a quick read of the trigger code):

- Change the include of dlv.isc.org.conf to instead include /etc/named.iscdlv.key
- Erase any include of named.dnssec.keys or pki/dnssec-keys.*

And then restart named.

Comment 19 Adam Tkac 2010-06-28 12:30:31 UTC
*** Bug 608362 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.