Red Hat Bugzilla – Bug 71302
upgrading to errata packages blows away /etc/rndc.key if rndc.conf is modified
Last modified: 2007-04-18 12:45:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020805
Description of problem:
When upgrading to the new errata packages for bind, my /etc/rndc.key file got
overwritten with the last 4 lines of /etc/rndc.conf. This wouldn't have been so
bad if I hadn't modified /etc/rndc.conf ...
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Modify rndc.conf to add something to the end of the file
2. Install bind errata (bind-9.2.1-1.7x.2.i386.rpm)
Actual Results: rndc.key gets overwritten with the last 4 lines of rndc.conf
(which may not be a valid "key" section).
Expected Results: rndc.key stays the same.
I had been having some trouble getting the rndc command to work, so had played
around with the config files a bit.
I eventually got it working (added the missing include "/etc/rndc.key"; line in
named.conf). While trying to fix it, I also modified the rndc.conf file
(changed it to use an include statement like in named.conf -- which seemed like
a good idea to ensure that named and rndc were using the same key).
After applying the errata update, the rndc.key file contained the following:
--- Cut here ---
--- Cut here ---
By the way, have you considered structuring the config files this way? (an
include statement in both named.conf and rndc.conf). This way it wouldn't be
necessary to restrict read access to /etc/rndc.conf (since the vulnerable data
would only be in /etc/rndc.key).
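The layout suggested above, set up and checked in a scratch directory, as an added example (not code from the bug report or from the bind packages). Everything here is an assumption for illustration: the files are written under a temporary $CONF_DIR rather than /etc, the key name "rndc-key" and the hmac-md5 line are placeholders, and the secret is a constructed throwaway string. The last function only recreates the reported outcome (rndc.key ending up as the last four lines of rndc.conf) so the checks can be exercised; it is not the package scriptlet.

```shell
#!/bin/sh
# Added example: one key file, included from both named.conf and rndc.conf,
# so only rndc.key needs restricted permissions. $CONF_DIR, the key name and
# the secret are assumptions; the secret is a constructed dummy, not a real key.

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

write_split_config() {
    # The only file that carries the secret; keep it owner-readable only.
    cat > "$CONF_DIR/rndc.key" <<'EOF'
key "rndc-key" {
    algorithm hmac-md5;
    secret "c29tZS1jb25zdHJ1Y3RlZC1zYW1wbGUtc2VjcmV0Cg==";
};
EOF
    chmod 600 "$CONF_DIR/rndc.key"

    # named side: pull the key in and bind it to the control channel.
    cat > "$CONF_DIR/named.conf" <<EOF
include "$CONF_DIR/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

    # rndc side: the same include, so both programs can only share one secret.
    cat > "$CONF_DIR/rndc.conf" <<EOF
include "$CONF_DIR/rndc.key";
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
}

# Returns 0 if $1 looks like a stand-alone key file: a key statement with an
# algorithm and a secret, and no options/controls/include lines leaked into it.
looks_like_key_file() {
    grep -q '^key "[^"]*" {' "$1" &&
    grep -q 'algorithm' "$1" &&
    grep -q 'secret "' "$1" &&
    ! grep -Eq '^(options|controls|include)' "$1"
}

# Returns 0 if named.conf and rndc.conf include the same key file, that file
# is a proper key stanza, and its mode is 600. (stat -c is GNU; -f is BSD.)
split_config_consistent() {
    n=$(sed -n 's/^include "\(.*\)";/\1/p' "$CONF_DIR/named.conf")
    r=$(sed -n 's/^include "\(.*\)";/\1/p' "$CONF_DIR/rndc.conf")
    [ -n "$n" ] && [ "$n" = "$r" ] && looks_like_key_file "$n" &&
    [ "$(stat -c %a "$n" 2>/dev/null || stat -f %Lp "$n")" = "600" ]
}

# Recreates the reported breakage for testing: rndc.key replaced by the last
# four lines of rndc.conf. This is a simulation of the result described in
# the report, not the actual package scriptlet.
simulate_bad_upgrade() {
    tail -4 "$CONF_DIR/rndc.conf" > "$CONF_DIR/rndc.key"
}
```

Run write_split_config, then split_config_consistent as a post-upgrade sanity check; after an update that touches bind, looks_like_key_file /etc/rndc.key is the quick way to tell whether the key file still holds a key stanza before restarting named.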
Fixed in bind-9.2.1-14
rndc.key is a totally separate file now.