Bug 719855 - named.root.key is not mounted in bind97-chroot
Summary: named.root.key is not mounted in bind97-chroot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind97
Version: 5.6
Hardware: All
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Adam Tkac
QA Contact: Branislav Blaškovič
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-08 08:24 UTC by cdexec
Modified: 2014-12-01 15:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 04:06:07 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0043 0 normal SHIPPED_LIVE bind97 bug fix and enhancement update 2013-01-08 08:38:36 UTC

Description cdexec 2011-07-08 08:24:32 UTC
Description of problem:
When using bind97 with chroot, the file named.root.key is not mounted to the chroot environment. 

Version-Release number of selected component (if applicable):
5.6

How reproducible:
Set up a plain bind97 with chroot and enable DNSSEC validation. The root key is not mounted to the chroot environment and DNSSEC validation will fail (bind97 will log an error: "named.root.key file not found").


Additional info:
A possible fix is to include /etc/named.root.key in /etc/init.d/named, i.e. change the contents of the ROOTDIR_MOUNT variable in /etc/init.d/named from

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'

to

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /etc/named.root.key'

Note that only a plain installation where the root key was never loaded before and only in combination with chroot is affected.
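
A check for the class of problem reported above, added here as an example and not part of the bug report or of the bind97 package: it compares the files a named.conf pulls in with the init script's ROOTDIR_MOUNT list and prints any that would be absent from the chroot. The function names, the temporary file names and the sample named.conf are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: list files that named.conf references
# but that the init script's ROOTDIR_MOUNT list would leave out of the chroot.
# Print the ROOTDIR_MOUNT='...' value (it may span lines) from init script $1.
rootdir_mount_list() {
    awk -v q="'" '/^ROOTDIR_MOUNT=/ { on = 1 }
        on { print }
        on && $0 ~ (q "[ \t]*$") { exit }' "$1" |
        sed 's/^ROOTDIR_MOUNT=//' | tr -d "'" | tr '\n' ' '
}

# Print the paths named by include and bindkeys-file statements in config $1.
conf_file_refs() {
    sed -n -e 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' \
           -e 's/^[[:space:]]*bindkeys-file[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print each referenced path that is neither a ROOTDIR_MOUNT entry nor under one.
missing_mounts() {   # $1 = init script, $2 = named.conf
    mounts=$(rootdir_mount_list "$1")
    conf_file_refs "$2" | while read -r p; do
        covered=no
        for m in $mounts; do
            case "$p" in "$m"|"$m"/*) covered=yes ;; esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$p"
    done
}

# Constructed samples: the two ROOTDIR_MOUNT values quoted in the report and a
# minimal, hypothetical named.conf that includes the root key.
write_samples() {   # $1 = directory to write into
    cat > "$1/named.before" <<'EOF'
ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'
EOF
    sed "s|iscdlv.key'|iscdlv.key /etc/named.root.key'|" "$1/named.before" > "$1/named.after"
    cat > "$1/named.conf" <<'EOF'
options {
    bindkeys-file "/etc/named.iscdlv.key";
};
include "/etc/named.root.key";
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "before fix: $(missing_mounts "$tmp/named.before" "$tmp/named.conf")"
echo "after fix:  $(missing_mounts "$tmp/named.after" "$tmp/named.conf")"; rm -rf "$tmp"
```

On a real host the two arguments would be /etc/init.d/named and /etc/named.conf; an empty result means every referenced file is covered by the mount list.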

Comment 1 cdexec 2011-07-08 08:27:14 UTC
It might be that this somehow relates to Bug 693788: https://bugzilla.redhat.com/show_bug.cgi?id=693788 which deals with the fact that bind97 did not contain the root zone DNSKEY (but I believe this is fixed now, as /etc/named.root.key ships with bind97-9.7.0-6.P2).

Additionally, I forgot to mention that this bug was detected on CentOS.

Comment 2 Adam Tkac 2011-07-11 08:52:16 UTC
Right you are, /etc/named.root.key should be listed in the ROOTDIR_MOUNT variable, thanks for the report.

Comment 3 RHEL Program Management 2011-09-23 00:28:45 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2012-04-02 10:33:53 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 11 errata-xmlrpc 2013-01-08 04:06:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0043.html

