Description of problem:
When using bind97 with chroot, the file named.root.key is not mounted to the chroot environment.

Version-Release number of selected component (if applicable):
5.6

How reproducible:
Set up a plain bind97 with chroot and enable DNSSEC validation. The root key is not mounted to the chroot environment and DNSSEC validation will fail (bind97 will log an error: "named.root.key file not found").

Additional info:
A possible fix is to include /etc/named.root.key in /etc/init.d/named, i.e. change the contents of the ROOTDIR_MOUNT variable in /etc/init.d/named from

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'

to

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /etc/named.root.key'

Note that only a plain installation where the root key was never loaded before and only in combination with chroot is affected.
It might be that this somehow relates to Bug 693788: https://bugzilla.redhat.com/show_bug.cgi?id=693788 which deals with the fact that bind97 did not contain the root zone DNSKEY (but I believe this is fixed now, as /etc/named.root.key ships with bind97-9.7.0-6.P2). Additionally, I forgot to mention that this bug was detected on CentOS.
Right you are, /etc/named.root.key should be listed in the ROOTDIR_MOUNT variable, thanks for the report.
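The report boils down to one path missing from the init script's mount list, which bind only notices at validation time. A quick way to catch that class of misconfiguration before named starts is to walk the ROOTDIR_MOUNT list and confirm every entry actually exists under the chroot. The script below is an added example, not part of this bug report or of the bind97 package; the function name check_chroot_mounts, the default chroot location /var/named/chroot and the ROOTDIR environment variable are assumptions for illustration. The mount list it carries is the corrected one from the report, with /etc/named.root.key appended.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that every path listed in
# a bind chroot's ROOTDIR_MOUNT is present inside the chroot directory, so a
# missing /etc/named.root.key is reported before DNSSEC validation fails.

# check_chroot_mounts CHROOT_DIR "path1 path2 ..."
# Prints each listed path that is absent under CHROOT_DIR.
# Returns 0 when everything is present, 1 when anything is missing.
check_chroot_mounts() {
    rootdir=$1
    mounts=$2
    missing=0
    # ROOTDIR_MOUNT is a space-separated list, so deliberate word splitting.
    for p in $mounts; do
        if [ ! -e "$rootdir$p" ]; then
            echo "missing in chroot: $rootdir$p"
            missing=1
        fi
    done
    return $missing
}

# Mount list from /etc/init.d/named as quoted in the report, with the
# proposed fix applied (/etc/named.root.key appended at the end).
FIXED_ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /etc/named.root.key'

# On a real host ROOTDIR normally comes from /etc/sysconfig/named; the
# default below is an assumption. Call run_check to audit the live chroot.
run_check() {
    rootdir=${ROOTDIR:-/var/named/chroot}
    check_chroot_mounts "$rootdir" "$FIXED_ROOTDIR_MOUNT"
}
```

Run it as `ROOTDIR=/var/named/chroot sh check-chroot.sh` after adding a final `run_check` line; a non-zero exit with a "missing in chroot" line for /etc/named.root.key reproduces the condition the report describes without having to wait for named to log the validation error.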
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0043.html