Bug 719855 - named.root.key is not mounted in bind97-chroot
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind97
Version: 5.6
Priority: medium, Severity: medium
Assigned To: Adam Tkac
Branislav Blaškovič
Reported: 2011-07-08 04:24 EDT by cdexec
Modified: 2014-12-01 10:25 EST

Doc Type: Bug Fix
Last Closed: 2013-01-07 23:06:07 EST
Description cdexec 2011-07-08 04:24:32 EDT
Description of problem:
When using bind97 with chroot, the file named.root.key is not mounted to the chroot environment. 

Version-Release number of selected component (if applicable):
5.6

How reproducible:
Set up a plain bind97 with chroot and enable DNSSEC validation. The root key is not mounted to the chroot environment and DNSSEC validation will fail (bind97 will log an error: "named.root.key file not found").


Additional info:
A possible fix is to include /etc/named.root.key in /etc/init.d/named, i.e. change the contents of the ROOTDIR_MOUNT variable in /etc/init.d/named from

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'

to

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /etc/named.root.key'

Note that only a plain installation where the root key was never loaded before and only in combination with chroot is affected.
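
A pre-flight check for this class of failure, as an added example that is not part of the original report or of the bind97 package: it lists files that a named.conf references through `include` or `bindkeys-file` but that no ROOTDIR_MOUNT entry covers. The sample configuration is constructed and the function names are hypothetical; the check generalizes the report's single missing file to any referenced file.

```bash
# Added example, not from the bug report or the bind97 package.
# The two lists are the ROOTDIR_MOUNT values quoted in the report (before / after).
MOUNT_BEFORE='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'
MOUNT_AFTER="$MOUNT_BEFORE /etc/named.root.key"

# Constructed sample configuration (assumption); a real check would read /etc/named.conf.
SAMPLE_CONF='options {
    directory "/var/named";
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";   // root trust anchor
'

# Print the absolute paths named by include and bindkeys-file statements on stdin.
# Lines that start with a comment marker do not match and are skipped.
referenced_files() {
    sed -n -E 's#^[[:space:]]*(include|bindkeys-file)[[:space:]]+"(/[^"]*)".*#\2#p'
}

# Print each FILE that no MOUNT_LIST entry covers: an entry covers the identical
# path and, because directories are mounted whole, anything beneath it.
unmounted_files() {
    mount_list=$1; shift
    for f in "$@"; do
        covered=no
        for m in $mount_list; do   # word splitting also handles the embedded newlines
            case "$f" in "$m"|"$m"/*) covered=yes; break ;; esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$f"
    done
}

# usage: check_conf MOUNT_LIST < named.conf
# Reports referenced files the init script would not make visible inside the chroot.
check_conf() {
    unmounted_files "$1" $(referenced_files)
}

printf 'before fix: %s\n' "$(printf '%s' "$SAMPLE_CONF" | check_conf "$MOUNT_BEFORE")"
printf 'after fix:  %s\n' "$(printf '%s' "$SAMPLE_CONF" | check_conf "$MOUNT_AFTER")"
```

An empty result means every referenced file is covered by the mount list; it does not prove the file exists on the host.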
Comment 1 cdexec 2011-07-08 04:27:14 EDT
It might be that this somehow relates to Bug 693788 (https://bugzilla.redhat.com/show_bug.cgi?id=693788), which deals with the fact that bind97 did not contain the root zone DNSKEY (but I believe this is fixed now, as /etc/named.root.key ships with bind97-9.7.0-6.P2).

Additionally, I forgot to mention that this bug was detected on CentOS.
Comment 2 Adam Tkac 2011-07-11 04:52:16 EDT
Right you are, /etc/named.root.key should be listed in the ROOTDIR_MOUNT variable, thanks for the report.
Comment 3 RHEL Product and Program Management 2011-09-22 20:28:45 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2012-04-02 06:33:53 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 11 errata-xmlrpc 2013-01-07 23:06:07 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0043.html
