Date:      Sat, 7 Jun 2003 11:05:52 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Doug Barton <DougB@freebsd.org>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: Way forward with BIND 8
Message-ID:  <200306071805.h57I5q6Y036169@apollo.backplane.com>
References:  <20030605235254.W5414@znfgre.qbhto.arg> <20030606024813.Y5414@znfgre.qbhto.arg> <20030606233358.Y15459@znfgre.qbhto.arg>


:
:On Fri, 6 Jun 2003, Matthew Dillon wrote:
:
:>     There are two issues with a changeover to bind-9.  First, the bind-9
:>     port does not properly install the new encrypted command/management
:>     system (the equivalent to ndc in bind-8),
:
:Can you elaborate on this? What does the port do wrong, or what should it
:do differently?
:
:Doug

    If you install the bind9 port, and try to run rndc, you get this:

    apollo:/home/dillon# rndc reload
    rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found

    To make rndc work properly you have to rename rndc.conf.sample to rndc.conf,
    and you have to read the rndc.conf manual page to generate a new secret key
    since the one in rndc.conf.sample is simply copied out of the distribution
    and not actually secure (which is really a bad idea, even for a sample
    file).  This is regardless of the fact that it's stupid to even require
    a secret key for a local control program, but we can't do anything about
    that :-). 

    Additionally, the rndc.conf.sample file is globally readable by default,
    and most sysops are likely to install an rndc.conf file that is also
    globally readable by default... a really bad idea.

    Additionally, the rndc-confgen program does not even appear to work,
    at least not on my system.  If I run 'rndc-confgen -a' it just stays
    stuck in a select() somewhere and does nothing.

    All of these operations should be performed by the port installation
    process.  There is no need to force the sysop to copy and cleanup the
    rndc.conf file if the file did not previously exist on the machine, and
    certainly no need to force the sysop to generate a random key just to
    make rndc work.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
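The post-install step the message argues the port should do for you, written out as an added example (this is not code from the mail, from the bind9 port, or from ISC): if no rndc.conf exists yet, generate a fresh random secret, write rndc.conf plus a matching key/controls snippet for named.conf, and create both files 0600 from the start so there is never a window in which the shared secret is world-readable. The key name "rndc-key", the output file names, the 127.0.0.1:953 control channel and the hmac-sha256 algorithm are assumptions for illustration; the BIND 9 of 2003 only understood hmac-md5 for rndc, and current releases deprecate it, so adjust the algorithm line to what your named accepts.

```shell
#!/bin/sh
# Added example, not the FreeBSD bind9 port's own install script.
# Generates an rndc shared secret and writes rndc.conf (for rndc) and a
# named.conf snippet (for named) with mode 0600, refusing to clobber an
# existing rndc.conf. Key name, file names and algorithm are assumptions.

set -u

# gen_rndc_secret: 32 random bytes from /dev/urandom, base64-encoded, which
# is the form BIND expects in a key's "secret" statement.
gen_rndc_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# install_rndc_conf DIR: create DIR/rndc.conf and DIR/rndc.named-snippet.
# Returns 0 on success, 1 (and touches nothing) if rndc.conf already exists,
# mirroring the "only if the file did not previously exist" rule in the mail.
install_rndc_conf() {
    dir=$1
    conf="$dir/rndc.conf"
    snippet="$dir/rndc.named-snippet"
    if [ -e "$conf" ]; then
        echo "install_rndc_conf: $conf exists, leaving it alone" >&2
        return 1
    fi
    secret=$(gen_rndc_secret)

    # Create the files 0600 via umask rather than chmod after the fact:
    # a chmod leaves a short window in which the secret is world-readable.
    old_umask=$(umask)
    umask 077
    cat > "$conf" <<EOF
key "rndc-key" {
    algorithm hmac-sha256;
    secret "$secret";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
    cat > "$snippet" <<EOF
# Include from named.conf so named accepts rndc from localhost with this key.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "$secret";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    umask "$old_umask"
    return 0
}

# file_mode FILE: print the octal permission bits; tries the GNU stat flag
# first and falls back to the BSD one so the check works on either platform.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: run against a scratch directory and inspect the result.
#   tmp=$(mktemp -d) && install_rndc_conf "$tmp" && ls -l "$tmp"
```

The two "key" blocks must carry the identical secret, since rndc authenticates to named with an HMAC over each control message using that shared value; the script writes both from one variable for exactly that reason. Running it a second time against the same directory is a no-op, which is the behaviour a port's post-install hook needs so that an upgrade never rotates a key the sysop already distributed.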


