Way forward with BIND 8
Matthew Dillon
dillon at apollo.backplane.com
Sat Jun 7 11:05:54 PDT 2003
:
:On Fri, 6 Jun 2003, Matthew Dillon wrote:
:
:> There are two issues with a changeover to bind-9. First, the bind-9
:> port does not properly install the new encrypted command/management
:> system (the equivalent to ndc in bind-8),
:
:Can you elaborate on this? What does the port do wrong, or what should it
:do differently?
:
:Doug
If you install the bind9 port, and try to run rndc, you get this:
apollo:/home/dillon# rndc reload
rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found
To make rndc work properly you have to rename rndc.conf.sample to rndc.conf,
and you have to read the rndc.conf manual page to generate a new secret key
since the one in rndc.conf.sample is simply copied out of the distribution
and not actually secure (which is really a bad idea, even for a sample
file). This is regardless of the fact that it's stupid to even require
a secret key for a local control program, but we can't do anything about
that :-).
Additionally, the rndc.conf.sample file is globally readable by default,
and most sysops are likely to install an rndc.conf file that is also
globally readable by default... a real bad idea.
Additionally, the rndc-confgen program does not even appear to work,
at least not on my system. If I run 'rndc-confgen -a' it just stays
stuck in a select() somewhere and does nothing.
All of these operations should be performed by the port installation
process. There is no need to force the sysop to copy and cleanup the
rndc.conf file if the file did not previously exist on the machine, and
certainly no need to force the sysop to generate a random key just to
make rndc work.
-Matt
Matthew Dillon
<dillon at backplane.com>
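The steps Matt describes above (generate a fresh secret, install rndc.conf, keep it unreadable to anyone but root) as an added worked example in POSIX sh. This is illustrative code written for this page, not the bind9 port's install script or anything from ISC; the directory (`RNDC_DIR`), the key name (`KEY_NAME`) and the check helpers are assumptions. It writes the key stanza into a separate rndc.key that both rndc.conf and named.conf can `include`, so the secret exists in exactly one file, creates both files with mode 0600 under a subshell `umask 077`, and then verifies that nothing group- or world-readable was left behind and that the installed secret is not the one from rndc.conf.sample. The `hmac-md5` algorithm matches BIND 9 of the 2003 era; newer BIND accepts `hmac-sha256`, which is the better choice. If `rndc-confgen -a` blocks as reported, note that it reads /dev/random by default and its documented `-r randomfile` option lets you point it at another entropy source.

```shell
#!/bin/sh
# Added example (not the bind9 port's own code): generate a fresh rndc secret,
# write rndc.key and rndc.conf with mode 0600, and check the result.
# RNDC_DIR and KEY_NAME are illustrative assumptions; the port in the post
# used /usr/local/etc. Nothing is written unless RNDC_DIR is set, e.g.
#   RNDC_DIR=/usr/local/etc sh rndc-setup.sh

KEY_NAME="${KEY_NAME:-rndc-key}"

# 32 random bytes, base64-encoded: the HMAC secret rndc and named will share.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Write $1/rndc.key (key stanza, included by both rndc.conf and named.conf)
# and $1/rndc.conf, both 0600, using secret $2. Runs in a subshell so the
# restrictive umask does not leak into the caller. Prints the controls
# stanza the sysop still has to add to named.conf.
write_rndc_files() (
    dir="$1" secret="$2"
    umask 077
    cat > "$dir/rndc.key" <<EOF
key "$KEY_NAME" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
    cat > "$dir/rndc.conf" <<EOF
include "$dir/rndc.key";
options {
    default-key "$KEY_NAME";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
    cat <<EOF
# add to named.conf:
include "$dir/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$KEY_NAME"; };
};
EOF
)

# 0 if $1 has no group/other permission bits at all, 1 otherwise.
is_private() {
    [ "$(ls -ld "$1" | awk '{print substr($1, 5, 6)}')" = "------" ]
}

# Print the secret found in a key file or rndc.conf-style file.
secret_of() {
    sed -n 's/.*secret "\([^"]*\)".*/\1/p' "$1"
}

# 0 if the secret in $1 differs from the one in sample file $2
# (or no sample exists); catches the "shipped sample key" mistake.
not_sample_secret() {
    [ ! -f "$2" ] || [ "$(secret_of "$1")" != "$(secret_of "$2")" ]
}

# Install fresh files into $1 and verify permissions and key freshness.
setup_rndc() {
    dir="$1"
    write_rndc_files "$dir" "$(gen_secret)" || return 1
    is_private "$dir/rndc.conf" && is_private "$dir/rndc.key" \
        && not_sample_secret "$dir/rndc.key" "$dir/rndc.conf.sample"
}

if [ -n "$RNDC_DIR" ]; then
    setup_rndc "$RNDC_DIR" && echo "rndc files installed in $RNDC_DIR (0600)"
fi
```

The permission check deliberately looks at the actual mode bits on disk rather than trusting the umask, so it also catches a pre-existing world-readable rndc.conf that the sysop copied by hand.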