Way forward with BIND 8
Doug Barton
DougB at FreeBSD.org
Sat Jun 7 15:51:07 PDT 2003
On Sat, 7 Jun 2003, Matthew Dillon wrote:
> If you install the bind9 port, and try to run rndc, you get this:
>
> apollo:/home/dillon# rndc reload
> rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found
>
> To make rndc work properly you have to rename rndc.conf.sample to rndc.conf,
> and you have to read the rndc.conf manual page to generate a new secret key
That's one way to do it, the other way to do it is to run rndc-confgen -a
as you described below. This is actually a better solution, since this
handles configuration, a new secret key, and proper file permissions all
in one. As for not doing any of this by default, we don't install a
named.conf file by default either. There is a lot of stuff the sysadmin
has to do in order to get named working, this is just one of them.
> since the one in rndc.conf.sample is simply copied out of the distribution
> and not actually secure (which is really a bad idea, even for a sample
> file). This is regardless of the fact that it's stupid to even require
> a secret key for a local control program, but we can't do anything about
> that :-).
Well, rndc can be configured for remote control too. Since by default it's
configured locally though, I decided that the easiest way to deal with it
would just be to copy the sample file. However, based on your feedback
here, I just added a pkg-message that gives some information about this
topic.
> Additionally, the rndc-confgen program does not even appear to work,
> at least not on my system. If I run 'rndc-confgen -a' it just stays
> stuck in a select() somewhere and does nothing.
http://people.freebsd.org/~dougb/randomness.html :)
Thanks for the feedback,
Doug
--
This .signature sanitized for your protection
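
Added example, not part of the original message or of the bind9 port: a small shell audit for the two problems discussed in the thread, an rndc control file that still carries the secret copied from `rndc.conf.sample`, and a key file readable by group or other. The function names and the file contents used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Audit an rndc.conf / rndc.key file against the shipped sample file.
# Hypothetical helper names; not part of BIND or the FreeBSD port.

# Print the first `secret "..."` value found in an rndc.conf/rndc.key style file.
rndc_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# audit_rndc FILE SAMPLE
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_rndc() {
    conf=$1 sample=$2 rc=0
    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi
    live=$(rndc_secret "$conf")
    if [ -z "$live" ]; then
        echo "no-secret: $conf"
        rc=1
    fi
    # A secret identical to the sample's is public knowledge, not a secret.
    if [ -f "$sample" ] && [ -n "$live" ] && [ "$live" = "$(rndc_secret "$sample")" ]; then
        echo "sample-secret: $conf"
        rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "loose-perms: $conf"
        rc=1
    fi
    return $rc
}

# When called with arguments, audit that file: audit.sh FILE SAMPLE
[ $# -eq 0 ] || audit_rndc "$@"
```

Pass the live file (for example `/usr/local/etc/rndc.conf` or `/usr/local/etc/rndc.key`) as the first argument and the installed copy of `rndc.conf.sample` as the second; the sample's location is whatever the port installed.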