From owner-freebsd-current@FreeBSD.ORG Wed Apr 24 14:36:03 2013
To: current@freebsd.org
Subject: 'service named reload' with non-default system directories.
From: "Ian FREISLICH"
Date: Wed, 24 Apr 2013 16:35:51 +0200
List-Id: Discussions about the use of FreeBSD-current

Hi

I often run named outside of the system default directories so that, amongst other things, a mergemaster fumble doesn't break my name servers. This, however, breaks rndc because it is not imbued with the clue of where to find its key. /etc/rc.d/named does create the key file in the correct place according to the configured chroot directory. The reload section just doesn't tell rndc where to find it.

Can I suggest for a minimal change:

--- /usr/src/etc/rc.d/named 2013-04-15 20:17:58.000000000 +0200 +++ /etc/rc.d/named 2013-04-24 16:16:52.000000000 +0200
@@ -109,7 +109,7 @@ named_reload() { - ${command%/named}/rndc reload + ${command%/named}/rndc -k ${named_confdir}/rndc.key reload } find_pidfile()

A more invasive change: the bind9 reference suggests that named loading rndc.key is for backwards compatibility.

"Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish to change those things."

So, I 'include "path/to/rndc.key";' in named.conf, add a controls section that uses this named key, and I use the following rndc.conf:

---named.conf---
include "/etc/namedb/rndc.key";
controls {
	inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};
---named.conf---

---rndc.conf---
include "/etc/namedb/rndc.key";
options {
	default-server localhost;
	default-key rndc-key;
};
server localhost {
	key rndc-key;
};
---rndc.conf---

And the following version of the above patch:

--- /usr/src/etc/rc.d/named 2013-04-15 20:17:58.000000000 +0200 +++ /etc/rc.d/named 2013-04-24 16:16:52.000000000 +0200
@@ -109,7 +109,7 @@ named_reload() { - ${command%/named}/rndc reload + ${command%/named}/rndc -c ${named_confdir}/rndc.conf reload } find_pidfile()

This will allow the rc system to reload and stop named (without a kill) no matter what the configured chroot is.

Ian

-- 
Ian Freislich
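Review bot: In the first named_reload() hunk the added `-k ${named_confdir}/rndc.key` is unquoted and silently assumes the rc.d-generated key is the one named's controls statement actually trusts; when the administrator has pointed controls at a key of their own (as the second half of the mail does), rndc is still handed the wrong credential. Suggest quoting the path, `-k "${named_confdir}/rndc.key"`, and testing that the file exists before calling rndc so a missing key produces a clear error rather than rndc's generic connection failure. The stated goal is that the rc system can both reload and stop named without a kill, but only named_reload() is touched here; if named_stop() also invokes rndc it needs the same argument.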
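Review bot: The second variant, `-c ${named_confdir}/rndc.conf`, makes rndc.conf mandatory: on an install where rc.d/named has only generated rndc.key (the behaviour the mail itself describes) there is no rndc.conf, so reload would now fail where the unpatched script worked. Suggest falling back, i.e. use `-c "${named_confdir}/rndc.conf"` when that file exists and `-k "${named_confdir}/rndc.key"` otherwise, rather than replacing one hard-coded assumption with another. Separately, the posted rndc.conf includes "/etc/namedb/rndc.key" while named.conf includes the same path from inside the chroot; rndc runs outside the chroot, so that include only resolves when the host-side /etc/namedb points at the chroot's directory, and otherwise it should name the ${named_confdir}/rndc.key path the script generates.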
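As an added example, not part of Ian's mail or of FreeBSD's rc.d/named: a POSIX sh helper that builds the rndc invocation for the reload and stop paths the way the two patches do, but picks rndc.conf when one exists, falls back to the generated rndc.key otherwise, and refuses to run a keyless rndc when neither is present. The function name rndc_cmd, the default rndc path and the temporary chroot-style directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD's rc.d/named.
# Builds the rndc command line the way the proposed patches do, but:
#  - prefers a full rndc.conf when one exists (the "more invasive" variant),
#  - falls back to the rc.d-generated rndc.key otherwise (the minimal variant),
#  - fails instead of running a keyless "rndc reload" when neither exists.
# The function name rndc_cmd, the default rndc path and the sample
# directory layout below are assumptions made for illustration.

rndc_cmd() {
    # $1: the directory rc.d/named uses as named_confdir, i.e. the chroot
    #     prefix plus the directory holding named.conf
    # $2: rndc subcommand, e.g. reload or stop
    # $3: optional rndc binary (rc.d/named derives it as ${command%/named}/rndc)
    # Prints the command line to run; returns 1 if no key material is found.
    confdir=$1
    action=$2
    rndc=${3:-/usr/sbin/rndc}

    if [ -s "$confdir/rndc.conf" ]; then
        printf '%s -c %s %s\n' "$rndc" "$confdir/rndc.conf" "$action"
    elif [ -s "$confdir/rndc.key" ]; then
        printf '%s -k %s %s\n' "$rndc" "$confdir/rndc.key" "$action"
    else
        echo "rndc_cmd: no rndc.conf or rndc.key in $confdir" >&2
        return 1
    fi
}

# Walk through the three states with a constructed chroot-style layout
# (a temporary directory standing in for a non-default named_chrootdir).
demo() {
    base=$(mktemp -d) || return 1
    confdir="$base/etc/namedb"
    mkdir -p "$confdir"

    # 1. Nothing generated yet: must refuse rather than call rndc with no key.
    if rndc_cmd "$confdir" reload 2>/dev/null; then
        echo "demo: expected failure with no key material" >&2
        rm -rf "$base"
        return 1
    fi

    # 2. Only rndc.key, as left behind by rc.d/named (rndc-confgen -a).
    #    Constructed placeholder secret, not a real key.
    printf 'key "rndc-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };\n' \
        > "$confdir/rndc.key"
    rndc_cmd "$confdir" reload

    # 3. An rndc.conf that includes that key, as in the mail; rndc runs
    #    outside the chroot, so the include must use the host-side path.
    printf 'include "%s/rndc.key";\noptions { default-server localhost; default-key rndc-key; };\n' \
        "$confdir" > "$confdir/rndc.conf"
    rndc_cmd "$confdir" stop

    rm -rf "$base"
}

demo
```

The fallback order mirrors BIND's own precedence (an explicit configuration beats the compatibility key file), and the explicit failure in the third branch is what turns a misconfigured chroot into a visible rc error instead of a reload that silently does nothing.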