From: Matthew Dillon
To: Doug Barton
cc: freebsd-arch@freebsd.org
Subject: Re: Way forward with BIND 8
Date: Sat, 7 Jun 2003 11:05:52 -0700 (PDT)
Message-Id: <200306071805.h57I5q6Y036169@apollo.backplane.com>
References: <20030605235254.W5414@znfgre.qbhto.arg> <20030606024813.Y5414@znfgre.qbhto.arg> <20030606233358.Y15459@znfgre.qbhto.arg>

:On Fri, 6 Jun 2003, Matthew Dillon wrote:
:
:> There are two issues with a changeover to bind-9. First, the bind-9
:> port does not properly install the new encrypted command/management
:> system (the equivalent to ndc in bind-8),
:
:Can you elaborate on this? What does the port do wrong, or what should it
:do differently?
:
:Doug

    If you install the bind9 port, and try to run rndc, you get this:

        apollo:/home/dillon# rndc reload
        rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found

    To make rndc work properly you have to rename rndc.conf.sample to
    rndc.conf, and you have to read the rndc.conf manual page to generate a
    new secret key since the one in rndc.conf.sample is simply copied out of
    the distribution and not actually secure (which is really a bad idea,
    even for a sample file). This is regardless of the fact that it's stupid
    to even require a secret key for a local control program, but we can't
    do anything about that :-).

    Additionally, the rndc.conf.sample file is globally readable by default,
    and most sysops are likely to install an rndc.conf file that is also
    globally readable by default... a real bad idea.

    Additionally, the rndc-confgen program does not even appear to work, at
    least not on my system. If I run 'rndc-confgen -a' it just stays stuck
    in a select() somewhere and does nothing.

    All of these operations should be performed by the port installation
    process. There is no need to force the sysop to copy and clean up the
    rndc.conf file if the file did not previously exist on the machine, and
    certainly no need to force the sysop to generate a random key just to
    make rndc work.

                                        -Matt
                                        Matthew Dillon
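An added example, not from Dillon's message or the bind9 port: a POSIX shell script that does what the message argues the port's install step should do, creating an rndc key file with a fresh random secret and owner-only permissions only when none exists, and auditing an existing file for the globally-readable problem. It assumes BIND 9's key clause syntax with hmac-md5 and that /dev/urandom and base64 are available; the key name and file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread or the bind9 port: create an
# rndc key file only if none exists, with a fresh random secret and mode 0600,
# and audit an existing one. Assumes BIND 9's key clause syntax (hmac-md5, as
# documented for rndc.conf at the time), plus /dev/urandom and base64.

# generate_rndc_key FILE [KEYNAME]
# Refuses to touch an existing file (return 2) so a sysop's own key survives
# reinstalls; otherwise writes a new key clause readable only by the owner.
generate_rndc_key() {
    file=$1
    name=${2:-rndc-key}
    if [ -e "$file" ]; then
        echo "$file already exists, not overwriting" >&2
        return 2
    fi
    # 32 random bytes, base64-encoded, as the HMAC secret.
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        cat > "$file" <<EOF
key "$name" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
    )
}

# check_rndc_key FILE
# Returns 0 only if FILE exists, carries a plausible secret, and is not
# readable by group or others (the "globally readable" problem above).
check_rndc_key() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        ????------) ;;
        *) echo "$file: permissions $perms allow group/other access" >&2; return 1 ;;
    esac
    if ! grep -Eq 'secret "[A-Za-z0-9+/=]{24,}";' "$file"; then
        echo "$file: no usable secret clause found" >&2
        return 1
    fi
    return 0
}
```

Call `generate_rndc_key /usr/local/etc/rndc.key` from a post-install step and `check_rndc_key` on the same path from an audit; the check deliberately fails on a world-readable file even when the secret looks fine.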