From: Doug Barton <DougB@freebsd.org>
To: Matthew Dillon
Cc: freebsd-arch@freebsd.org
Date: Sat, 7 Jun 2003 15:51:03 -0700 (PDT)
Subject: Re: Way forward with BIND 8
Message-ID: <20030607150857.S81111@znfgre.qbhto.arg>
In-Reply-To: <200306071805.h57I5q6Y036169@apollo.backplane.com>
References: <20030605235254.W5414@znfgre.qbhto.arg> <20030606024813.Y5414@znfgre.qbhto.arg> <20030606233358.Y15459@znfgre.qbhto.arg> <200306071805.h57I5q6Y036169@apollo.backplane.com>
Organization: http://www.FreeBSD.org/
List-Id: Discussion related to FreeBSD architecture

On Sat, 7 Jun 2003, Matthew Dillon wrote:

> If you install the bind9 port, and try to run rndc, you get this:
>
> apollo:/home/dillon# rndc reload
> rndc: neither /usr/local/etc/rndc.conf nor /usr/local/etc/rndc.key was found
>
> To make rndc work properly you have to rename rndc.conf.sample to rndc.conf,
> and you have to read the rndc.conf manual page to generate a new secret key

That's one way to do it; the other way to do it is to run rndc-confgen -a
as you described below. This is actually a better solution, since this
handles configuration, a new secret key, and proper file permissions all
in one.

As for not doing any of this by default, we don't install a named.conf
file by default either. There is a lot of stuff the sysadmin has to do in
order to get named working; this is just one of them.

> since the one in rndc.conf.sample is simply copied out of the distribution
> and not actually secure (which is really a bad idea, even for a sample
> file). This is regardless of the fact that it's stupid to even require
> a secret key for a local control program, but we can't do anything about
> that :-).

Well, rndc can be configured for remote control too. Since by default it's
configured locally though, I decided that the easiest way to deal with it
would just be to copy the sample file. However, based on your feedback
here, I just added a pkg-message that gives some information about this
topic.

> Additionally, the rndc-confgen program does not even appear to work,
> at least not on my system. If I run 'rndc-confgen -a' it just stays
> stuck in a select() somewhere and does nothing.

http://people.freebsd.org/~dougb/randomness.html :)

Thanks for the feedback,

Doug

-- 
This .signature sanitized for your protection
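As an added example (not part of this thread or of the BIND port), the following sh audit checks the three things the reply says rndc-confgen -a handles at once: the key file exists, only its owner can read it, and its secret is not the stock one copied from rndc.conf.sample. The paths default to the port layout named in the thread, and the sample file contents in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the rndc key file for the
# three things rndc-confgen -a takes care of at once (the file exists, only
# the owner can read it, and its secret is not the stock one copied from
# rndc.conf.sample). Paths are parameters; the defaults below assume the
# BIND 9 port layout named in the thread.

# Print the first "secret" value found in an rndc.conf / rndc.key file.
rndc_secret() {
    sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# audit_rndc_key KEYFILE SAMPLEFILE
# Exit status tells the caller what is wrong:
#   0 usable   1 no key file   2 readable by group/other   3 stock sample secret
audit_rndc_key() {
    keyfile=${1:-/usr/local/etc/rndc.key}
    sample=${2:-/usr/local/etc/rndc.conf.sample}
    if [ ! -f "$keyfile" ]; then
        echo "$keyfile missing: run rndc-confgen -a"
        return 1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits;
    # this reads the same on BSD and GNU ls, unlike stat(1).
    case "$(ls -ld "$keyfile" | cut -c5-10)" in
        ------) ;;
        *) echo "$keyfile is readable by group/other; chmod 600 it"
           return 2 ;;
    esac
    if [ -f "$sample" ] &&
       [ "$(rndc_secret "$keyfile")" = "$(rndc_secret "$sample")" ]; then
        echo "$keyfile still carries the secret from $sample; regenerate it"
        return 3
    fi
    return 0
}

# Demonstration on a constructed tree (nothing here touches /usr/local/etc).
demo=$(mktemp -d)
printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "CONSTRUCTED-SAMPLE==";\n};\n' \
    > "$demo/rndc.conf.sample"
cp "$demo/rndc.conf.sample" "$demo/rndc.key"   # the "just copy the sample" shortcut
chmod 600 "$demo/rndc.key"
audit_rndc_key "$demo/rndc.key" "$demo/rndc.conf.sample" || echo "audit status $?"
rm -rf "$demo"
```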