This bug still exists in lenny as of today (bind9/1:9.5.0.dfsg.P2-4)
despite it being reported as fixed in bind9/1:9.5.0.dfsg.P2-1.
It's easy to demonstrate:
marx:~# apt-show-versions bind9
bind9/lenny uptodate 1:9.5.0.dfsg.P2-4
First, with correct permissions we reconfigure bind9
marx:~# ls -l /etc/bind/rndc.key
-rw-r----- 1 root bind 77 Jan 8 20:29 /etc/bind/rndc.key
marx:~# dpkg-reconfigure bind9
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
but now we have the wrong permissions:
marx:~# ls -l /etc/bind/rndc.key
-rw-r----- 1 bind bind 77 Jan 8 20:29 /etc/bind/rndc.key
so a restart will fail:
marx:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind9rndc: connect failed: 127.0.0.1#953: connection refused
failed!
Starting domain name service...: bind9.
so we kill named, fix the permissions and we're OK again:
marx:~# pkill bind9
marx:~# chown root.bind /etc/bind/rndc.key
marx:~# /etc/init.d/bind9 start
Starting domain name service...: bind9.
marx:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
Clearly the maintainer scripts in bind9/1:9.5.0.dfsg.P2-4 are *still*
setting the ownership permissions for /etc/bind/rndc.key incorrectly.
What is not clear to me is why ownership of bind.bind does not work.
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages bind9 depends on:
ii adduser 3.110 add and remove users and groups
ii bind9utils 1:9.5.0.dfsg.P2-4 Utilities for BIND
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libbind9-40 1:9.5.0.dfsg.P2-4 BIND9 Shared Library used by BIND
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libcap2 2.11-2 support for getting/setting POSIX.
ii libdb4.6 4.6.21-11 Berkeley v4.6 Database Libraries [
ii libdns43 1:9.5.0.dfsg.P2-4 DNS Shared Library used by BIND
ii libisc44 1:9.5.0.dfsg.P2-4 ISC Shared Library used by BIND
ii libisccc40 1:9.5.0.dfsg.P2-4 Command Channel Library used by BI
ii libisccfg40 1:9.5.0.dfsg.P2-4 Config File Handling Library used
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii liblwres40 1:9.5.0.dfsg.P2-4 Lightweight Resolver Library used
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libxml2 2.6.32.dfsg-5 GNOME XML library
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii netbase 4.34 Basic TCP/IP networking system
bind9 recommends no packages.
Versions of packages bind9 suggests:
ii bind9-doc 1:9.5.0.dfsg.P2-4 Documentation for BIND
ii dnsutils 1:9.5.0.dfsg.P2-4 Clients provided with BIND
ii resolvconf 1.42 name server information handler
pn ufw <none> (no description available)
-- debconf information excluded
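
An added example, not part of the original report or of the bind9 package: a shell check for the ownership change reproduced above. It snapshots a key file's owner, group and mode around a command such as dpkg-reconfigure. The function names are hypothetical, GNU stat is assumed, and the expected owner, group and mode are parameters (the report treats root:bind as the correct ownership).

```shell
#!/bin/sh
# Added example: detect ownership/mode drift on a key file such as
# /etc/bind/rndc.key. Function names are hypothetical; requires GNU stat.

# snapshot FILE -> prints "owner:group:mode", e.g. "root:bind:640"
snapshot() {
    stat -c '%U:%G:%a' -- "$1"
}

# check_key FILE OWNER GROUP MODE
# Returns 0 if FILE matches, 1 on drift, 2 if FILE cannot be read.
check_key() {
    file=$1
    want="$2:$3:$4"
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }
    have=$(snapshot "$file") || return 2
    if [ "$have" = "$want" ]; then
        echo "OK $file $have"
        return 0
    fi
    echo "DRIFT $file have=$have want=$want"
    return 1
}

# changed_by FILE CMD [ARGS...]
# Runs CMD and reports whether FILE's owner, group or mode changed.
# Returns 0 if unchanged, 1 if changed, 2 if FILE cannot be read.
changed_by() {
    file=$1
    shift
    before=$(snapshot "$file") || return 2
    "$@" >/dev/null 2>&1 || :      # the command's own exit status is ignored
    after=$(snapshot "$file") || return 2
    if [ "$before" = "$after" ]; then
        echo "UNCHANGED $file $after"
        return 0
    fi
    echo "CHANGED $file before=$before after=$after"
    return 1
}

# Usage as root, following the reproduction in the report:
#   check_key  /etc/bind/rndc.key root bind 640
#   changed_by /etc/bind/rndc.key dpkg-reconfigure bind9
```
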
I don't have this on my host and I didn't change any permissions:
doru@piti:~$ ls -l /etc/bind/rndc.key
-rw-r----- 1 bind bind 77 2008-04-11 12:28 /etc/bind/rndc.key
doru@piti:~$ rndc status
bash: rndc: command not found
doru@piti:~$ sudo rndc status
version: 9.5.0-P2
number of zones: 14
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
doru@piti:~$
doru@piti:~$
doru@piti:~$ apt-show-versions bind9
bind9/lenny uptodate 1:9.5.0.dfsg.P2-4
Cheers