vi /etc/rc:
...
if [ X"${named_flags}" != X"NO" ]; then
        if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
                echo -n "rndc-confgen: generating new shared secret... "
                if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
                        chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
                        echo done.
                else
                        echo failed.
                fi
        fi

        echo 'starting named'; named $named_flags
fi
...

-- 
Best Regards
----
My Chaos: https://n23.appspot.com

On Thu, Nov 13, 2008 at 14:08, 23号 <[EMAIL PROTECTED]> wrote:
> vi /etc/rc:
> ..
> if [ X"${named_flags}" != X"NO" ]; then
>         if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
>                 echo -n "rndc-confgen: generating new shared secret... "
>                 if /usr/sbin/rndc-confgen -a -t /var/named >/dev/null 2>&1; then
>                         chmod 0640 /var/named/etc/rndc.key >/dev/null 2>&1
>                         echo done.
>                 else
>                         echo failed.
>                 fi
>         fi
>
>         echo 'starting named'; named $named_flags
> fi
> ...
>
> --
> Best Regards
> ----
> My Chaos: https://n23.appspot.com
>
>
>
> On Wed, Nov 12, 2008 at 14:17, Woodchuck <[EMAIL PROTECTED]> wrote:
>> On Tue, 11 Nov 2008, Don Jackson wrote:
>>
>>> Today I began testing named on a freshly installed OpenBSD 4.4 amd64
>>> machine, using my old named.conf file from 4.3 (which was still running
>>> named version 9.4.2)
>>>
>>> When the machine first boots after the install, /etc/rc determines there is
>>> no rndc.key, and generates one:
>>>
>>> rndc-confgen: generating new shared secret... done.
>>> starting named
>>>
>>>
>>> Here are the owner, group, and file modes of the two different copies of
>>> rndc.key that are generated:
>>>
>>> # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
>>> -rw------- 1 root wheel 77 Nov 11 12:24 /etc/rndc.key
>>> -rw-r----- 1 root wheel 77 Nov 11 12:24 /var/named/etc/rndc.key
>>>
>>>
>>> named only cares about the rndc.key in /var/named/etc
>>
>> Right. But later, rndc will use the /etc version. So you need
>> both, and the permissions you show are sane ones.
>>
>>> Looking at the logs: /var/log/daemon, one can see:
>>>
>>> Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
>>> Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied
>>>
>>> Here is my workaround:
>>>
>>> # chown root:named /var/named/etc/rndc.key
>>> # ls -lAF /var/named/etc/rndc.key
>>> -rw-r----- 1 root named 77 Nov 11 12:24 /var/named/etc/rndc.key
>>>
>>>
>>> Should /etc/rc set the group ownership of /var/named/etc/rndc.key?
>>>
>>> Comments?
>>
>> I think rndc.key should pick up the named group from the ownerships
>> and permissions on /var/named/etc.
>>
>> /var/named/etc should be owned by root.named and have permissions 750.
>>
>> I bet your /var/named/etc is owned by root.wheel.
>>
>> Dave
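An added example, not posted by anyone in the thread: a POSIX sh audit that checks the ownership and mode Dave recommends for the chrooted key (/var/named/etc as root:named 750, /var/named/etc/rndc.key as root:named 0640) and prints each mismatch. The function names and parameters are my own; the chroot path defaults to /var/named as in the /etc/rc snippet above.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the ownership and mode of
# BIND's chrooted rndc.key and its directory against the values recommended
# in the thread (dir root:named 750, key root:named 640). Function names
# and parameters are my own; only ls(1), cut(1) and sed(1) are required.

# sym_mode OCTAL: print the ls(1) symbolic form of a 3-digit octal mode,
# e.g. 640 -> rw-r-----. Returns 1 on a non-octal digit.
sym_mode() {
    out=""
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        case $d in
            0) out="${out}---" ;;  1) out="${out}--x" ;;
            2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
            4) out="${out}r--" ;;  5) out="${out}r-x" ;;
            6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_perm PATH OCTAL OWNER GROUP: compare the mode, owner and group that
# ls -ld reports for PATH with the expectation; print every mismatch and
# return 1 if any is found (or the path is missing), 0 otherwise.
check_perm() {
    path=$1 owner=$3 group=$4
    want=$(sym_mode "$2") || return 1
    line=$(ls -ld "$path" 2>/dev/null) || { echo "$path: missing"; return 1; }
    set -- $line
    # chars 2-10 skip the type char and drop any trailing ACL/SELinux marker
    mode=$(printf '%s' "$1" | cut -c2-10)
    fail=0
    [ "$mode" = "$want" ] || { echo "$path: mode $mode, want $want"; fail=1; }
    [ "$3" = "$owner" ]   || { echo "$path: owner $3, want $owner";  fail=1; }
    [ "$4" = "$group" ]   || { echo "$path: group $4, want $group";  fail=1; }
    return $fail
}

# audit_rndc [CHROOT]: run both checks against the named chroot, which the
# /etc/rc snippet in the thread places under /var/named.
audit_rndc() {
    root=${1:-/var/named}
    bad=0
    check_perm "$root/etc" 750 root named          || bad=1
    check_perm "$root/etc/rndc.key" 640 root named || bad=1
    return $bad
}
```

Source the file and call `audit_rndc` (optionally with a different chroot path) to get a non-zero exit status whenever either path deviates from the recommended settings.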