On Tue, Feb 14, 2012 at 9:17 PM, roberth <[email protected]> wrote:
> On Mon, 13 Feb 2012 22:35:15 +0100
> Björn Ketelaars <[email protected]> wrote:
>
>> How and when do we automatically generate unbound-control keys? If
>> so, where should that be done?
>
> Simply don't bother?
> rndc keys aren't set up automagically either.
> The daemon will work just fine without it, let it be up to the admin
> who wants to use it.

For basic operation (read: local starting and / or stopping of the
daemon) the use of unbound-control is not necessary. One could use
/etc/rc.d/unbound for this. However, for the neat stuff [1] one needs
unbound-control and therefore signed keys.

Concerning rndc and generating the shared secret: this is done by the
system startup script run by init on autoboot or after single-user.
From /etc/rc:


        if [ X"${named_flags}" != X"NO" ]; then
                if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then
                        echo -n "rndc-confgen: generating shared secret... "
                        if rndc-confgen -a -t /var/named >/dev/null 2>&1; then
                                chmod 0640 /var/named/etc/rndc.key \
                                    >/dev/null 2>&1
                                echo done.
                        else
                                echo failed.
                        fi
                fi
        fi


The option is there, it is easy to implement and is easy to use. So,
why not make it default?


[1] http://www.rootr.net/man/man/unbound-control/8

--
Björn Ketelaars
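
An added example (not part of the original message and not OpenBSD's /etc/rc) of the same pattern applied to unbound-control: generate the keys at startup only when they are missing. It assumes `unbound-control-setup` and its `-d` directory option; the function names and the key directory argument are hypothetical.

```shell
# Added example, not from /etc/rc: create unbound-control keys only when absent.
# $1 = key directory (an assumption; pass the directory your unbound.conf uses)
# $2 = generator command, default unbound-control-setup (overridable for tests)
UNBOUND_KEY_FILES="unbound_server.key unbound_server.pem unbound_control.key unbound_control.pem"

# Succeeds only if every key and certificate file exists and is non-empty.
unbound_keys_present() {
	for _f in $UNBOUND_KEY_FILES; do
		[ -s "$1/$_f" ] || return 1
	done
	return 0
}

ensure_unbound_control_keys() {
	_dir=$1
	_gen=${2:-unbound-control-setup}

	# All four files already present: nothing to do.
	if unbound_keys_present "$_dir"; then
		return 0
	fi
	[ -d "$_dir" ] || return 1

	printf 'unbound-control-setup: generating keys... '
	# Restrictive umask in a subshell so the private keys are never
	# created world-readable, even briefly.
	if ( umask 077; "$_gen" -d "$_dir" ) >/dev/null 2>&1 &&
	    unbound_keys_present "$_dir"; then
		# Same mode the rc snippet above gives rndc.key.
		chmod 0640 "$_dir"/unbound_server.key "$_dir"/unbound_control.key
		printf 'done.\n'
	else
		printf 'failed.\n'
		return 1
	fi
}
```

The check is idempotent, so it can run on every boot; a failed or partial generation is reported instead of leaving the daemon with an incomplete key set.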
