Bug 330591 - net-dns/bind-9.7.1_p2: upgrade from net-dns/bind-9.6.1_p3 broke installation
Summary: net-dns/bind-9.7.1_p2: upgrade from net-dns/bind-9.6.1_p3 broke installation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: BIND Maintainers (DISABLED)
Reported: 2010-07-31 11:45 UTC by Martin Mokrejš
Modified: 2010-08-26 16:41 UTC
Description Martin Mokrejš 2010-07-31 11:45:35 UTC
Jun 10 19:02:19 fold named[1939]: starting BIND 9.6.1-P3 -u named
Jun 10 19:02:19 fold named[1939]: built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--without-idn' '--disable-ipv6' '--without-libxml2' '--enable-linux-caps' '--enable-threads' '--with-randomdev=/dev/random' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=nocona' 'LDFLAGS=-Wl,-O1'
Jun 10 19:02:19 fold named[1939]: adjusted limit on open files from 1024 to 1048576
Jun 10 19:02:19 fold named[1939]: found 4 CPUs, using 4 worker threads
Jun 10 19:02:19 fold named[1939]: using up to 4096 sockets
Jun 10 19:02:19 fold named[1939]: loading configuration from '/etc/bind/named.conf'
Jun 10 19:02:19 fold named[1939]: using default UDP/IPv4 port range: [1024, 65535]
Jun 10 19:02:19 fold named[1939]: using default UDP/IPv6 port range: [1024, 65535]
Jun 10 19:02:19 fold named[1939]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 10 19:02:19 fold named[1939]: listening on IPv4 interface eth0, 195.113.57.32#53
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 0.IN-ADDR.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: D.F.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: A.E.F.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: automatic empty zone: B.E.F.IP6.ARPA
Jun 10 19:02:19 fold named[1939]: command channel listening on 127.0.0.1#953
Jun 10 19:02:19 fold named[1939]: zone 127.in-addr.arpa/IN: loaded serial 2008122601
Jun 10 19:02:19 fold named[1939]: zone localhost/IN: loaded serial 2008122601
Jun 10 19:02:19 fold named[1939]: zone iresite.org/IN: loaded serial 2009120921
Jun 10 19:02:19 fold named[1939]: zone iresite.org/IN: sending notifies (serial 2009120921)
Jun 10 19:02:19 fold named[1939]: running





# find / -name chroot
/bin/chroot
/var/lib/openntpd/chroot
/usr/bin/chroot
# cat /etc/conf.d/named 
# Set various named options here.
#
OPTIONS=""

# Set this to the number of processors you want bind to use.
# Leave this unchanged if you want bind to automatically detect the number
#CPU="1"

# If you wish to run bind in a chroot:
# 1) un-comment the CHROOT= assignment, below. You may use
#    a different chroot directory but MAKE SURE it's empty.
# 2) run: emerge --config =<bind-version>
#
CHROOT="/chroot/dns"

# RNDC needs to be told what server we're using sometimes.
#SERVER="-s 127.0.0.1"
# rndc key to use
RNDC_KEY="${CHROOT}/etc/bind/rndc.key"

# Default pid file location
PIDFILE="${CHROOT}/var/run/named/named.pid"

# Scheduling priority: 19 is the lowest and -20 is the highest.
#
NAMED_NICELEVEL="0"
# mkdir -p /chroot/dns
# ls -laR /chroot    
/chroot:
total 12
drwxr-xr-x  3 root root  4096 Jul 31 13:08 .
drwxr-xr-x 27 root root  4096 Jul 31 13:08 ..
drwxr-xr-x  5 root named 4096 Jul 31 13:11 dns

/chroot/dns:
total 20
drwxr-xr-x 5 root named 4096 Jul 31 13:11 .
drwxr-xr-x 3 root root  4096 Jul 31 13:08 ..
drwxr-xr-x 2 root root  4096 Jul 31 13:11 dev
drwxr-xr-x 3 root root  4096 Jul 31 13:11 etc
drwxr-xr-x 5 root root  4096 Jul 31 13:11 var

/chroot/dns/dev:
total 8
drwxr-xr-x 2 root root  4096 Jul 31 13:11 .
drwxr-xr-x 5 root named 4096 Jul 31 13:11 ..
crw-rw-rw- 1 root root  1, 3 Jul 31 13:11 null
crw-rw-rw- 1 root root  1, 8 Jul 31 13:11 random
crw-rw-rw- 1 root root  1, 5 Jul 31 13:11 zero

/chroot/dns/etc:
total 16
drwxr-xr-x 3 root root  4096 Jul 31 13:11 .
drwxr-xr-x 5 root named 4096 Jul 31 13:11 ..
drwxr-x--- 2 root named 4096 Jul 31 13:11 bind
-rw-r--r-- 1 root root  2102 Jul 31 13:11 localtime

/chroot/dns/etc/bind:
total 8
drwxr-x--- 2 root named 4096 Jul 31 13:11 .
drwxr-xr-x 3 root root  4096 Jul 31 13:11 ..

/chroot/dns/var:
total 20
drwxr-xr-x 5 root root  4096 Jul 31 13:11 .
drwxr-xr-x 5 root named 4096 Jul 31 13:11 ..
drwxrwx--- 2 root named 4096 Jul 31 13:11 bind
drwxr-xr-x 3 root root  4096 Jul 31 13:11 log
drwxr-xr-x 3 root root  4096 Jul 31 13:11 run

/chroot/dns/var/bind:
total 8
drwxrwx--- 2 root named 4096 Jul 31 13:11 .
drwxr-xr-x 5 root root  4096 Jul 31 13:11 ..

/chroot/dns/var/log:
total 12
drwxr-xr-x 3 root root  4096 Jul 31 13:11 .
drwxr-xr-x 5 root root  4096 Jul 31 13:11 ..
drwxrwx--- 2 root named 4096 Jul 31 13:11 named

/chroot/dns/var/log/named:
total 8
drwxrwx--- 2 root named 4096 Jul 31 13:11 .
drwxr-xr-x 3 root root  4096 Jul 31 13:11 ..

/chroot/dns/var/run:
total 12
drwxr-xr-x 3 root root  4096 Jul 31 13:11 .
drwxr-xr-x 5 root root  4096 Jul 31 13:11 ..
drwxrwx--- 2 root named 4096 Jul 31 13:11 named

/chroot/dns/var/run/named:
total 8
drwxrwx--- 2 root named 4096 Jul 31 13:11 .
drwxr-xr-x 3 root root  4096 Jul 31 13:11 ..
#


# /etc/init.d/named start
 * Caching service dependencies ...                                   [ ok ]
 * Starting chrooted named ...
 * Mounting chroot dirs
 * mounting /etc/bind to /chroot/dns/etc/bind
 * mounting /var/bind to /chroot/dns/var/bind
 * mounting /var/log/named to /chroot/dns/var/log/named               [ !! ]
 * ERROR: named failed to start
# ls -la /var/log/named
total 8
drwxr-xr-x  2 named named 4096 Nov 10  2009 .
drwxr-xr-x 13 root  root  4096 Jun 10 19:02 ..
# ls -la /chroot/dns/var/bind
total 20
drwxr-xr-x 4 named named 4096 Jul 31 11:56 .
drwxr-xr-x 5 root  root  4096 Jul 31 13:11 ..
-rw-r----- 1 root  named 2941 Jul 31 11:56 named.cache
drwxr-xr-x 2 named named 4096 Jul 31 11:56 pri
lrwxrwxrwx 1 root  root    21 Jul 31 11:56 root.cache -> /var/bind/named.cache
drwxr-xr-x 2 named named 4096 Jul 31 11:56 sec
#


Jul 31 13:30:05 fold named[3120]: starting BIND 9.7.1-P2 -u named -t /chroot/dns
Jul 31 13:30:05 fold named[3120]: built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--without-idn' '--disable-ipv6' '--without-libxml2' '--without-gssapi' '--enable-linux-caps' '--enable-threads' '--with-randomdev=/dev/random' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=nocona' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Jul 31 13:30:05 fold named[3120]: adjusted limit on open files from 1024 to 1048576
Jul 31 13:30:05 fold named[3120]: found 4 CPUs, using 4 worker threads
Jul 31 13:30:05 fold named[3120]: using up to 4096 sockets
Jul 31 13:30:05 fold named[3120]: loading configuration from '/etc/bind/named.conf'
Jul 31 13:30:05 fold named[3120]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jul 31 13:30:05 fold named[3120]: using default UDP/IPv4 port range: [1024, 65535]
Jul 31 13:30:05 fold named[3120]: using default UDP/IPv6 port range: [1024, 65535]
Jul 31 13:30:05 fold named[3120]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 31 13:30:05 fold named[3120]: binding TCP socket: address in use
Jul 31 13:30:05 fold named[3120]: listening on IPv4 interface eth0, 195.113.57.32#53
Jul 31 13:30:05 fold named[3120]: binding TCP socket: address in use
Jul 31 13:30:05 fold named[3120]: generating session key for dynamic DNS
Jul 31 13:30:05 fold named[3120]: could not configure root hints from 'named.ca': file not found
Jul 31 13:30:05 fold named[3120]: loading configuration: file not found
Jul 31 13:30:05 fold named[3120]: exiting (due to fatal error)
Jul 31 13:30:05 fold /etc/init.d/named[2156]: ERROR: named failed to start


Would you please improve the einfo() message printed after install of the bind-7.1.x package and clarify in more detail in the /etc/bind/named.conf file what "emerge --config" should really achieve (what files should be created & copied over from the non-chroot directories)? I believe I used to have /var/bind/chroot/etc/ with copies of my zone files, and the idea was that a remote attacker could only modify those copies instead of the originals in /etc/. I don't understand what the purpose of mounting /etc/bind to /chroot/dns/etc/bind is, for example.

The real issue which I demonstrate here is that I used to have /var/bind/named.cache, but the scripts (/daemon?) now look for /var/bind/named.ca, are leaky, and the named process is started anyway. I had to kill the process and remove the /var/run/named/* files, btw.

So after I made a symlink to named.cache as named.ca I could start the daemon using the init.d script, which claimed everything went fine. Unfortunately, it wasn't:

Jul 31 13:43:18 fold named[13003]: starting BIND 9.7.1-P2 -u named
Jul 31 13:43:18 fold named[13003]: built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--without-idn' '--disable-ipv6' '--without-libxml2' '--without-gssapi' '--enable-linux-caps' '--enable-threads' '--with-randomdev=/dev/random' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=nocona' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Jul 31 13:43:18 fold named[13003]: adjusted limit on open files from 1024 to 1048576
Jul 31 13:43:18 fold named[13003]: found 4 CPUs, using 4 worker threads
Jul 31 13:43:18 fold named[13003]: using up to 4096 sockets
Jul 31 13:43:18 fold named[13003]: loading configuration from '/etc/bind/named.conf'
Jul 31 13:43:18 fold named[13003]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jul 31 13:43:18 fold named[13003]: using default UDP/IPv4 port range: [1024, 65535]
Jul 31 13:43:18 fold named[13003]: using default UDP/IPv6 port range: [1024, 65535]
Jul 31 13:43:18 fold named[13003]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 31 13:43:18 fold named[13003]: listening on IPv4 interface eth0, 195.113.57.32#53
Jul 31 13:43:18 fold named[13003]: generating session key for dynamic DNS
Jul 31 13:43:18 fold named[13003]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 0.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: D.F.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 8.E.F.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 9.E.F.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: A.E.F.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: B.E.F.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: automatic empty zone: 0.1.1.0.0.2.IP6.ARPA
Jul 31 13:43:18 fold named[13003]: command channel listening on 127.0.0.1#953
Jul 31 13:43:18 fold named[13003]: zone 127.in-addr.arpa/IN: loaded serial 2008122601
Jul 31 13:43:18 fold named[13003]: zone localhost/IN: loaded serial 2008122601
Jul 31 13:43:18 fold named[13003]: zone iresite.org/IN: loaded serial 2009120921
Jul 31 13:43:18 fold named[13003]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Jul 31 13:43:18 fold named[13003]: managed-keys-zone ./IN: loaded serial 0
Jul 31 13:43:18 fold named[13003]: running
Jul 31 13:43:18 fold named[13003]: zone iresite.org/IN: sending notifies (serial 2009120921)
Jul 31 13:43:19 fold named[13003]: client 116.226.192.131#11926: query (cache) 'jonesautomation.com/MX/IN' denied
Jul 31 13:43:20 fold named[13003]: client 122.163.209.55#1061: query (cache) 'gsfurniture.com/MX/IN' denied
Jul 31 13:43:22 fold named[13003]: client 116.226.192.131#11926: query (cache) 'sajainc.com/A/IN' denied


As you can see, I am missing some other file, called managed-keys.bind.

Please improve the init.d script to check for the presence of all such files in advance, before attempting to start up the daemon. Improve the einfo() docs and explain the directory & file structure one is supposed to achieve. Finally, ensure that a user's "emerge --config" will NOT overwrite their existing zone and config files (etc-update asked me only about /etc/conf.d/named.conf, which I decided to keep as it was, luckily).

For completeness:

[ebuild   R   ] net-dns/bind-9.7.1_p2  USE="berkdb mysql ssl threads -dlz -doc -geoip -gssapi -idn -ipv6 -ldap -odbc -postgres -resolvconf -sdb-ldap (-selinux) -urandom -xml" 0 kB
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2010-07-31 14:56:27 UTC
(In reply to comment #0)
> Would you please improve the einfo() message printed after install of the
> bind-7.1.x package and clarify in more detail in the /etc/bind/named.conf file
> what should the "emerge --config" really achieve (what files should be
> created&copied over from the non-chroot directories)? I believe I used to have
> /var/bind/chroot/etc/ with copies of my zone files and the idea was that remote
> attacker could only modify those copies instead of the originals in /etc/. I
> don't understand what is the feature of mounting /etc/bind to
> /chroot/dns/etc/bind, for example.

You just need to run "emerge --config bind", no need to copy extra files.
emerge --config creates all required directories with proper permissions as well as the needed device files.
The main reason for a chrooted named is IMHO that an attacker can not easily gain access to the main system/other files...
/etc/bind will be mounted because named requires the named.conf as well as the files that will be included from it.

> 
> The real issue which I demonstrate here is that I used to have
> /var/bind/named.cache, but the scripts (/daemon?) now look for /var/bind/named.ca,
> are leaky, and the named process is started anyway. I had to kill the process
> and remove the /var/run/named/* files, btw.
>

named.ca has been renamed to named.cache.
I'll add an ewarn/elog for it.
/etc/init.d/named zap will also remove the pid files in /var/run/named/.

> As you can see, I am missing some other file, called managed-keys.bind.
>
That's a new feature in bind-9.7.x. You can and should decide yourself if you want to use it or not. That's no error.

> Please, improve the init.d script to check for presence of all such files in
> advance, before attempting to startup the daemon. Improve the einfo() docs and
> explain the directory&file structure one is supposed to achieve. Finally,
> ensure user "emerge --config" will NOT overwrite their existing zone and config
> files (etc-update asked me only about /etc/conf.d/named.conf which I decided to
> keep as it was, luckily). 

The initscript checks the chroot directory for directories and files. It will notify you in case one is missing, and it also says "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first".

emerge --config doesn't touch your zones, config files or so. It just creates all necessary directories and devices in your chroot directory.
It will change some directory or device file permissions.
There is also a warning if you run "emerge --config bind" on an existing /chroot/dns directory.
Comment 2 Martin Mokrejš 2010-08-01 21:14:29 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > Would you please improve the einfo() message printed after install of the
> > bind-7.1.x package and clarify in more detail in the /etc/bind/named.conf 
> > file what should the "emerge --config" really achieve (what files should be
> > created&copied over from the non-chroot directories)? I believe I used to
> > have /var/bind/chroot/etc/ with copies of my zone files and the idea was
> > that remote attacker could only modify those copies instead of the
> > originals in /etc/. I don't understand what is the feature of mounting
> > /etc/bind to /chroot/dns/etc/bind, for example.
> 
> You just need to run "emerge --config bind", no need to copy extra files.
> emerge --config creates all required directories with proper permissions as
> well as the needed device files.

That I did and as I posted, the directories created do not contain copies of my zone files. Oh, I see, they will be mounted into the place ...

> The main reason for a chrooted named is IMHO that an attacker can not easily
> gain access to the main system/other files...
> /etc/bind will be mounted because named requires the named.conf as well as the
> files that will be included from it.

But the attacker can overwrite these files. And my understanding is that these are the originals. Before the upgrade only copies of the files would be exposed.

What about this link to a full path? Shouldn't it be a relative symlink?

# ls -la /chroot/dns/var/bind
total 20
drwxr-xr-x 4 named named 4096 Jul 31 11:56 .
drwxr-xr-x 5 root  root  4096 Jul 31 13:11 ..
-rw-r----- 1 root  named 2941 Jul 31 11:56 named.cache
drwxr-xr-x 2 named named 4096 Jul 31 11:56 pri
lrwxrwxrwx 1 root  root    21 Jul 31 11:56 root.cache -> /var/bind/named.cache


> > As you can see, I am missing some other file, called managed-keys.bind.
> >
> That's a new feature in bind-9.7.x. You can and should decide yourself if you
> want to use it or not. That's no error.

Would be great if you tell the user. With move to Gentoo I stopped bothering to read NEWS, RELNOTES, etc. ;-)

> 
> > Please, improve the init.d script to check for presence of all such files in
> > advance, before attempting to startup the daemon. Improve the einfo() docs
> > and explain the directory&file structure one is supposed to achieve.
> > Finally, ensure user "emerge --config" will NOT overwrite their existing
> > zone and config files (etc-update asked me only about /etc/conf.d/
> > named.conf which I decided to keep as it was, luckily). 
> 
> The initscript checks the chroot directory for directories and files. It will
> notice you in case one is missing and it also says "Your chroot dir ${CHROOT}
> is inconsistent, please run 'emerge --config net-dns/bind' first".
> 
> emerge --config doesn't touch your zones, config files or so. It just creates
> all necessary directories and devices in your chroot directory.
> It will change some directory or device file permissions.
> There is also a warning if you run "emerge --config bind" on an existing
> /chroot/dns directory.

Was that the previous chroot place with 9.6 version or is this a new location? Sorry, I shouldn't be lazy and check the old ebuild here. ;)

Nevertheless, some additions to the einfo() texts based on my questions would be great. Thanks.
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2010-08-26 16:41:37 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > (In reply to comment #0)
> > The main reason for a chrooted named is IMHO that an attacker can not easily
> > gain access to the main system/other files...
> > /etc/bind will be mounted because named requires the named.conf as well as the
> > files that will be included from it.
> 
> But the attacker can overwrite these files. And my understanding is that the
> originals. Before the upgrade only copies of the files would be exposed.
> 
> What about this link to a full path? Shouldn't it be a relative symlink?
>

The config files are by default root:named and 0640 so an attacker that gains access as "named" user can't usually touch your configs.

> # ls -la /chroot/dns/var/bind
> total 20
> drwxr-xr-x 4 named named 4096 Jul 31 11:56 .
> drwxr-xr-x 5 root  root  4096 Jul 31 13:11 ..
> -rw-r----- 1 root  named 2941 Jul 31 11:56 named.cache
> drwxr-xr-x 2 named named 4096 Jul 31 11:56 pri
> lrwxrwxrwx 1 root  root    21 Jul 31 11:56 root.cache -> /var/bind/named.cache
> 
> 
> > > As you can see, I am missing some other file, called managed-keys.bind.
> > >
> > That's a new feature in bind-9.7.x. You can and should decide yourself if you
> > want to use it or not. That's no error.
> 
> Would be great if you tell the user. With move to Gentoo I stopped bothering to
> read NEWS, RELNOTES, etc. ;-)

I'm currently not sure if I will add it to the ebuild because _every_ user should read NEWS or ChangeLog files when upgrading to a new major version of "important" packages.

The bind.keys file will also be auto-created by the bind build system, and it will be in your chroot after /etc/bind has been mounted.

> > 
> > > Please, improve the init.d script to check for presence of all such files in
> > > advance, before attempting to startup the daemon. Improve the einfo() docs
> > > and explain the directory&file structure one is supposed to achieve.
> > > Finally, ensure user "emerge --config" will NOT overwrite their existing
> > > zone and config files (etc-update asked me only about /etc/conf.d/
> > > named.conf which I decided to keep as it was, luckily). 
> > 
> > The initscript checks the chroot directory for directories and files. It will
> > notice you in case one is missing and it also says "Your chroot dir ${CHROOT}
> > is inconsistent, please run 'emerge --config net-dns/bind' first".
> > 
> > emerge --config doesn't touch your zones, config files or so. It just creates
> > all necessary directories and devices in your chroot directory.
> > It will change some directory or device file permissions.
> > There is also a warning if you run "emerge --config bind" on an existing
> > /chroot/dns directory.
> 
> Was that the previous chroot place with 9.6 version or is this a new location?
> Sorry, I shouldn't be lazy and check the old ebuild here. ;)
> 
> Nevertheless, so additions based on my questions to einfo() texts would be
> great. Thanks.
> 

It's still the same as in 9.6.


An ewarn for the renamed named.ca has been added, so I'll close this bug as fixed for now.
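The two points the maintainer makes above, that the initscript verifies the chroot tree before starting named (comment 1) and that configs are root:named 0640 so a compromised named cannot rewrite them (comment 3), can be checked by hand with the following audit script. It is an added example, not part of the Gentoo ebuild or initscript. It assumes the layout shown in this bug (a chroot root such as /chroot/dns containing dev, etc/bind, var/bind, var/log/named and var/run/named, with the device nodes null, random and zero) and that the root hints file is called either named.cache or named.ca; the function name audit_chroot and the message wording are mine.

```shell
#!/bin/sh
# audit_chroot.sh: sanity-check a Gentoo-style BIND chroot before starting named.
# Added example; not the ebuild's or initscript's own code.
# Assumed layout (from the bug report): $CHROOT/{dev,etc/bind,var/bind,var/log/named,var/run/named}
# with device nodes null, random and zero, and root hints in var/bind/named.cache (or named.ca).

CHROOT_DIRS="dev etc etc/bind var var/bind var/log/named var/run/named"
CHROOT_DEVS="null random zero"

# Prints one line per finding; prints nothing when the tree looks consistent.
audit_chroot() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "chroot root missing: $root"
        return 1
    fi

    # Directories the initscript bind-mounts into or that named writes to.
    for d in $CHROOT_DIRS; do
        [ -d "$root/$d" ] || echo "missing directory: $root/$d"
    done

    # named needs these device nodes after chroot(); the build uses --with-randomdev=/dev/random.
    for dev in $CHROOT_DEVS; do
        [ -c "$root/dev/$dev" ] || echo "missing device node: $root/dev/$dev"
    done

    # Root hints: the 9.7 ebuild ships named.cache where older configs referenced named.ca.
    if [ ! -e "$root/var/bind/named.cache" ] && [ ! -e "$root/var/bind/named.ca" ]; then
        echo "root hints missing: neither named.cache nor named.ca under $root/var/bind"
    fi

    # Absolute symlink targets are resolved by the kernel relative to the new root once
    # named has chroot()ed, so an absolute link is fine as long as it resolves *inside*
    # the chroot. Flag links that do not.
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) [ -e "$root$target" ] || echo "dangling inside chroot: $link -> $target" ;;
            *)  [ -e "$link" ]        || echo "dangling relative symlink: $link -> $target" ;;
        esac
    done

    # Group- or world-writable files under etc/ would let a compromised named (running as
    # the "named" user) rewrite its own named.conf or rndc.key. Expected mode is 0640 root:named.
    find "$root/etc" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | while IFS= read -r f; do
        echo "writable config file: $f"
    done
}

# Stand-alone usage: sh audit_chroot.sh /chroot/dns  (as root, so device nodes and
# permissions are visible; run it after the initscript has mounted /etc/bind and /var/bind).
if [ $# -gt 0 ]; then
    audit_chroot "$1"
fi
```

Run it against the mounted chroot rather than the empty skeleton, since the named.cache, rndc.key and zone files only appear inside $CHROOT after the initscript's bind mounts. Creating device nodes needs root (mknod), so on an unprivileged test tree the three "missing device node" lines are expected.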