Bug 691786 - net-dns/bind-9.14.4 USE=urandom: postinst fails if no /etc/bind/rndc.key file present
Status: RESOLVED DUPLICATE of bug 701032
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mikle Kolyada (RETIRED)
URL:
Whiteboard:
Keywords: PullRequest
Duplicates: 745909
Depends on:
Blocks:
 
Reported: 2019-08-08 21:38 UTC by Phil Stracchino (Unix Ronin)
Modified: 2021-01-22 12:04 UTC
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---
Description Phil Stracchino (Unix Ronin) 2019-08-08 21:38:07 UTC
Keys for rndc can be defined either in /etc/bind/rndc.conf or /etc/bind/rndc.key.  If both files exist, rndc will use the key in rndc.conf, but warn that rndc.key exists as well.

However, if rndc.key does NOT exist, then postinst fails:

 * FAILED postinst: 1
 * ERROR: net-dns/bind-9.14.4::gentoo failed (postinst phase):
 *   (no error message)
 *
 * Call stack:
 *     ebuild.sh, line 125:  Called pkg_postinst
 *   environment, line 3114:  Called die
 * The specific snippet of code:
 *           chown root:named /etc/bind/rndc.key || die;
 *


So postinst dies if a file that bind does not actually require to exist does not exist.
Comment 1 Stéphane Veyret 2019-08-09 17:19:48 UTC
Actually, the file should exist because if not, it is created a few lines above. The problem (which I faced too) is that if USE="urandom" is defined, the file is created using `-r /dev/urandom`, but rndc-confgen is failing because the `-r` flag is deprecated.
Comment 2 Phil Stracchino (Unix Ronin) 2019-08-09 17:31:30 UTC
(In reply to Stéphane Veyret from comment #1)
> Actually, the file should exist because if not, it is created a few lines
> above. The problem (which I faced too) is that if USE="urandom" is defined,
> the file is created using `-r /dev/urandom`, but rndc-confgen is failing
> because the `-r` flag is deprecated.

I would suggest that postinst shouldn't be trying to create rndc.key at all if a valid rndc.conf file already exists.  I have to keep manually deleting rndc.key files that I don't need and don't want.
Comment 3 Tomáš Mózes 2019-08-29 13:47:05 UTC
New installation, USE="caps urandom zlib" emerge =net-dns/bind-9.14.4 fails because /etc/bind/rndc.key does not exist.
Comment 4 Tomáš Mózes 2019-08-29 13:51:06 UTC
(In reply to Tomáš Mózes from comment #3)
> New installation, USE="caps urandom zlib" emerge =net-dns/bind-9.14.4 fails
> because /etc/bind/rndc.key does not exist.

It does not exist because rndc-confgen failed as Stéphane pointed out. 

Workaround:
emerge net-dns/bind
rndc-confgen -a
emerge net-dns/bind
Comment 5 Phil Stracchino (Unix Ronin) 2019-08-29 16:02:43 UTC
(In reply to Tomáš Mózes from comment #4)
> (In reply to Tomáš Mózes from comment #3)
> > New installation, USE="caps urandom zlib" emerge =net-dns/bind-9.14.4 fails
> > because /etc/bind/rndc.key does not exist.
> 
> It does not exist because rndc-confgen failed as Stéphane pointed out. 
> 
> Workaround:
> emerge net-dns/bind
> rndc-confgen -a
> emerge net-dns/bind


So there are two issues here.

1.  rndc-confgen is failing to create rndc.key.

2.  postinst is trying to create an rndc.key file even when a perfectly valid and correct rndc.conf file already exists.  If rndc.conf already exists, rndc.key is not only unnecessary, it actively confuses the issue and results in a warning message from rndc.  We should not be doing this.

The gripping hand is, the underlying problem is that bind has two different possible files for the same purpose in the first place, but will complain if both exist.
Comment 6 Phil Stracchino (Unix Ronin) 2019-08-29 16:11:55 UTC
To further clarify:

— The ebuild does not, as far as I can see, make any attempt to auto-create rndc.conf, only rndc.key;
— Therefore if rndc.conf exists, we should assume it was created by the user and is correctly configured for the installation;
— If both rndc.conf and rndc.key exist, bind will prefer rndc.conf anyway, making the rndc.key file of no practical use in this case;
— Ergo, we should not attempt to create rndc.key if rndc.conf already exists.
Comment 7 Phil Stracchino (Unix Ronin) 2019-10-09 17:30:47 UTC
I propose the following one-line fix to the underlying logic:

--- bind-9.14.4.ebuild.orig     2019-09-21 11:09:50.000000000 -0400
+++ bind-9.14.4.ebuild  2019-10-09 13:14:06.612424140 -0400
@@ -268,11 +268,11 @@
        exeinto /usr/libexec
        doexe "${FILESDIR}/generate-rndc-key.sh"
 }

 pkg_postinst() {
-       if [ ! -f '/etc/bind/rndc.key' ]; then
+       if [ ! -f '/etc/bind/rndc.key' -a ! -f '/etc/bind/rndc.conf']; then
                if use urandom; then
                        einfo "Using /dev/urandom for generating rndc.key"
                        /usr/sbin/rndc-confgen -r /dev/urandom -a
                        echo
                else
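Review bot: the new condition on the `+` line is missing a space before the closing `]` (`'/etc/bind/rndc.conf']`), so `[` never sees its closing bracket and the test aborts with a "missing `]'" error before either file check runs; since ebuilds are bash, write `if [[ ! -f /etc/bind/rndc.key && ! -f /etc/bind/rndc.conf ]]; then`, or in POSIX style two separate `[ ! -f ... ]` tests joined with `&&`, because the binary `-a` operator is obsolescent and easy to get wrong. The guard also only skips creation: when rndc.conf exists and rndc.key does not, the later `chown root:named /etc/bind/rndc.key || die` quoted in the description will still fail unless that chown is moved inside this block or guarded with the same test. The `-r /dev/urandom` call on the unchanged context lines is the deprecated-flag failure Comment 1 describes and is left as is here, as the comment itself acknowledges.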


The reasoning behind this change:

— The ebuild does not create /etc/bind/rndc.conf, therefore if rndc.conf already exists, we should assume that the user created it AND IT IS CORRECT, and NOT create a conflicting /etc/bind/rndc.key which bind will ignore anyway (but issue a warning every time) because rndc.conf already exists.
— If rndc.conf does not exist but rndc.key already does, obviously we should use the existing rndc.key file and not overwrite it.
— ONLY IF NEITHER rndc.conf NOR rndc.key already exists should we create a new rndc.key file.


The rndc-confgen usage issue (-r deprecated) is a separate problem.
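The three-way decision laid out in Comment 7 (skip when rndc.conf exists, keep an existing rndc.key, generate only when neither is present) and the follow-up permission fix that made the original postinst die, written out as a self-contained POSIX sh example. This is an added illustration, not the ebuild's code or the workaround from Comment 4. It avoids the obsolescent `-a` test operator, keeps the ownership step conditional on the file actually existing, and takes the key generator as a parameter so it can be exercised with a stub instead of the real `rndc-confgen`. The real invocation would be `ensure_rndc_key /etc/bind rndc-confgen -a -c`, relying on `rndc-confgen -c keyfile` to choose the output path (an assumption about the tool's options; the deprecated `-r` flag is simply not passed). The `chown root:named` from the ebuild is left out so the example runs unprivileged.

```shell
#!/bin/sh
# Added example: decide what postinst should do about rndc.key.
# rndc_key_action <confdir> prints one of:
#   skip-conf  - rndc.conf is user-managed; rndc would prefer it and only warn about rndc.key
#   keep-key   - rndc.key already exists; never overwrite a live shared secret
#   generate   - neither file exists; a fresh rndc.key is needed
rndc_key_action() {
    rka_dir=$1
    # Two separate tests joined with && instead of the obsolescent
    # '[ a -a b ]' form, which is where the missing-']' bug crept in.
    if [ -f "$rka_dir/rndc.conf" ]; then
        echo skip-conf
    elif [ -f "$rka_dir/rndc.key" ]; then
        echo keep-key
    elif [ ! -f "$rka_dir/rndc.conf" ] && [ ! -f "$rka_dir/rndc.key" ]; then
        echo generate
    fi
}

# ensure_rndc_key <confdir> <generator-cmd...>
# Runs the generator (which receives the output path as its last argument)
# only in the "generate" case, then tightens permissions on rndc.key if,
# and only if, the file exists. Returns non-zero when generation fails.
ensure_rndc_key() {
    erk_dir=$1
    shift
    case $(rndc_key_action "$erk_dir") in
        generate)
            "$@" "$erk_dir/rndc.key" || return 1
            ;;
    esac
    # Guard the fix-up step: an unconditional chmod/chown here is exactly
    # what turned a harmless "no rndc.key" into a failed postinst.
    if [ -f "$erk_dir/rndc.key" ]; then
        # rndc.key carries the HMAC secret for rndc; keep it out of 'other'.
        # (The ebuild also does chown root:named; omitted so this runs unprivileged.)
        chmod 0640 "$erk_dir/rndc.key" || return 1
    fi
    return 0
}

# Stand-alone demonstration on a scratch directory with a stub generator
# (constructed sample key material, not a real secret).
demo_rndc_key() {
    demo_dir=$(mktemp -d)
    demo_gen() {
        printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "ZGVtby1vbmx5LW5vdC1hLXJlYWwtc2VjcmV0";\n};\n' > "$1"
    }
    ensure_rndc_key "$demo_dir" demo_gen
    echo "first run:  $(rndc_key_action "$demo_dir")"
    touch "$demo_dir/rndc.conf"
    echo "with conf:  $(rndc_key_action "$demo_dir")"
    rm -rf "$demo_dir"
}
```

Calling `ensure_rndc_key /etc/bind rndc-confgen -a -c` twice in a row is idempotent: the second run reports `keep-key`, touches nothing but the mode bits, and exits 0. Dropping an rndc.conf into the directory beforehand yields `skip-conf` with no rndc.key created and still exits 0, which is the behaviour the reporter asks for.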
Comment 8 David Klaftenegger 2020-07-08 12:35:17 UTC
> The rndc-confgen usage issue (-r deprecated) is a separate problem.

Is there, or should there be, a separate bug for that issue?
Comment 9 Stéphane Veyret 2020-07-08 12:44:58 UTC
Well, this issue should be corrected one way or another: either within this same issue (it is just 3 characters to remove), or by creating a new one. But to my knowledge, there is no other open issue for it.
Comment 10 Phil Stracchino (Unix Ronin) 2020-07-08 14:20:11 UTC
I see no reason not to fix it at the same time.
Comment 11 Toralf Förster 2020-12-15 22:04:44 UTC
*** Bug 745909 has been marked as a duplicate of this bug. ***
Comment 12 Phil Stracchino (Unix Ronin) 2021-01-21 17:27:33 UTC
Fixed in #701032 in 9.16.10
Comment 13 Mikle Kolyada (RETIRED) 2021-01-22 12:04:55 UTC
*** This bug has been marked as a duplicate of bug 701032 ***