Previously reported for older BIND versions (see #691786).

The pkg_postinst section ONLY checks for the presence of /etc/bind/rndc.key before generating it if it is absent. However, rndc checks for both /etc/bind/rndc.key and /etc/bind/rndc.conf, and if both are present, it will use rndc.conf by preference but issue a WARNING that rndc.key exists as well.

Since rndc.conf is not created by the package itself, and will only exist if created by a user following the official configuration information, who can be PRESUMED to know what the correct keys are, it can be safely assumed that if rndc.conf exists, it is CORRECT and should be used, and therefore rndc.key SHOULD NOT be created. At present, the ebuild obstinately recreates an unwanted rndc.key file containing WRONG keys every time.

There is a straightforward one-liner fix for this:

babylon5:root:~:11 # diff -U5 bind-9.15.5.ebuild /usr/portage/net-dns/bind/bind-9.15.5.ebuild --- bind-9.15.5.ebuild 2019-10-20 04:39:54.000000000 -0400 +++ /usr/portage/net-dns/bind/bind-9.15.5.ebuild 2019-11-23 15:23:59.711993408 -0500 @@ -260,11 +260,11 @@ exeinto /usr/libexec doexe "${FILESDIR}/generate-rndc-key.sh" } pkg_postinst() { - if [ ! -f '/etc/bind/rndc.key' ]; then + if [ ! -f '/etc/bind/rndc.key' && ! -f '/etc/bind/rndc.conf' ]; then if use urandom; then einfo "Using /dev/urandom for generating rndc.key" /usr/sbin/rndc-confgen -r /dev/urandom -a echo else

This does not address the SEPARATE issue noted in #691786 that if USE="urandom" is defined, postinst attempts to create the rndc.key file using `-r /dev/urandom`, but rndc-confgen fails because the `-r` flag is deprecated.
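Review bot: The condition on the added line in pkg_postinst() is not valid for the single-bracket test: `&&` ends the `[` command, so the shell runs `[ ! -f '/etc/bind/rndc.key'` without its closing `]`, which fails with a "missing ]" error and a non-zero status, and the second half is never evaluated. The `if` is therefore always false and rndc.key is never generated, including on a fresh install where neither file exists and a key is actually needed. Since ebuilds are bash, either write `if [[ ! -f /etc/bind/rndc.key && ! -f /etc/bind/rndc.conf ]]; then` or join two separate tests as `[ ! -f '/etc/bind/rndc.key' ] && [ ! -f '/etc/bind/rndc.conf' ]`. The unchanged context line `/usr/sbin/rndc-confgen -r /dev/urandom -a` still passes the `-r` flag that the report itself describes as deprecated and failing, so the urandom branch would need a follow-up change for the key generation to succeed when it is reached.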
*** Bug 717760 has been marked as a duplicate of this bug. ***
fixed in 9.16.10
Just verified the fix. Thanks Mikle.
*** Bug 691786 has been marked as a duplicate of this bug. ***