Previously reported for older BIND versions (see #691786)

The pkg_postinst section ONLY checks for the presence of /etc/bind/rndc.key before generating it if it is absent.  However, rndc checks for both /etc/bind/rndc.key and /etc/bind/rndc.conf, and if both are present, it will use rndc.conf by preference but issue a WARNING that rndc.key exists as well.

Since rndc.conf is not created by the package itself, and will only exist if created by a user following the official configuration information, who can be PRESUMED to know what the correct keys are, it can be safely assumed that if rndc.conf exists, is is CORRECT and should be used, and therefore rndc.key SHOULD NOT be created.  At present, the ebuild obstinately recreates an unwanted rndc.key file containing WRONG keys every time.

There is a straightforward one-liner fix for this:

babylon5:root:~:11 # diff -U5 bind-9.15.5.ebuild /usr/portage/net-dns/bind/bind-9.15.5.ebuild
--- bind-9.15.5.ebuild  2019-10-20 04:39:54.000000000 -0400
+++ /usr/portage/net-dns/bind/bind-9.15.5.ebuild        2019-11-23 15:23:59.711993408 -0500
@@ -260,11 +260,11 @@
        exeinto /usr/libexec
        doexe "${FILESDIR}/generate-rndc-key.sh"
 }

 pkg_postinst() {
-       if [ ! -f '/etc/bind/rndc.key' ]; then
+       if [ ! -f '/etc/bind/rndc.key' && ! -f '/etc/bind/rndc.conf' ]; then
                if use urandom; then
                        einfo "Using /dev/urandom for generating rndc.key"
                        /usr/sbin/rndc-confgen -r /dev/urandom -a
                        echo
                else



This does not address the SEPARATE issue noted in #691786 that if USE="urandom" is defined, postinst attempts to create the rndc.key file using `-r /dev/urandom`, but rndc-confgen fails because the `-r` flag is deprecated.