#2656 IPA does not configure rndc
Closed: Invalid None Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=814475 (Red Hat Enterprise Linux 6)

Description of problem:

According to the documentation, IPA's BIND should be manageable through rndc,
however rndc is not configured by ipa-dns-install.

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:
1. install ipa server with --setup-dns option
2. make sure named is running
3. execute rndc status command.

Actual results:
# rndc status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Expected results:

# rndc status
.....
<name server status>
....

Additional info: https://bugzilla.redhat.com/show_bug.cgi?id=677381 (bind
takes a long time generating keys). Due to this bug, rndc-confgen is not run
during bind installation; it has to be done manually.

Can this be done during ipa-dns-install? (--setup-dns)

# /usr/sbin/rndc-confgen -a
# /sbin/restorecon /etc/rndc.conf
# chown root:named /etc/rndc.key
# chmod 0640 /etc/rndc.key

With automatic key generation we will run into the same problem as described in BZ https://bugzilla.redhat.com/show_bug.cgi?id=677381

There is not enough entropy to generate the rndc key and the installation will hang forever.

Unfortunately, I don't see any good automatic solution. Entropy is not generated from network interface cards, so somebody has to press some keys on a physical terminal to "unhang" the process waiting for randomness.

It needs more investigation into how it works in the kernel and how to work around this in a secure way.

Basically the BIND BZ is "not a bug", it's a "security feature".

Wow, I don't know how, but I changed some ticket flags :-) I'm resetting them to the previous state, sorry.
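An added example (not code from the ticket or from FreeIPA) of the four-step rndc setup the reporter lists, made idempotent and guarded against the entropy hang the comments describe: the 256-bit threshold, the 60 second limit, and the helper names (pool_sufficient, key_mode_ok, run_bounded) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: the rndc setup
# the reporter lists, made idempotent and guarded against the entropy hang
# discussed in the comments (BZ 677381). Paths, the 256-bit threshold and
# the 60 s limit are assumptions chosen for illustration.
RNDC_KEY=${RNDC_KEY:-/etc/rndc.key}
RNDC_CONF=${RNDC_CONF:-/etc/rndc.conf}
MIN_ENTROPY=${MIN_ENTROPY:-256}   # bits; assumed threshold
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Pure predicate: is the reported pool size ($1, in bits) enough to start?
# (Kernels >= 5.18 always report 256, so the guard is a no-op there.)
pool_sufficient() { [ "$1" -ge "$MIN_ENTROPY" ]; }

# Read the kernel pool counter; print -1 when it is unavailable (non-Linux).
read_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then cat "$ENTROPY_FILE"; else echo -1; fi
}

# The ticket wants the key readable only by root (rw) and named (r): 0640.
key_mode_ok() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r-----" ]; }

# ... and owned by root:named.
key_owner_ok() { [ "$(ls -ld "$1" | awk '{print $3 ":" $4}')" = "root:named" ]; }

# Bound a command's wall-clock time so a blocked random read fails loudly
# instead of hanging the installer forever; unbounded if timeout(1) is absent.
run_bounded() {
    secs=$1; shift
    if command -v timeout >/dev/null 2>&1; then timeout "$secs" "$@"; else "$@"; fi
}

setup_rndc() {
    if [ ! -f "$RNDC_KEY" ]; then          # idempotent: keep an existing key
        avail=$(read_entropy)
        if [ "$avail" -ge 0 ] && ! pool_sufficient "$avail"; then
            echo "entropy pool low ($avail bits); not blocking on rndc-confgen" >&2
            return 2
        fi
        run_bounded 60 /usr/sbin/rndc-confgen -a || {
            echo "rndc-confgen failed or timed out" >&2; return 1; }
    fi
    for f in "$RNDC_CONF" "$RNDC_KEY"; do   # SELinux relabel, as in the ticket
        [ -e "$f" ] && [ -x /sbin/restorecon ] && /sbin/restorecon "$f"
    done
    chown root:named "$RNDC_KEY" && chmod 0640 "$RNDC_KEY" || return 1
    key_mode_ok "$RNDC_KEY" && key_owner_ok "$RNDC_KEY"
}
```

Run setup_rndc as root on the IPA server; it returns 2 (without touching anything) when the pool is starved, instead of blocking the installer.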

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2.0 Documentation

7 years ago

