9.8 controls stmt ignores second key?
Phil Pennock
bind-users+phil at spodhuis.org
Fri Jun 8 04:04:52 UTC 2012
I upgraded bind today from 9.6 to 9.8.3-P1.
One of my automated reloads is now failing. I've tracked this down to
the second key in the controls configuration being ignored. If I swap
the order of the keys, the second (now first) key is honoured, the other
is not, so I know that both keys still work and it's just the order that
matters.
controls {
    inet 127.0.0.1 port 954 allow { localhost; } keys { rndc-key-nsauth; rndc-key-dnssync; };
    inet ::1 port 954 allow { localhost; } keys { rndc-key-nsauth; rndc-key-dnssync; };
};
(The non-standard port has a historical reason)
Both keys are hmac-md5. As I say, both work, but only if they're first
in the list. Whichever key is second gets this as client:
----------------------------8< cut here >8------------------------------
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
----------------------------8< cut here >8------------------------------
and as server:
----------------------------8< cut here >8------------------------------
general: info: received control channel command 'reload sks.pool.globnix.net'
general: error: invalid command from 127.0.0.1#61018: bad auth
----------------------------8< cut here >8------------------------------
As far as I can tell from:
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#controls_statement_definition_and_usage
the syntax is unchanged and the above *should* work.
Have I missed something that has changed, or is this a regression?
Nothing obvious in "CHANGES" that I can see.
Thanks,
-Phil
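
Added example, not part of the original post and not ISC code: a small POSIX shell check that runs a read-only "rndc status" with each key against each control-channel listener, so a key that is rejected only because of its position in the keys list shows up as a FAIL row for every listener. It assumes both key names from the post are defined in the local rndc.conf so that -y can select them; the function name probe_keys and the RNDC override variable are hypothetical.

```shell
#!/bin/sh
# Added example: probe every rndc key against every control-channel listener.
# RNDC can be overridden (for instance with a stub); it defaults to the real rndc.
RNDC="${RNDC:-rndc}"

# probe_keys PORT "SERVERS" "KEYS"
# Prints one line per (server, key) pair: "<server> <key> ok" or "<server> <key> FAIL".
# Returns 0 only if every pair authenticated.
probe_keys() {
    port=$1
    servers=$2
    keys=$3
    rc=0
    for server in $servers; do
        for key in $keys; do
            # -y selects the key by name from rndc.conf (assumption: it is defined there).
            # "status" does not change server state, so it is safe to repeat.
            if "$RNDC" -s "$server" -p "$port" -y "$key" status >/dev/null 2>&1; then
                echo "$server $key ok"
            else
                echo "$server $key FAIL"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage with the listeners and key names from the post:
#   probe_keys 954 "127.0.0.1 ::1" "rndc-key-nsauth rndc-key-dnssync"
```

Running it before and after swapping the order inside keys { ... } gives a per-listener, per-key record to attach to a bug report.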