[SRU] upgrade of MAAS removes local config for bind and breaks DNS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| MAAS |
Critical
|
Mike Pontillo | ||
| 1.7 |
Critical
|
Mike Pontillo | ||
| 1.8 |
Critical
|
Mike Pontillo | ||
| maas (Ubuntu) |
Undecided
|
Unassigned | ||
| Trusty |
Undecided
|
Unassigned | ||
| Vivid |
Undecided
|
Unassigned | ||
| Wily |
Undecided
|
Unassigned |
Bug Description
On an Ubuntu 14.04 host, I recently upgraded MAAS from
1.5.2+bzr2282-
production environment which uses MAAS to control both DNS and DHCP.
During the upgrade MAAS silently (without prompting) rewrote
/etc/bind/
some of our local config and broke DNS resolution for all clients in
this environment. Specifically, it removed and did not re-add a
forwarders entry.
I've attached 3 files: the original named.conf.options, the version
left after the MAAS upgrade and an artifical diff between the two to
show what's actually changed (i.e. ignoring MAAS rearranging things,
messing up whitespace and removing comments).
[Impact]
In 1.7+, MAAS started managing DNS forwarders as part of its DNS management feature. However, if a user in 1.5 would manually modify their configuration file to add forwaders, after an upgrade to 1.7+, DNS would en up broken. This adds the ability for MAAS to upgrade the DNS configuration correctly and migrate the manually configuration to the MAAS managed configuration.
[Test Case]
Without the fix:
1. Install maas 1.5
2. Configure MAAS to manage DNS/DHCP
3. Manually edit /etc/bind/
4. Upgrade to MAAS 1.7 with proposed fix.
5. MAAS will migrate the DNS forwarders config into MAAS' DB.
6. MAAS won't write allow-cache, allow-recursion, allow-cache-query.
[Regression Potential]
Minimal. This has been tested extensively in various environments, both on fresh installs and upgrades.
Related branches
- Andres Rodriguez (community): Needs Information on 2015-07-01
- Raphaël Badin (community): Approve on 2015-07-01
-
Diff: 552 lines (+471/-11)5 files modifiedbuildout.cfg (+0/-1)
src/maasserver/management/commands/edit_named_options.py (+9/-9)
src/maasserver/utils/isc.py (+283/-0)
src/maasserver/utils/tests/test_isc.py (+179/-0)
versions.cfg (+0/-1)
- Ricardo Bánffy (community): Approve on 2015-07-02
-
Diff: 25 lines (+3/-2)2 files modifieddebian/changelog (+3/-1)
debian/control (+0/-1)
- Mike Pontillo (community): Approve on 2015-07-04
- Ricardo Bánffy (community): Approve on 2015-07-02
-
Diff: 24 lines (+2/-1)2 files modifieddebian/changelog (+2/-0)
debian/control (+0/-1)
- Ricardo Bánffy (community): Approve on 2015-07-02
-
Diff: 25 lines (+3/-1)2 files modifieddebian/changelog (+3/-0)
debian/control (+0/-1)
- Gavin Panella (community): Approve on 2015-07-03
-
Diff: 546 lines (+470/-10)5 files modifiedbuildout.cfg (+0/-1)
src/maasserver/management/commands/edit_named_options.py (+8/-8)
src/maasserver/utils/isc.py (+283/-0)
src/maasserver/utils/tests/test_isc.py (+179/-0)
versions.cfg (+0/-1)
- Mike Pontillo (community): Approve on 2015-07-04
-
Diff: 546 lines (+470/-10)5 files modifiedbuildout.cfg (+0/-1)
src/maasserver/management/commands/edit_named_options.py (+8/-8)
src/maasserver/utils/isc.py (+283/-0)
src/maasserver/utils/tests/test_isc.py (+179/-0)
versions.cfg (+0/-1)
- Raphaël Badin (community): Approve on 2015-07-07
-
Diff: 689 lines (+409/-39)4 files modifiedsrc/maasserver/management/commands/edit_named_options.py (+116/-14)
src/maasserver/tests/test_commands_edit_named_options.py (+169/-15)
src/maasserver/utils/isc.py (+25/-4)
src/maasserver/utils/tests/test_isc.py (+99/-6)
- Mike Pontillo (community): Approve on 2015-07-07
-
Diff: 81 lines (+29/-10)3 files modifieddebian/changelog (+11/-1)
debian/maas-dns.postinst (+7/-9)
debian/maas-region-controller.postinst (+11/-0)
- Mike Pontillo (community): Approve on 2015-07-07
-
Diff: 87 lines (+23/-22)3 files modifieddebian/changelog (+11/-3)
debian/maas-dns.postinst (+2/-19)
debian/maas-region-controller.postinst (+10/-0)
- Mike Pontillo (community): Approve on 2015-07-07
-
Diff: 78 lines (+16/-20)3 files modifieddebian/changelog (+4/-1)
debian/maas-dns.postinst (+2/-19)
debian/maas-region-controller.postinst (+10/-0)
- Mike Pontillo (community): Approve on 2015-07-08
- Andres Rodriguez (community): Approve on 2015-07-08
-
Diff: 689 lines (+409/-39)4 files modifiedsrc/maasserver/management/commands/edit_named_options.py (+116/-14)
src/maasserver/tests/test_commands_edit_named_options.py (+169/-15)
src/maasserver/utils/isc.py (+25/-4)
src/maasserver/utils/tests/test_isc.py (+99/-6)
- MAAS Maintainers: Pending requested 2015-07-08
-
Diff: 299 lines (+125/-16) (has conflicts)11 files modifiedMakefile (+7/-0)
docs/conf.py (+1/-1)
src/maasserver/dns/tests/test_config.py (+4/-3)
src/maasserver/fields.py (+26/-0)
src/maasserver/static/css/maas-styles.css (+4/-0)
src/maasserver/static/partials/node-details.html (+6/-1)
src/maasserver/static/partials/node-events.html (+1/-1)
src/maasserver/tests/test_fields.py (+38/-0)
src/maasserver/views/tests/test_rpc.py (+11/-2)
src/provisioningserver/plugin.py (+7/-0)
src/provisioningserver/tests/test_plugin.py (+20/-8)
- Andres Rodriguez (community): Approve on 2015-07-08
-
Diff: 639 lines (+372/-31)5 files modifieddocs/changelog.rst (+11/-0)
src/maasserver/management/commands/edit_named_options.py (+96/-12)
src/maasserver/tests/test_commands_edit_named_options.py (+141/-9)
src/maasserver/utils/isc.py (+25/-4)
src/maasserver/utils/tests/test_isc.py (+99/-6)
- MAAS Maintainers: Pending requested 2015-07-08
-
Diff: 13596 lines (+10612/-113) (has conflicts)106 files modifiedMakefile (+7/-0)
contrib/maas-http.conf (+19/-0)
docs/changelog.rst (+163/-0)
docs/conf.py (+1/-1)
etc/maas/pserv.yaml.OTHER (+25/-0)
etc/maas/templates/commissioning-user-data/user_data_poweroff.template (+31/-0)
required-packages/base (+5/-0)
src/maas/development.py (+12/-1)
src/maas/settings.py (+6/-0)
src/maascli/api.py (+5/-0)
src/maascli/tests/test_api.py (+48/-0)
src/maasserver/api/doc.py (+11/-0)
src/maasserver/api/doc_handler.py (+5/-0)
src/maasserver/api/ip_addresses.py (+138/-0)
src/maasserver/api/nodegroups.py (+17/-0)
src/maasserver/api/nodes.py (+77/-1)
src/maasserver/api/pxeconfig.py (+19/-0)
src/maasserver/api/support.py (+16/-6)
src/maasserver/api/tests/test_doc.py (+79/-0)
src/maasserver/api/tests/test_ipaddresses.py (+274/-71)
src/maasserver/api/tests/test_node.py (+70/-0)
src/maasserver/api/tests/test_nodegroup.py (+75/-0)
src/maasserver/api/tests/test_pxeconfig.py (+17/-0)
src/maasserver/api/tests/test_support.py (+10/-0)
src/maasserver/api/tests/test_version.py (+8/-0)
src/maasserver/api/version.py (+13/-0)
src/maasserver/clusterrpc/tests/test_boot_images.py (+24/-0)
src/maasserver/dns/config.py (+28/-0)
src/maasserver/dns/tests/test_config.py (+11/-0)
src/maasserver/exceptions.py (+9/-0)
src/maasserver/fields.py (+26/-0)
src/maasserver/forms.py (+32/-1)
src/maasserver/forms_settings.py (+17/-0)
src/maasserver/management/commands/edit_named_options.py (+24/-0)
src/maasserver/models/config.py (+5/-0)
src/maasserver/models/macaddress.py (+74/-0)
src/maasserver/models/node.py (+102/-0)
src/maasserver/models/nodegroup.py (+27/-0)
src/maasserver/models/signals/power.py (+10/-0)
src/maasserver/models/tests/test_bootsource.py (+6/-0)
src/maasserver/models/tests/test_macaddress.py (+90/-0)
src/maasserver/models/tests/test_node.py (+159/-18)
src/maasserver/models/tests/test_nodegroup.py (+11/-0)
src/maasserver/rpc/nodes.py (+14/-0)
src/maasserver/rpc/tests/test_nodes.py (+32/-0)
src/maasserver/start_up.py (+93/-0)
src/maasserver/static/js/node_check.js.OTHER (+186/-0)
src/maasserver/static/js/node_views.js.OTHER (+680/-0)
src/maasserver/static/js/tests/test_node_check.html.OTHER (+36/-0)
src/maasserver/static/js/tests/test_node_check.js.OTHER (+128/-0)
src/maasserver/static/js/tests/test_node_views.html.OTHER (+55/-0)
src/maasserver/static/js/tests/test_node_views.js.OTHER (+1035/-0)
src/maasserver/static/js/utils.js.OTHER (+350/-0)
src/maasserver/templates/maasserver/base.html (+85/-0)
src/maasserver/templates/maasserver/node_actions.html (+29/-0)
src/maasserver/templates/maasserver/node_event_list_snippet.html.OTHER (+32/-0)
src/maasserver/templates/maasserver/node_view.html.OTHER (+292/-0)
src/maasserver/templates/maasserver/node_view_mac_display.html (+10/-0)
src/maasserver/templates/maasserver/nodes_listing.html.OTHER (+111/-0)
src/maasserver/templates/maasserver/snippets.html.OTHER (+67/-0)
src/maasserver/testing/factory.py (+30/-0)
src/maasserver/tests/test_dhcp.py (+11/-0)
src/maasserver/tests/test_fields.py (+38/-0)
src/maasserver/tests/test_forms_network.py (+76/-0)
src/maasserver/tests/test_forms_node.py (+9/-0)
src/maasserver/tests/test_js.py (+11/-0)
src/maasserver/tests/test_start_up.py (+64/-0)
src/maasserver/utils/isc.py (+286/-0)
src/maasserver/utils/mac.py (+34/-0)
src/maasserver/utils/tests/test_isc.py (+182/-0)
src/maasserver/utils/tests/test_mac.py (+35/-0)
src/maasserver/utils/tests/test_version.py (+217/-0)
src/maasserver/utils/version.py (+131/-0)
src/maasserver/views/nodes.py (+377/-6)
src/maasserver/views/tags.py.OTHER (+52/-0)
src/maasserver/views/tests/test_nodes.py.OTHER (+2766/-0)
src/maasserver/views/tests/test_rpc.py (+16/-2)
src/maasserver/views/tests/test_snippets.py (+47/-0)
src/maastesting/fixtures.py (+37/-0)
src/metadataserver/api.py (+10/-2)
src/metadataserver/models/commissioningscript.py (+41/-4)
src/metadataserver/models/tests/test_noderesults.py (+99/-0)
src/metadataserver/tests/test_api.py (+5/-0)
src/metadataserver/user_data/poweroff.py (+37/-0)
src/provisioningserver/boot/tests/test_boot.py (+7/-0)
src/provisioningserver/boot/tests/test_windows.py (+11/-0)
src/provisioningserver/boot/windows.py (+6/-0)
src/provisioningserver/config.py (+24/-0)
src/provisioningserver/dns/tests/test_config.py (+14/-0)
src/provisioningserver/drivers/hardware/tests/test_ucsm.py (+6/-0)
src/provisioningserver/drivers/hardware/ucsm.py (+21/-0)
src/provisioningserver/drivers/hardware/virsh.py (+12/-0)
src/provisioningserver/drivers/osystem/custom.py (+19/-0)
src/provisioningserver/drivers/osystem/tests/test_custom.py (+20/-0)
src/provisioningserver/plugin.py (+148/-0)
src/provisioningserver/rpc/boot_images.py (+22/-0)
src/provisioningserver/rpc/cluster.py (+4/-0)
src/provisioningserver/rpc/clusterservice.py (+34/-0)
src/provisioningserver/rpc/power.py (+38/-0)
src/provisioningserver/rpc/tests/test_boot_images.py (+53/-0)
src/provisioningserver/rpc/tests/test_clusterservice.py (+205/-0)
src/provisioningserver/rpc/tests/test_power.py (+57/-0)
src/provisioningserver/tests/test_config.py (+152/-0)
src/provisioningserver/tests/test_plugin.py (+5/-0)
src/provisioningserver/tests/test_plugin_services.py.OTHER (+87/-0)
utilities/update-new-and-modified-copyright (+15/-0)
- Raphaël Badin (community): Approve on 2015-07-09
- Andres Rodriguez (community): Approve on 2015-07-09
-
Diff: 351 lines (+176/-6)8 files modifiedetc/maas/templates/dns/named.conf.options.inside.maas.template (+7/-0)
src/maasserver/management/commands/edit_named_options.py (+1/-1)
src/maasserver/tests/test_commands_edit_named_options.py (+2/-2)
src/provisioningserver/dns/config.py (+38/-0)
src/provisioningserver/dns/testing.py (+2/-0)
src/provisioningserver/dns/tests/test_config.py (+117/-0)
src/provisioningserver/utils/isc.py (+3/-1)
src/provisioningserver/utils/tests/test_isc.py (+6/-2)
- Mike Pontillo (community): Approve on 2015-07-09
-
Diff: 352 lines (+176/-7)8 files modifiedetc/maas/templates/dns/named.conf.options.inside.maas.template (+7/-1)
src/maasserver/management/commands/edit_named_options.py (+1/-1)
src/maasserver/tests/test_commands_edit_named_options.py (+2/-2)
src/provisioningserver/dns/config.py (+38/-0)
src/provisioningserver/dns/testing.py (+2/-0)
src/provisioningserver/dns/tests/test_config.py (+117/-0)
src/provisioningserver/utils/isc.py (+3/-1)
src/provisioningserver/utils/tests/test_isc.py (+6/-2)
- Mike Pontillo (community): Approve on 2015-07-09
-
Diff: 351 lines (+176/-6)8 files modifiedetc/maas/templates/dns/named.conf.options.inside.maas.template (+7/-0)
src/maasserver/management/commands/edit_named_options.py (+1/-1)
src/maasserver/tests/test_commands_edit_named_options.py (+2/-2)
src/provisioningserver/dns/config.py (+38/-0)
src/provisioningserver/dns/testing.py (+2/-0)
src/provisioningserver/dns/tests/test_config.py (+117/-0)
src/provisioningserver/utils/isc.py (+3/-1)
src/provisioningserver/utils/tests/test_isc.py (+6/-2)
- Andres Rodriguez (community): Approve on 2015-07-13
-
Diff: 52 lines (+15/-5)3 files modifieddebian/changelog (+11/-3)
debian/control (+3/-2)
debian/maas-region-controller.postinst (+1/-0)
- Andres Rodriguez (community): Approve on 2015-07-13
-
Diff: 52 lines (+9/-4)3 files modifieddebian/changelog (+5/-2)
debian/control (+3/-2)
debian/maas-region-controller.postinst (+1/-0)
James Troup (elmo) wrote : | #1 |
James Troup (elmo) wrote : | #2 |
James Troup (elmo) wrote : | #3 |
Changed in maas: | |
importance: | Undecided → Critical |
status: | New → Confirmed |
tags: | added: dns |
Raphaël Badin (rvb) wrote : | #4 |
Raphaël Badin (rvb) wrote : | #5 |
> This command is supposed to parse the existing named.conf.options file and only add the required stanza but I suppose that this
> didn't work in your case.
Well, more precisely, it seems the `edit_named_
Changed in maas: | |
milestone: | none → next |
Changed in maas: | |
milestone: | next → 1.8.0 |
Changed in maas: | |
assignee: | nobody → Ricardo Bánffy (rbanffy) |
status: | Confirmed → In Progress |
Changed in maas: | |
assignee: | Ricardo Bánffy (rbanffy) → nobody |
status: | In Progress → Triaged |
status: | Triaged → Confirmed |
Changed in maas: | |
assignee: | nobody → Mike Pontillo (mpontillo) |
Changed in maas: | |
assignee: | Mike Pontillo (mpontillo) → nobody |
Changed in maas: | |
assignee: | nobody → Mike Pontillo (mpontillo) |
Changed in maas: | |
assignee: | Mike Pontillo (mpontillo) → nobody |
milestone: | 1.8.0 → 1.8.1 |
Tom Haddon (mthaddon) wrote : | #6 |
Confirmed this is still an issue going from 1.5.4+bzr2294-
Christian Reis (kiko) wrote : | #7 |
Confirming, though if this looks too risky for 1.7 we may just have to release note it.
Barry Price (barryprice) wrote : | #8 |
These is a second issue here - the upgrades also adds the include mentioned in James's attachment:
include "/etc/bind/
This file, in my case, contained three lines:
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
Since our original config already set values for both allow-query and allow-query-cache, bind9 refused to start post-upgrade until I either commented out the duplicate line in the include file, or in our own config.
James Troup (elmo) wrote : | #9 |
This just broke ProdStack 4½ and all production services in it (including jujucharms, git.launchpad.net, SSO etc.).
Changed in maas: | |
milestone: | 1.8.1 → 1.9.0 |
assignee: | nobody → Mike Pontillo (mpontillo) |
Mike Pontillo (mpontillo) wrote : | #10 |
What I'd like to do is address the issue with the forwarders and DNSSEC issues first, since the MAAS configuration already contains options to set these. (at least it does in 1.8; in 1.7, only forwarders are allowed to be set) My plan is to ensure that these values are properly migrated from the BIND config to MAAS settings, rather than being silently deleted.
Barry, may I ask what values you had in the original config for allow-query, allow-recursion, and allow-query-cache? (were they set to something other than what MAAS set them to? If so, we may need a separate bug to address this. If not, it might be safe to simply delete these values from the original config - like we do with forwarders and DNSSEC - so that BIND doesn't crash on startup.) We'll need to study these options to see what the pitfalls are here.
Mike Pontillo (mpontillo) wrote : | #11 |
By the way, we're also planning on adding comments regarding the pitfalls of changing the now-MAAS-managed named.conf.options to the header, before we write out the generated configuration.
Changed in maas: | |
status: | Confirmed → Triaged |
Mike Pontillo (mpontillo) wrote : | #12 |
We just landed a series of changes (which should make it to 1.7.6 and 1.8.1) to:
* Ignore the "allow-query", "allow-recursion", and "allow-query-cache" options when writing the MAAS DNS options file, if they are already present within named.conf.options.
* Migrate the "forwarders" and "dnssec-validation" options from the user's configuration to the MAAS database, if they are present within named.conf.options during an upgrade or install of maas-region-
Sadly, we don't preserve the original comments inside named.conf.options, but that is a significant amount of additional effort.
Hopefully this will resolve the issue for everyone.
Changed in maas: | |
status: | Triaged → Fix Committed |
summary: |
- upgrade of MAAS removes local config for bind and breaks DNS + [SRU] upgrade of MAAS removes local config for bind and breaks DNS |
description: | updated |
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package maas - 1.7.6+bzr3376-
---------------
maas (1.7.6+
* New upstream release 1.7.6 bzr3376:
- Accept list of forwarders for upstream_dns rather than just
one. (LP: #1470585)
- Fix upgrade issue where it would remove custom DNS config,
potentially breaking DNS. (LP: #1413388)
[ Raphaël Badin ]
* Drop dependency on python-iscpy: the code has been integrated into
MAAS. (LP: #1413388).
[ Andres Rodriguez ]
* Refactor maas-dns upgrade code so it doesn't break local DNS config
and it gets migrated (LP: #1413388)
-- Andres Rodriguez <email address hidden> Fri, 03 Jul 2015 00:11:50 -0400
Changed in maas (Ubuntu Wily): | |
status: | New → Fix Released |
Hello James, or anyone else affected,
Accepted maas into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in maas (Ubuntu Trusty): | |
status: | New → Fix Committed |
tags: | added: verification-needed |
Changed in maas (Ubuntu Utopic): | |
status: | New → Fix Committed |
Adam Conrad (adconrad) wrote : | #15 |
Hello James, or anyone else affected,
Accepted maas into utopic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in maas (Ubuntu Vivid): | |
status: | New → Fix Committed |
Adam Conrad (adconrad) wrote : | #16 |
Hello James, or anyone else affected,
Accepted maas into vivid-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Mike Pontillo (mpontillo) wrote : | #17 |
I tested by installing bind9 on Trusty, then installing maas 1.7.6+bzr3376-
I verified that the forwarders were properly migrated to the MAAS configuration, as long as at least one cluster interface was set to be managing DNS.
The forwarders are migrated into the MAAS database, and values such as allow-query, allow-recursion, and allow-query-cache (which MAAS had previously always written into /etc/bind/
Hopefully this solves the issue for everyone.
Andres Rodriguez (andreserl) wrote : | #18 |
I've tested this in trusty, utopic and vivid. Confirm it works as expected as per Mike above.
tags: |
added: verification-done removed: verification-needed |
Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package maas - 1.7.6+bzr3376-
---------------
maas (1.7.6+
* debian/control: Make maas-dns a Dependy of maas-region-
* debian/
always run. (LP: #1413388)
-- Andres Rodriguez <email address hidden> Fri, 10 Jul 2015 13:47:40 -0400
Changed in maas (Ubuntu Trusty): | |
status: | Fix Committed → Fix Released |
Adam Conrad (adconrad) wrote : Update Released | #19 |
The verification of the Stable Release Update for maas has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #21 |
This bug was fixed in the package maas - 1.7.6+bzr3376-
---------------
maas (1.7.6+
* debian/control: Make maas-dns a Dependy of maas-region-
* debian/
always run. (LP: #1413388)
-- Andres Rodriguez <email address hidden> Fri, 10 Jul 2015 13:47:40 -0400
Changed in maas (Ubuntu Vivid): | |
status: | Fix Committed → Fix Released |
no longer affects: | maas (Ubuntu Utopic) |
David Lawson (deej) wrote : | #22 |
When upgrading from 1.5 to 1.7.6+bzr3376-
Junien Fridrick (axino) wrote : | #23 |
Also : would running "maas-region-admin edit_named_options --migrate-
Thanks
Changed in maas: | |
status: | Fix Committed → Fix Released |
status: | Fix Released → Fix Committed |
Changed in maas: | |
status: | Fix Committed → Fix Released |
The culprit is the fix for https:/ /bugs.launchpad .net/maas/ +bug/1275649.
It creates a `edit_named_ options` Django command that is run in postinst: that command is there to edit the named.conf.options file so that it includes the maas forwarders config. This command is supposed to parse the existing named.conf.options file and only add the required stanza but I suppose that this didn't work in your case.