Comment 5 for bug 162821

Loye Young (loyeyoung) wrote : Re: Settings root differs from that of bind9 package

Yes, it's a bug, or more accurately a whole mess of bugs, probably in both bind9 and in gbindadmin, but especially in gbindadmin. Changing bind to match gbindadmin would be a huge exercise of the tail wagging the dog. The administrative tool should follow the underlying program, not the other way around.

gbindadmin assumes that bind will be run in a secure manner. As it ships from Ubuntu, the default install of bind9 is to run with suid root, and not in a chroot jail, both of which are deprecated in the bind9 documentation. The fix is as follows:

-OPTIONS=""
+OPTIONS="-u bind -t /var/lib/named/ -c /etc/bind/named.conf"
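Review bot: with -t present, the -c path is opened after the chroot, so this line makes named read /var/lib/named/etc/bind/named.conf (and every path that configuration names is chroot-relative too), not the host's /etc/bind/named.conf; the configuration, zone files, rndc key and the working and pid-file directories named.conf specifies must exist under /var/lib/named and be readable (the latter writable) by the bind user before this OPTIONS line can start named. Set OPTIONS in /etc/default/bind9, which /etc/init.d/bind9 sources, rather than in the init script itself, so a package upgrade does not revert the change.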

(see /etc/init.d/bind9)

The default command channel in gbindadmin's named.conf (127.0.0.1) seems to cause conflicts. It should be changed to 127.0.0.3 (or whatever your favorite number is; I got the number from the bind9-doc documentation), and a setting created that will allow for a configurable control address. (The same setting should be used when gbindadmin writes the zone files, too.)

gbindadmin's install script should check to see what the OPTIONS are (the pun was begging to be used) and offer to change the OPTIONS, preferably with an editable field because there are so many different possible use cases with bind.

gbindadmin's default chroot should be /var/lib/named instead of /var/named. There exists already a setting to change it, but out of the box, the config should "just work".

gbindadmin should put the named.conf file in /etc/bind/named.conf instead of /etc/named.conf, and should add a setting that allows for customizable path to named.conf. The workaround for now is to use a hardlink between the two (for some reason, a symlink won't work), viz:

# ln $CHROOTDIR/bind/named.conf $CHROOTDIR/named.conf # I may not be correct on the actual variable name; but you get the idea.

Similarly, the rndc key generation (i.e., rndc-confgen) is asymmetric between bind9 and gbindadmin. The default key length of bind9's install script, rndc-confgen, and gbindadmin should all be 256, as it is in gbindadmin, IMHO. But whatever key length you pick, it should be the same between the three of them. Further, both bind9 and gbindadmin should run rndc-confgen with the correct options, to wit:

# rndc-confgen -u bind -a -b 256 -s 127.0.0.3 -t /var/lib/named -c /etc/bind/rndc.key

gbindadmin's "Reload Zones" function is also broken, I think because of the same wrong paths and unset options for the "rndc reload" command as for the rndc-confgen originally.

gbindadmin's named.conf file seems to be broken on the keys, too. I had to delete the "key" stanza and remove the reference to the rndc_key in the "controls" stanza. The following is what the controls stanza looks like after the change:

controls {
    inet 127.0.0.3 allow { localhost; };
};

Finally, the man page for gbindadmin should be corrected and expanded. Notably, the man page states that gbindadmin doesn't have any options, which is true insofar as the command line goes, but untrue insofar as configuration goes (see /etc/gbindadmin/settings.conf). Certainly at a minimum, the location and meaning of each of the settings should be documented in the man page. Even better would be some discussion of the assumed configuration of named.

This all took me about three days to figure out, and I'd like to spare others the pain and frustration.

I really, really like gbindadmin once it's up and working, especially in conjunction with gdhcpd. I'm planning on including all the gadmintools as a part of the GUI desktop server product I expect to release in Q3 of 2008.

Happy Trails,

Loye Young
Isaac & Young Computer Company
Laredo, Texas
http://www.iycc.biz
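The mismatches the comment above describes (named not dropping privileges or not chrooted, named.conf not where -c will look once the chroot is in effect, the rndc key copy inside the chroot not matching the host copy, and the controls address differing from the one rndc connects to) can be checked mechanically. The script below is an added example for this page; it is not code from the bug report, from gbindadmin or from the bind9 package. It assumes that OPTIONS is set in /etc/default/bind9 (which Ubuntu's /etc/init.d/bind9 sources), that named looks for its key at /etc/bind/rndc.key relative to the chroot, and that rndc connects to 127.0.0.1 when no rndc.conf names a default-server. All paths are parameters so the check can be run against a constructed tree.

```shell
#!/bin/sh
# check_named_chroot: verify that a chrooted, unprivileged bind9 and rndc agree
# on paths, keys and the control address. Added example, not from the bug report.
# Assumptions: OPTIONS lives in /etc/default/bind9; named reads its key from
# /etc/bind/rndc.key inside the chroot; rndc defaults to 127.0.0.1 without rndc.conf.

# Print the argument following flag -$2 in the OPTIONS string $1 (empty if absent).
named_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="-$2" 'p { print; exit } $0 == f { p = 1 }'
}

# Print the base64 secret of the first key stanza in file $1 (rndc.key or named.conf).
key_secret() {
    sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the IPv4 address of the "controls { inet ... }" stanza in named.conf $1.
controls_addr() {
    sed -n 's/.*inet[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print rndc's default-server from rndc.conf $1; 127.0.0.1 if the file or option is missing.
rndc_server() {
    s=""
    if [ -f "$1" ]; then
        s=$(sed -n 's/.*default-server[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1)
    fi
    printf '%s\n' "${s:-127.0.0.1}"
}

# Usage: check_named_chroot [defaults-file] [host rndc.key] [host rndc.conf]
# Prints one FAIL line per inconsistency; returns 0 only when everything agrees.
check_named_chroot() {
    defaults=${1:-/etc/default/bind9}
    hostkey=${2:-/etc/bind/rndc.key}
    rndcconf=${3:-/etc/bind/rndc.conf}
    rc=0
    opts=$(sed -n 's/^OPTIONS="\(.*\)"/\1/p' "$defaults" | tail -n 1)
    user=$(named_opt "$opts" u)
    root=$(named_opt "$opts" t)
    conf=$(named_opt "$opts" c)
    conf=${conf:-/etc/bind/named.conf}   # named's compiled-in default on Debian/Ubuntu
    root=${root%/}                       # "-t /var/lib/named/" names the same chroot as without the slash
    if [ -z "$user" ]; then echo "FAIL: no -u in OPTIONS; named keeps running as root"; rc=1; fi
    if [ -z "$root" ]; then echo "FAIL: no -t in OPTIONS; named is not chrooted"; rc=1; fi
    # -c is opened after the chroot, so the file must exist under the chroot directory.
    if [ ! -f "$root$conf" ]; then
        echo "FAIL: $conf is not present inside the chroot ($root$conf)"; rc=1
    fi
    # named reads the key copy inside the chroot, rndc reads the host copy; secrets must match.
    chrootkey="$root/etc/bind/rndc.key"
    if [ -f "$hostkey" ] && [ -f "$chrootkey" ]; then
        if [ "$(key_secret "$hostkey")" != "$(key_secret "$chrootkey")" ]; then
            echo "FAIL: secret in $hostkey differs from $chrootkey"; rc=1
        fi
    else
        echo "FAIL: need both $hostkey and $chrootkey (rndc-confgen -a -t <chroot> writes both)"; rc=1
    fi
    # The address the controls stanza listens on must be the one rndc will connect to.
    listen=""
    if [ -f "$root$conf" ]; then listen=$(controls_addr "$root$conf"); fi
    target=$(rndc_server "$rndcconf")
    if [ -n "$listen" ] && [ "$listen" != "$target" ]; then
        echo "FAIL: named controls listen on $listen but rndc connects to $target"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: user $user, chroot $root, config $conf, rndc via $target"; fi
    return "$rc"
}
```

Run it as root on the server (`check_named_chroot`) after changing OPTIONS and generating the keys; a stock install with OPTIONS="" fails the first two checks immediately, and a key generated without `-t` fails the key-copy check because nothing was written under the chroot.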