bind: remove -r option for rndc-confgen

The named service fail to start as below:
 # systemctl  status  named.service
   named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2020-09-16 06:07:49 UTC; 9s ago
    Process: 134206 ExecStartPre=/usr/sbin/generate-rndc-key.sh (code=exited, status=1/FAILURE)

Sep 16 06:07:49 intel-x86-64 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134206]: Generating /etc/bind/rndc.key:
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134207]: rndc-confgen: The -r option has been deprecated.
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134208]: chown: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134209]: chmod: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Failed with result 'exit-code'.
Sep 16 06:07:49 intel-x86-64 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

It is because fail to execute "/usr/sbin/generate-rndc-key.sh" as
-r is deprecated since bind 9.13.x and the random function changes
in [1], so remove -r option to fix the above issue.

DNSSEC validation is now active by default after bind upgrade to 9.16.x,
but it is not in 9.11.x. So disable DNSSEC validation explicitly to
silence below message.
Sep 18 03:21:37 intel-x86-64 named[23272]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

[1]: https://gitlab.isc.org/isc-projects/bind9/-/commit/3a4f820d625c214cfb21f5e6d18ce9160d2a193b

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-connectivity/bind/bind-9.16.5/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.16.5/generate-rndc-key.sh
index ef915c0ae5a4611d72389100fc851df39afc182f..633e29c0e6157f465f22b0c9577b7813ccc6b6b1 100644 (file)
--- a/meta/recipes-connectivity/bind/bind-9.16.5/generate-rndc-key.sh
+++ b/meta/recipes-connectivity/bind/bind-9.16.5/generate-rndc-key.sh
@@ -2,7 +2,7 @@
 
 if [ ! -s /etc/bind/rndc.key ]; then
     echo -n "Generating /etc/bind/rndc.key:"
-    /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+    /usr/sbin/rndc-confgen -a -b 512
     chown root:bind /etc/bind/rndc.key
     chmod 0640 /etc/bind/rndc.key
 fi

diff --git a/meta/recipes-connectivity/bind/bind_9.16.5.bb b/meta/recipes-connectivity/bind/bind_9.16.5.bb
index 103192490a85244468baa32fe2fcf9a51c90dbe3..eb263c2eda6db846e1a41bb297bf7857fdca53bf 100644 (file)
--- a/meta/recipes-connectivity/bind/bind_9.16.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.5.bb
@@ -34,7 +34,7 @@ PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline"
 PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit"
 PACKAGECONFIG[python3] = "--with-python=yes --with-python-install-dir=${PYTHON_SITEPACKAGES_DIR} , --without-python, python3-ply-native,"
 
-EXTRA_OECONF = " --with-libtool --disable-devpoll --enable-epoll \
+EXTRA_OECONF = " --with-libtool --disable-devpoll --disable-auto-validation --enable-epoll \
                  --with-gssapi=no --with-lmdb=no --with-zlib \
                  --sysconfdir=${sysconfdir}/bind \
                  --with-openssl=${STAGING_DIR_HOST}${prefix} \