OK, now that I've thought about this some more, we should _not_ be allowing the dhcp server to read the rndc.key.
The rndc.key key isn't for dynamic updates, it's for use by the rndc utility for server management. It would typically be used by sysadmins inside the "controls" statement in the config file. Reusing this same key for dynamic updates is a security issue, as it may allow more permissions than what is intended. Dynamic updates should be using other keys, not that particular one.

Perhaps we should define a standard location for dynamic update keys that could be used by both bind9 and dhcp, and we could add that to the AppArmor profile... perhaps a "keys" subdirectory?

--
https://bugs.launchpad.net/bugs/341817
Title: dhcpd wont start due to rndc.key permissions
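The key reuse described in the comment above can be checked mechanically. The following is an added example, not part of the bug report or of bind9/isc-dhcp: a small audit that flags a key named in the `controls` statement when it is also used for dynamic updates, and flags a dhcpd.conf that includes rndc.key. The sample configs, key names and file paths are constructed for illustration.

```python
import re

# Constructed sample configs (not from the bug report); secrets are placeholders.
NAMED_CONF = '''
key "rndc-key" { algorithm hmac-sha256; secret "PLACEHOLDER"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
zone "example.com" {
    type master;
    file "/var/lib/bind/db.example.com";
    allow-update { key "rndc-key"; };   // management key reused for updates
};
'''
DHCPD_CONF = '''
include "/etc/bind/rndc.key";           # forces dhcpd to read the rndc key file
zone example.com. { primary 127.0.0.1; key rndc-key; }
'''
NAME = r'"?([\w.-]+)'  # optionally quoted key name

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoting)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def blocks(text, keyword):
    """Yield the brace-balanced body of each `keyword ... { ... }` statement."""
    pat = r'(?<![\w-])' + re.escape(keyword) + r'(?![\w-])[^{;]*\{'
    for m in re.finditer(pat, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(named_conf, dhcpd_conf):
    """Return findings where the rndc control key doubles as an update key."""
    named, dhcpd = strip_comments(named_conf), strip_comments(dhcpd_conf)
    control = {k for c in blocks(named, 'controls')
               for b in blocks(c, 'keys') for k in re.findall(r'[\w.-]+', b)}
    update = set()
    for kw, verb, conf in (('allow-update', 'key', named),
                           ('update-policy', 'grant', named),
                           ('zone', 'key', dhcpd)):
        for body in blocks(conf, kw):
            update |= set(re.findall(r'\b' + verb + r'\s+' + NAME, body))
    findings = [f'key "{k}" is used for both rndc control and dynamic updates'
                for k in sorted(control & update)]
    if re.search(r'include\s+"[^"]*rndc\.key"', dhcpd):
        findings.append('dhcpd.conf includes rndc.key')
    return findings

if __name__ == '__main__':
    for finding in audit(NAMED_CONF, DHCPD_CONF):
        print('FINDING:', finding)
```

With a dedicated update key (for instance one stored under a hypothetical `keys` subdirectory, as the comment suggests) both findings disappear.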