BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..
howard at leadmon.net
Wed Nov 23 12:53:40 UTC 2011

I just ran through on one of my older FreeBSD servers, and updated from
BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
after doing this bind crashes.

I am seeing:

Nov 23 06:35:19 named: starting BIND 9.8.1-P1 -u bind -t /var/named
Nov 23 06:35:19 named: built with '--localstatedir=/var'
'--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named: using up to 4096 sockets
Nov 23 06:35:19 named: initializing DST: openssl failure
Nov 23 06:35:19 named: exiting (due to fatal error)

Now as I knew this older machine (on my hitlist to be upgraded) and the
supplied OpenSSL had issues of its own, I also installed the current
OpenSSL from the ports to use, which BIND is built against. After doing
the update to the -P1 version, I now find that when trying to start it dies
with the above error.

So I fired up my google-fu and found references stating I needed to get the
shared libs from the OpenSSL engines directory over into the chrooted
/var/named directory, so this I did:

lib4758cca.so libcapi.so libgmp.so libpadlock.so
libaep.so libchil.so libgost.so libsureware.so
libatalla.so libcswift.so libnuron.so libubsec.so

Again I tried to start named, but no love. So I tried starting it
without the chroot environment, and sure enough it worked fine! As
another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and
tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that
also started up just fine!

So at this point, I had to run without chroot, and have a current OpenSSL
which I think I may need as I am doing DNSSEC, or I can back off to the OS
supplied ancient version of SSL and then have a working chroot. Not sure
what is up with this, but if anyone has any hints or tips on how to resolve
this issue, I would sure be thankful for the pointers. Not sure why this
all of a sudden decided to break, but it was sure driving me up a wall for a
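
An added example, not part of the original post: a POSIX sh check that every engine library in an OpenSSL engines directory also exists, byte-identical, at the same absolute path under a chroot such as /var/named. The function name `missing_engines`, the premise that engines are opened by absolute path, and the sample engines path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: a dynamically loaded OpenSSL engine is opened by its absolute
# path, so inside a chroot it must exist at <chroot><engines_dir>/<name>.
#
# Usage (the engines path is an assumed example):
#   sh check_engines.sh /var/named /usr/local/lib/engines

# missing_engines CHROOT ENGINES_DIR
# Prints one line per problem found:
#   missing <path>  - no copy at the mirrored path inside the chroot
#   differs <path>  - a copy exists but is not byte-identical, for example
#                     one left over from a different OpenSSL build
# Returns 0 if every engine is mirrored, 1 if not, 2 if ENGINES_DIR is absent.
missing_engines() {
    chroot_dir=$1
    engines_dir=$2
    bad=0

    if [ ! -d "$engines_dir" ]; then
        echo "no-engines-dir $engines_dir"
        return 2
    fi

    for lib in "$engines_dir"/*.so; do
        [ -e "$lib" ] || continue       # glob matched nothing
        inside="$chroot_dir$lib"        # same absolute path, under the chroot
        if [ ! -e "$inside" ]; then
            echo "missing $inside"
            bad=1
        elif ! cmp -s "$lib" "$inside"; then
            echo "differs $inside"
            bad=1
        fi
    done
    return "$bad"
}

# Run the check only when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    missing_engines "$1" "$2"
fi
```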