BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

Howard Leadmon howard at leadmon.net
Wed Nov 23 12:53:40 UTC 2011 

  I just ran through on one of my older FreeBSD servers, and updated from
BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
after doing this bind crashes.

I am seeing:


Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
-u bind
Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
'--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
'--with-openssl=/usr/local' '--with-libxml2=/usr/local'
'--with-idn=/usr/local' '--with-libiconv=/usr/local'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named[24537]: using up to 4096 sockets
Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
Nov 23 06:35:19 named[24537]: exiting (due to fatal error)


Now as I knew my this older machine (on my hitlist to be upgraded) and the
supplied OpenSSL had issues of it's own, I also installed the current
OpenSSL from the ports to use, which BIND is built against.    After doing
the update to the -P1 version, I now find that when trying to start it dies
with the above error.

So I fired up my google-fu and found refrences stating I needed to get the
shared libs from the OpenSSL engines directory over into the chrooted
/var/named directory, so this I did:

/var/named/usr:
local

/var/named/usr/local:
lib

/var/named/usr/local/lib:
engines

/var/named/usr/local/lib/engines:
lib4758cca.so   libcapi.so      libgmp.so       libpadlock.so
libaep.so       libchil.so      libgost.so      libsureware.so
libatalla.so    libcswift.so    libnuron.so     libubsec.so


Again I tried to start named, but no love.      So I tried starting it
without the chroot environment, and sure enough it worked fine!    As
another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and
tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that
also started up just fine!    

 So at this point, I had to run without chroot,  and have a current OpenSSL
which I think I may need as I am doing DNSSEC, or I can back off to the OS
supplied ancient version of SSL and then have a working chroot.   Not sure
what is up with this, but if anyone has any hints or tips on how to resolve
this issue, I would sure be thankful for the pointers.    Not sure why this
all of a sudden decided to break, but it was sure driving me up a wall for a
bit today..


---
Howard Leadmon

More information about the freebsd-questions mailing list