Date:      Wed, 23 Nov 2011 07:53:36 -0500
From:      "Howard Leadmon" <>
To:        <>
Subject:   BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..
Message-ID:  <014201cca9de$ec1429c0$c43c7d40$>


  I just ran through on one of my older FreeBSD servers, and updated from
BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
after doing this bind crashes.

I am seeing:

Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
-u bind
Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
'--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
'--with-openssl=/usr/local' '--with-libxml2=/usr/local'
'--with-idn=/usr/local' '--with-libiconv=/usr/local'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named[24537]: using up to 4096 sockets
Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
Nov 23 06:35:19 named[24537]: exiting (due to fatal error)

Now as I knew this older machine (on my hitlist to be upgraded) and the
supplied OpenSSL had issues of its own, I also installed the current
OpenSSL from the ports to use, which BIND is built against. After doing
the update to the -P1 version, I now find that when trying to start it dies
with the above error.

So I fired up my google-fu and found references stating I needed to get the
shared libs from the OpenSSL engines directory over into the chrooted
/var/named directory, so this I did:





Again I tried to start named, but no love. So I tried starting it
without the chroot environment, and sure enough it worked fine! As
another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and
tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that
also started up just fine!

So at this point, I had to run without chroot, and have a current OpenSSL
which I think I may need as I am doing DNSSEC, or I can back off to the OS
supplied ancient version of SSL and then have a working chroot. Not sure
what is up with this, but if anyone has any hints or tips on how to resolve
this issue, I would sure be thankful for the pointers. Not sure why this
all of a sudden decided to break, but it was sure driving me up a wall for a
bit today..

Howard Leadmon 
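
A way to verify the copy step described in the message, as an added example that is not part of the original post: a chrooted named resolves the OpenSSL engines directory relative to the chroot root, so each engine library has to exist at the same absolute path under /var/named, and a copy left from a different OpenSSL build does not count. The function name and the engines directory argument are assumptions (the page does not give the path); this checks the step, it does not diagnose the failure reported above.

```shell
#!/bin/sh
# Added example: report OpenSSL engine libraries that a chrooted named
# would not find (or would find in a stale version) inside the chroot.

# audit_chroot_engines CHROOT ENGINES_DIR   (hypothetical helper name)
#   CHROOT      - chroot root, e.g. the /var/named passed to named -t
#   ENGINES_DIR - absolute host path of the OpenSSL engines directory
#                 (assumption: supply the one your OpenSSL build uses)
# Prints "MISSING <path>" or "STALE <path>" per problem.
# Returns 0 if the chroot mirrors the host directory, 1 if not, 2 on bad input.
audit_chroot_engines() {
    chroot_root=${1%/}
    engines_dir=${2%/}
    rc=0

    case $engines_dir in
        /*) ;;
        *) echo "ERROR engines dir must be absolute: $engines_dir"; return 2 ;;
    esac
    [ -d "$engines_dir" ] || { echo "ERROR no such directory: $engines_dir"; return 2; }

    for lib in "$engines_dir"/*.so*; do
        [ -f "$lib" ] || continue        # glob matched nothing
        inside="$chroot_root$lib"        # same absolute path, under the chroot
        if [ ! -f "$inside" ]; then
            echo "MISSING $inside"
            rc=1
        elif ! cmp -s "$lib" "$inside"; then
            # Present, but not the file the current OpenSSL build installed
            echo "STALE $inside"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /var/named <engines-dir>
if [ "$#" -eq 2 ]; then
    audit_chroot_engines "$1" "$2"
fi
```
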
