Re: OpenSSL problem: bind98-base FreeBSD port
In article , Matthew Pounsett wrote:

> On 2012/07/08, at 20:40, Doug Barton wrote:
>
> > On 07/08/2012 17:33, Matthew Pounsett wrote:
> >>
> >> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> >>
> >>>
> >>> On 2012/07/08, at 20:26, Mark Andrews wrote:
> >>>
> >>>> One can also build named w/o GOST support if one wants. We statically
> >>>> link all the engines when building named on Windows.
> >>>
> >>> Unfortunately the port doesn't provide the config hooks to disable GOST
> >>> support.
> >>
> >> Actually.. how do you go about doing that anyway? I was just taking a
> >> look at writing a patch for the port to allow GOST to be turned off, but
> >> BIND's configure script doesn't have any information in it about disabling
> >> individual ciphers.
> >
> > I wouldn't accept it anyway. For better or worse, GOST is part of the
> > protocol.
>
> Okay.
>
> So to answer my earlier question, what file were you talking about copying
> into the chroot environment for BIND?

The shared library. When you link dynamically, all the libraries have to be
in $chroot/usr/lib.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: OpenSSL problem: bind98-base FreeBSD port
In message <4ffa2871.2020...@dougbarton.us>, Doug Barton writes:

> On 07/08/2012 17:33, Matthew Pounsett wrote:
> >
> > On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> >
> >>
> >> On 2012/07/08, at 20:26, Mark Andrews wrote:
> >>
> >>>
> >>> One can also build named w/o GOST support if one wants. We statically
> >>> link all the engines when building named on Windows.
> >>
> >> Unfortunately the port doesn't provide the config hooks to disable GOST
> >> support.
> >
> > Actually.. how do you go about doing that anyway? I was just taking a look
> > at writing a patch for the port to allow GOST to be turned off, but BIND's
> > configure script doesn't have any information in it about disabling
> > individual ciphers.
>
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.
>
> Doug

GOST is not a mandatory part of DNSSEC. It is entirely optional whether a
site supports it or not. If a site doesn't support GOST then the zone is
treated as insecure. It doesn't break anything to disable GOST support.
This is no worse than deciding whether to link with OpenSSL or not.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:40, Doug Barton wrote:

> On 07/08/2012 17:33, Matthew Pounsett wrote:
>>
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>
>>>
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>
>>>> One can also build named w/o GOST support if one wants. We statically
>>>> link all the engines when building named on Windows.
>>>
>>> Unfortunately the port doesn't provide the config hooks to disable GOST
>>> support.
>>
>> Actually.. how do you go about doing that anyway? I was just taking a look
>> at writing a patch for the port to allow GOST to be turned off, but BIND's
>> configure script doesn't have any information in it about disabling
>> individual ciphers.
>
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.

Okay.

So to answer my earlier question, what file were you talking about copying
into the chroot environment for BIND?
Re: OpenSSL problem: bind98-base FreeBSD port
In message <6a477852-8c67-421a-850c-7144a37b8...@conundrum.com>, Matthew Pounsett writes:

> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>
> >
> > On 2012/07/08, at 20:26, Mark Andrews wrote:
> >
> >>
> >> One can also build named w/o GOST support if one wants. We statically
> >> link all the engines when building named on Windows.
> >
> > Unfortunately the port doesn't provide the config hooks to disable GOST
> > support.
>
> Actually.. how do you go about doing that anyway? I was just taking a
> look at writing a patch for the port to allow GOST to be turned off, but
> BIND's configure script doesn't have any information in it about
> disabling individual ciphers.

All the other ciphers are built into OpenSSL so they don't need configure
options.

	./configure --with-gost=no

One can disable individual DNSSEC key algorithms at runtime via named.conf.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/2012 17:33, Matthew Pounsett wrote:
>
> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>
>>
>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>
>>>
>>> One can also build named w/o GOST support if one wants. We statically
>>> link all the engines when building named on Windows.
>>
>> Unfortunately the port doesn't provide the config hooks to disable GOST
>> support.
>
> Actually.. how do you go about doing that anyway? I was just taking a look
> at writing a patch for the port to allow GOST to be turned off, but BIND's
> configure script doesn't have any information in it about disabling
> individual ciphers.

I wouldn't accept it anyway. For better or worse, GOST is part of the
protocol.

Doug

-- 
If you're never wrong, you're not trying hard enough
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>
> On 2012/07/08, at 20:26, Mark Andrews wrote:
>
>>
>> One can also build named w/o GOST support if one wants. We statically
>> link all the engines when building named on Windows.
>
> Unfortunately the port doesn't provide the config hooks to disable GOST
> support.

Actually.. how do you go about doing that anyway? I was just taking a look
at writing a patch for the port to allow GOST to be turned off, but BIND's
configure script doesn't have any information in it about disabling
individual ciphers.
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:26, Mark Andrews wrote:
>
> One can also build named w/o GOST support if one wants. We statically
> link all the engines when building named on Windows.

Unfortunately the port doesn't provide the config hooks to disable GOST
support.
Re: OpenSSL problem: bind98-base FreeBSD port
In message , Matthew Pounsett writes:

> On 2012/07/08, at 17:46, Doug Barton wrote:
>
> > On 07/08/2012 13:40, Matthew Pounsett wrote:
> >> Yeah, I have to wonder if there's something that can be done in ports to
> >> prevent this from being an issue.
> >
> > You need to ask the nice openssl people to turn gost into a library
> > instead of an engine. Meanwhile, copying the file into the chroot will
> > patch over the problem.
>
> Statically linking openssl seems to have fixed it.
>
> But, what file are you talking about?

One can also build named w/o GOST support if one wants. We statically
link all the engines when building named on Windows.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 17:46, Doug Barton wrote:

> On 07/08/2012 13:40, Matthew Pounsett wrote:
>> Yeah, I have to wonder if there's something that can be done in ports to
>> prevent this from being an issue.
>
> You need to ask the nice openssl people to turn gost into a library
> instead of an engine. Meanwhile, copying the file into the chroot will
> patch over the problem.

Statically linking openssl seems to have fixed it.

But, what file are you talking about?
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/2012 13:40, Matthew Pounsett wrote:
> Yeah, I have to wonder if there's something that can be done in ports to
> prevent this from being an issue.

You need to ask the nice openssl people to turn gost into a library
instead of an engine. Meanwhile, copying the file into the chroot will
patch over the problem.

-- 
If you're never wrong, you're not trying hard enough
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 15:04, Michael Sinatra wrote:

> What makes me doubt what I just said is that this has been an issue for more
> than a year now, so I am not sure why you have escaped it for so long. I
> assume you had openssl 1.0.x installed before you upgraded it--or was it an
> earlier version?

I keep things pretty up to date, and this machine isn't that old anyway.
It's possible that due to order of operations when I was building things
that bind was previously linked against the system openssl libraries, rather
than the ports version.

> At any rate, if you run make config in /usr/ports/security/openssl, it gives
> you the option of compiling the libraries statically. I have successfully
> done this in the past and it has worked. However, anything else that is
> currently depending on the openssl shared library from ports (as opposed to
> the bundled system) will need to be recompiled before it will work, as will
> bind 9.8.

I'll give that a shot.. thanks, it sounds promising.

> Doug Barton may have some better ideas as to how best to make it all work.

Yeah, I have to wonder if there's something that can be done in ports to
prevent this from being an issue.
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/12 09:54, Matthew Pounsett wrote:

> 08-Jul-2012 16:45:00.352 initializing DST: openssl failure
> 08-Jul-2012 16:45:00.352 exiting (due to fatal error)

In particular the logs above suggest that named is unable to find the
necessary openssl libraries. In the case where openssl 1.x.x is compiled
with shared libraries enabled, named can't see the openssl engines
(necessary for GOST crypto support) in its chrooted environment.

What makes me doubt what I just said is that this has been an issue for more
than a year now, so I am not sure why you have escaped it for so long. I
assume you had openssl 1.0.x installed before you upgraded it--or was it an
earlier version?

At any rate, if you run make config in /usr/ports/security/openssl, it gives
you the option of compiling the libraries statically. I have successfully
done this in the past and it has worked. However, anything else that is
currently depending on the openssl shared library from ports (as opposed to
the bundled system) will need to be recompiled before it will work, as will
bind 9.8.

Doug Barton may have some better ideas as to how best to make it all work.

michael
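A way to verify the condition Michael describes here and that Barry Margolin's reply at the top of the thread states (every shared library named links against, and OpenSSL's engines directory holding the GOST engine, must exist under the directory given to named -t). This is an added example, not code from the thread or from ISC; the chroot and named paths are placeholders, and `openssl version -e` is assumed to be available (OpenSSL 1.1.0 and later; on 1.0.x pass the engines directory as the third argument).

```shell
#!/bin/sh
# Added example, not from the thread: report which shared libraries a
# dynamically linked named needs that are absent under its chroot, and
# whether OpenSSL's engines directory (home of the GOST engine) exists there.

# Print each library path from the argument list that is not present under
# the chroot. Args: chroot directory, then absolute library paths.
missing_in_chroot() {
    chroot_dir=$1
    shift
    for lib in "$@"; do
        [ -e "${chroot_dir}${lib}" ] || printf '%s\n' "$lib"
    done
}

# Pull absolute paths out of ldd output on stdin, e.g.
#     libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Extract the directory from an `openssl version -e` line on stdin:
#     ENGINESDIR: "/usr/local/lib/engines"
engines_dir_from_version() {
    sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# Run the checks. Args: chroot directory, named binary, optional engines
# directory (assumption: `openssl version -e` exists only on OpenSSL >= 1.1.0,
# so on 1.0.x pass the directory yourself). Returns 1 if anything is missing.
check_chroot() {
    chroot_dir=$1
    named_bin=$2
    engines=${3:-$(openssl version -e 2>/dev/null | engines_dir_from_version)}
    status=0
    libs=$(ldd "$named_bin" | libs_from_ldd)
    # shellcheck disable=SC2086  # word-splitting $libs into arguments is intended
    missing=$(missing_in_chroot "$chroot_dir" $libs)
    if [ -n "$missing" ]; then
        echo "shared libraries missing under $chroot_dir:"
        echo "$missing"
        status=1
    fi
    if [ -n "$engines" ] && [ ! -d "${chroot_dir}${engines}" ]; then
        echo "OpenSSL engines directory $engines is missing under $chroot_dir;"
        echo "named cannot load the GOST engine from inside the chroot"
        status=1
    fi
    return $status
}

# Stand-alone use (paths are placeholders):
#     sh chroot-libs.sh --run /var/named/authoritative /usr/local/sbin/named
if [ "${1:-}" = "--run" ]; then
    check_chroot "$2" "$3" "${4:-}"
fi
```

A non-zero exit means named, started with -t on that directory, will fail the same way the log shows until the listed files are copied in or named is linked statically.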
OpenSSL problem: bind98-base FreeBSD port
I upgraded my OpenSSL and BIND ports on one of my machines yesterday
afternoon, and ended up with BIND being unable to start due to some problem
with OpenSSL. Unfortunately, it's not giving me any real information to go
on about what the problem is.

> openssl version
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
OpenSSL 1.0.1c 10 May 2012

> sudo named -g -t /var/named/authoritative/ -u bind -d 100
08-Jul-2012 16:45:00.347 starting BIND 9.8.3-P1 -g -t /var/named/authoritative/ -u bind -d 100
08-Jul-2012 16:45:00.347 built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr/local' '--with-libxml2=/usr/local' '--with-idn=/usr/local' '--with-libiconv=/usr/local' '--enable-largefile' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd8.2' 'build_alias=x86_64-portbld-freebsd8.2' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'
08-Jul-2012 16:45:00.347 
08-Jul-2012 16:45:00.347 BIND 9 is maintained by Internet Systems Consortium,
08-Jul-2012 16:45:00.347 Inc. (ISC), a non-profit 501(c)(3) public-benefit
08-Jul-2012 16:45:00.347 corporation. Support and training for BIND 9 are
08-Jul-2012 16:45:00.347 available at https://www.isc.org/support
08-Jul-2012 16:45:00.347 
08-Jul-2012 16:45:00.347 found 4 CPUs, using 4 worker threads
08-Jul-2012 16:45:00.349 using up to 4096 sockets
08-Jul-2012 16:45:00.349 Registering DLZ_dlopen driver
08-Jul-2012 16:45:00.349 Registering SDLZ driver 'dlopen'
08-Jul-2012 16:45:00.349 Registering DLZ driver 'dlopen'
08-Jul-2012 16:45:00.351 decrement_reference: delete from rbt: 0x802467058 .
08-Jul-2012 16:45:00.352 initializing DST: openssl failure
08-Jul-2012 16:45:00.352 exiting (due to fatal error)

I found multiple versions of libgcrypt installed, which was generating some
compile warnings, but cleaning that up didn't help. There is only one
version of openssl installed, so no conflicts there..

> ls -d /var/db/pkg/*ssl*
/var/db/pkg/openssl-1.0.1_3

I can recompile without SSL to get my name servers running again, but that's
not really sustainable. Does anyone have any suggestions for how to get more
information out of BIND about what exactly is failing?
Re: Resolve only authoritative domain for internet/public addresses
On 07/07/2012 23:15, Mr BeEye wrote:
> Hello all.
>
> Let's have a finite list of IPv4 (private and public) addresses, e.g.
> {A, B, C, ... N}.
>
> It is possible to configure BIND in the way:
> 1) BIND resolves EVERYTHING for {A, B, C, ... N}.

It sounds like you're wanting to set up a resolver for your network. That's
fine, you can do that, just use the appropriate allow-query ACLs. You can
find the details in the BIND ARM.

> 2) BIND resolves ONLY its authoritative domain for internet excluding
> {A, B, C, ..., N}.

That sounds like you want to set up an authoritative name server for your
zones that will be listed in the NS records. That's also fine, but it should
be completely separate from your resolver to avoid problems with cache
pollution.

hth,

Doug

-- 
If you're never wrong, you're not trying hard enough
Re: Resolve only authoritative domain for internet/public addresses
On 07/08/2012 09:32 AM, Jukka Pakkanen wrote:
> Why not just:
>
> acl "X" { A; B; C; ...; };
>
> options {
>     ...
>     allow-query { "any"; };
>     allow-recursion { "X"; };
>     ...
> };

Doh, of course. This is a better idea, thanks.
Re: Resolve only authoritative domain for internet/public addresses
Why not just:

acl "X" { A; B; C; ...; };

options {
    ...
    allow-query { "any"; };
    allow-recursion { "X"; };
    ...
};

Jukka

8.7.2012 11:24, Phil Mayers wrote:
> On 07/08/2012 07:15 AM, Mr BeEye wrote:
>> Hello all.
>>
>> Let's have a finite list of IPv4 (private and public) addresses, e.g.
>> {A, B, C, ... N}.
>>
>> It is possible to configure BIND in the way:
>> 1) BIND resolves EVERYTHING for {A, B, C, ... N}.
>> 2) BIND resolves ONLY its authoritative domain for internet excluding
>> {A, B, C, ..., N}.
>
> Yes. Use a view:
>
> view internal {
>     match-clients { a; b; c; ... n; };
>     recursion yes;
>     zone ... { };
> };
>
> view external {
>     zone ... { };
> };
>
> However, views are tedious in many ways. You need a copy of your
> authoritative zones in each view, and have to arrange the AXFR/NOTIFY to go
> to the right place.
>
> It's much easier IMO to run two different copies of bind on two different
> IPs (or machines).
Re: Resolve only authoritative domain for internet/public addresses
On 07/08/2012 07:15 AM, Mr BeEye wrote:
> Hello all.
>
> Let's have a finite list of IPv4 (private and public) addresses, e.g.
> {A, B, C, ... N}.
>
> It is possible to configure BIND in the way:
> 1) BIND resolves EVERYTHING for {A, B, C, ... N}.
> 2) BIND resolves ONLY its authoritative domain for internet excluding
> {A, B, C, ..., N}.

Yes. Use a view:

view internal {
    match-clients { a; b; c; ... n; };
    recursion yes;
    zone ... { };
};

view external {
    zone ... { };
};

However, views are tedious in many ways. You need a copy of your
authoritative zones in each view, and have to arrange the AXFR/NOTIFY to go
to the right place.

It's much easier IMO to run two different copies of bind on two different
IPs (or machines).