Re: [gentoo-user] Re: problem with named restarting
On Sat, 16 Nov 2019 16:12:53 -0500, Ian Zimmerman wrote:
>
> On 2019-09-19 14:23, John Covici wrote:
>
> > Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917:
> > INSIST(dns_name_issubdomain(>name, >domain)) failed, back trace
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion
> > failure)
>
> It looks like a bug. Can you build with -g and without stripping?

Sorry it took so long to get back to you. So, I made sure glibc had
-gdb and recompiled and recompiled named, but still no symbols. It
was an assertion that failed, maybe this is the reason. I can send
you the core dump if you would be interested.

Thanks.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] Re: problem with named restarting
On Sat, 16 Nov 2019 16:12:53 -0500, Ian Zimmerman wrote:
>
> On 2019-09-19 14:23, John Covici wrote:
>
> > Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917:
> > INSIST(dns_name_issubdomain(>name, >domain)) failed, back trace
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion
> > failure)
>
> It looks like a bug. Can you build with -g and without stripping?

Hmmm, I have split-debug on and I thought I had -g in my flags, but I
will check. Does it go in CFLAGS etc.?

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] Re: problem with named restarting
On Thu, 19 Sep 2019 12:43:39 -0400, Ian Zimmerman wrote:
>
> On 2019-09-18 12:00, John Covici wrote:
>
> > Thanks, I will try that, do you know why named is restarting, this is
> > a much worse problem?
>
> As of now I don't know. I may be able to guess if you post the backtrace.

OK, here is what I have.

Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917: INSIST(dns_name_issubdomain(>name, >domain)) failed, back trace
Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion failure)

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

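Added example (not part of the thread, and not code from BIND or Gentoo): a small Python triage of named journal lines like those posted above. It pairs each assertion failure with its backtrace frames, flags whether the frames carry symbols, and counts DNSSEC validation failures per name. The sample lines are constructed from the format quoted in the thread; the function name triage and the record fields are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, in the format of the journal lines quoted in this thread.
SAMPLE = """\
Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no valid signature found
Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no valid signature found
Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917: INSIST(dns_name_issubdomain(>name, >domain)) failed, back trace
Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion failure)
"""

# syslog prefix: timestamp, host, "named[pid]:", then the message
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "file.c:line: INSIST(expr) failed"; the other three are BIND's sibling assertion macros
ASSERT = re.compile(r"^(?P<src>[\w./-]+\.c:\d+): "
                    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<expr>.*)\) failed")
FRAME = re.compile(r"^#\d+ (?P<addr>0x[0-9a-f]+) in (?P<sym>.+)$")
DNSSEC = re.compile(r"^validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): no valid signature found")


def triage(text):
    """Return (crashes keyed by pid, Counter of 'name/TYPE' validation failures)."""
    crashes = {}
    unsigned = Counter()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a named line
        pid, msg = int(m["pid"]), m["msg"]
        if a := ASSERT.match(msg):
            crashes[pid] = {"when": m["ts"], "where": a["src"], "kind": a["kind"],
                            "expr": a["expr"], "frames": [], "symbolized": False}
        elif (fr := FRAME.match(msg)) and pid in crashes:
            crashes[pid]["frames"].append(fr["addr"])
            # "??" means the frame could not be resolved to a symbol
            crashes[pid]["symbolized"] |= fr["sym"] != "??"
        elif d := DNSSEC.match(msg):
            unsigned[d["name"] + "/" + d["rtype"]] += 1
    return crashes, unsigned


if __name__ == "__main__":
    crashes, unsigned = triage(SAMPLE)
    for pid, c in crashes.items():
        print(pid, c["where"], c["kind"], len(c["frames"]), "frames",
              "symbolized" if c["symbolized"] else "no symbols")
    print(dict(unsigned))
```
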
Re: [gentoo-user] Re: problem with named restarting
On Wed, 18 Sep 2019 11:47:37 -0400, Ian Zimmerman wrote:
>
> On 2019-09-17 20:40, John Covici wrote:
>
> > On Tue, 17 Sep 2019 18:33:51 -0400,
> > Ian Zimmerman wrote:
> > >
> > > On 2019-09-17 13:01, John Covici wrote:
> > >
> > > > > > Also, when I restart named (which I have now done automatically by
> > > > > > systemd) it gives me a lot of errors like the following:
> > > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS:
> > > > > > no
> > > > > > valid signature found
> > > > > > or this:
> > > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > > > valid signature found
> > > > >
> > > > > This looks like a DNSSEC problem. I don't run bind on my gentoo
> > > > > system,
> > > > > but I did this:
> > > >
> > > > [snipped]
> > >
> > > > > Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> > > > > libcrypto) part of the output?
> > >
> > > > libcrypto is there along with libgnutls, but no libssl.
> > >
> > > Ok, so it probably is built with DNSSEC support.
> > >
> > > How do you populate your cache? Do you recurse to the root servers, or
> > > do you have a "forwarder" (for example, your ISP server) to which you
> > > pass all queries that miss the cache?
> >
> > I have more than one, but they are forwarders.
>
> Then it's likely a problem with one of them. For DNSSEC to work, all
> the servers that handle the query must support it.
>
> One way to get rid of the warning is to just disable DNSSEC at runtime.
> In /etc/bind/named.conf (or a file included by it):
>
> options { dnssec-enable no; };
>
> Reference:
> https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar
>

Thanks, I will try that, do you know why named is restarting, this is
a much worse problem?

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] Re: problem with named restarting
> > which left me puzzled: the libressl flag docstring talks about a ssl
> > flag which doesn't exist for this package.
> >
> > Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> > libcrypto) part of the output?
> libcrypto is there along with libgnutls, but no libssl.
>

FWIW, on 9.14.5 with

USE="berkdb caps dlz xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip
-geoip2 -gssapi -json -ldap -libressl -lmdb -mysql -odbc -postgres
-python (-selinux) -static-libs -urandom" ABI_X86="(64)"
PYTHON_TARGETS="python2_7 python3_6 -python3_5 -python3_7"

ldd shows there's no libgnutls, just libcrypto (from openssl).

Re: [gentoo-user] Re: problem with named restarting
On Tue, 17 Sep 2019 18:33:51 -0400, Ian Zimmerman wrote:
>
> On 2019-09-17 13:01, John Covici wrote:
>
> > > > Also, when I restart named (which I have now done automatically by
> > > > systemd) it gives me a lot of errors like the following:
> > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > > > valid signature found
> > > > or this:
> > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > valid signature found
> > >
> > > This looks like a DNSSEC problem. I don't run bind on my gentoo system,
> > > but I did this:
> >
> > [snipped]
>
> > > Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> > > libcrypto) part of the output?
>
> > libcrypto is there along with libgnutls, but no libssl.
>
> Ok, so it probably is built with DNSSEC support.
>
> How do you populate your cache? Do you recurse to the root servers, or
> do you have a "forwarder" (for example, your ISP server) to which you
> pass all queries that miss the cache?

I have more than one, but they are forwarders.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] Re: problem with named restarting
On Tue, 17 Sep 2019 12:14:14 -0400, Ian Zimmerman wrote:
>
> On 2019-09-17 03:30, John Covici wrote:
>
> > Hi. I am having a very annoying problem with named. I am using
> > net-dns/bind-9.14.4 which I actually updated from a previous version
> > which also had the problem. It seems that an assertion has failed:
> > Sep 17 03:10:53 ccs.covici.com named[1857864]: resolver.c:4917:
> > INSIST(dns_name_issubdomain(>name, >domain)) failed, back
> > trace
> >
> > There is a back trace which I can supply if that would help. There is
> > also a coredump.
> >
> > Also, when I restart named (which I have now done automatically by
> > systemd) it gives me a lot of errors like the following:
> > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > valid signature found
> > or this:
> > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > valid signature found
>
> This looks like a DNSSEC problem. I don't run bind on my gentoo system,
> but I did this:
>
> $ equery -C u net-dns/bind
> [ Legend : U - final flag setting for installation]
> [        : I - package is installed with flag     ]
> [ Colors : set, unset                             ]
>  * Found these USE flags for net-dns/bind-9.14.4:
>  U I
>  + + berkdb                   : Add support for sys-libs/db (Berkeley DB for MySQL)
>  + - caps                     : Use Linux capabilities library to control privilege
>  - - dlz                      : Enables dynamic loaded zones, 3rd party extension
>  - - dnsrps                   : Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider
>  - - dnstap                   : Enables dnstap packet logging
>  - - doc                      : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
>  - - fixed-rrset              : Enables fixed rrset-order option
>  - - geoip                    : Add geoip support for country and city lookup based on IPs
>  - - gost                     : Enables gost OpenSSL engine support
>  - - gssapi                   : Enable gssapi support
>  + + json                     : Enable JSON statistics channel
>  - - ldap                     : Add LDAP support (Lightweight Directory Access Protocol)
>  - - libressl                 : Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
>  - - lmdb                     : Enable LMDB support to store configuration for 'addzone' zones
>  - - mysql                    : Add mySQL Database support
>  - - odbc                     : Add ODBC Support (Open DataBase Connectivity)
>  - - postgres                 : Add support for the postgresql database
>  - - python                   : Add optional support/bindings for the Python language
>  + + python_targets_python2_7 : Build with Python 2.7
>  - - python_targets_python3_5 : Build with Python 3.5
>  + + python_targets_python3_6 : Build with Python 3.6
>  - - static-libs              : Build static versions of dynamic libraries as well
>  - - urandom                  : Use /dev/urandom instead of /dev/random
>  + + xml                      : Add support for XML files
>  + + zlib                     : Add support for zlib (de)compression
>
> which left me puzzled: the libressl flag docstring talks about a ssl
> flag which doesn't exist for this package.
>
> Try running "ldd /usr/sbin/named". Is openssl (ie. libssl and
> libcrypto) part of the output?

libcrypto is there along with libgnutls, but no libssl.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com