Re: [gentoo-user] Re: problem with named restarting

2019-11-19 Thread John Covici


On Sat, 16 Nov 2019 16:12:53 -0500,
Ian Zimmerman wrote:
> 
> On 2019-09-19 14:23, John Covici wrote:
> 
> > Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917: 
> > INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion failure)
> > 
> 
> It looks like a bug.  Can you build with -g and without stripping?
> 
> Sorry it took so long to get back to you.

So, I made sure glibc had -gdb and recompiled and recompiled named,
but still no symbols.  It was an assertion that failed, maybe this is
the reason.  I can send you the core dump if you would be interested.

Thanks.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [gentoo-user] Re: problem with named restarting

2019-11-17 Thread John Covici
On Sat, 16 Nov 2019 16:12:53 -0500,
Ian Zimmerman wrote:
> 
> On 2019-09-19 14:23, John Covici wrote:
> 
> > Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917: 
> > INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
> > Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion failure)
> > 
> 
> It looks like a bug.  Can you build with -g and without stripping?

Hmmm,  I have split-debug on and I thought I had -g in my flags, but I
will check.  Does it go in CFLAGS, etc.?


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [gentoo-user] Re: problem with named restarting

2019-09-19 Thread John Covici
On Thu, 19 Sep 2019 12:43:39 -0400,
Ian Zimmerman wrote:
> 
> On 2019-09-18 12:00, John Covici wrote:
> 
> > Thanks, I will try that, do you know why named is restarting, this is
> > a much worse problem?
> 
> As of now I don't know.  I may be able to guess if you post the backtrace.

OK, here is what I have.
Sep 18 22:25:45 ccs.covici.com named[4207]: resolver.c:4917: 
INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
Sep 18 22:25:45 ccs.covici.com named[4207]: #0 0x5645afbc0610 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #1 0x7f64def5037a in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #2 0x7f64df10168b in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #3 0x7f64df1030cc in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #4 0x7f64df108025 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #5 0x7f64df109a44 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #6 0x7f64def6e329 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #7 0x7f64de8aa448 in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: #8 0x7f64de5ff62f in ??
Sep 18 22:25:45 ccs.covici.com named[4207]: exiting (due to assertion failure)

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [gentoo-user] Re: problem with named restarting

2019-09-18 Thread John Covici
On Wed, 18 Sep 2019 11:47:37 -0400,
Ian Zimmerman wrote:
> 
> On 2019-09-17 20:40, John Covici wrote:
> 
> > On Tue, 17 Sep 2019 18:33:51 -0400,
> > Ian Zimmerman wrote:
> > > 
> > > On 2019-09-17 13:01, John Covici wrote:
> > > 
> > > > > > Also, when I restart named (which I have now done automatically by
> > > > > > systemd) it gives me a lot of errors like the following:
> > > > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > > > > > valid signature found
> > > > > > or this:
> > > > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > > > valid signature found
> > > > > 
> > > > > This looks like a DNSSEC problem.  I don't run bind on my gentoo system,
> > > > > but I did this:
> > > 
> > > > > [snipped]
> > > 
> > > > > Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> > > > > libcrypto) part of the output?
> > > 
> > > > libcrypto is there along with libgnutls, but no libssl.
> > > 
> > > Ok, so it probably is built with DNSSEC support.
> > > 
> > > How do you populate your cache?  Do you recurse to the root servers, or
> > > do you have a "forwarder" (for example, your ISP server) to which you
> > > pass all queries that miss the cache?
> > 
> > I have more than one, but they are forwarders. 
> 
> Then it's likely a problem with one of them.  For DNSSEC to work, all
> the servers that handle the query must support it.
> 
> One way to get rid of the warning is to just disable DNSSEC at runtime.
> In /etc/bind/named.conf (or a file included by it):
> 
> options { dnssec-enable no; };
> 
> Reference:
> https://downloads.isc.org/isc/bind9/9.14.0/doc/arm/Bv9ARM.ch05.html#options_grammar
> 

Thanks, I will try that, do you know why named is restarting, this is a much
worse problem?

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com
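
Added example, not part of the thread: the reply above ties the "no valid signature found" messages to a forwarder that does not handle DNSSEC, and this script shows which forwarder returns the com/DS answer without its RRSIG. The function names, the sample replies and the 192.0.2.x addresses are constructed for illustration; `dig` (bind-tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example. Classifies `dig +dnssec` output read on stdin:
#   dnssec-ok  answer section includes an RRSIG
#   no-rrsig   answer came back but the signatures are missing
#   no-answer  status is not NOERROR, or the answer section is empty
classify_dig_reply() {
    awk '
        /status:/ && !/status: NOERROR/ { bad = 1 }
        /^;; ANSWER SECTION:/           { in_answer = 1; next }
        /^$/ || /^;;/                   { in_answer = 0 }
        in_answer && $4 == "RRSIG"      { sig = 1 }
        in_answer && $4 != "RRSIG"      { ans = 1 }
        END {
            if (bad || !ans) print "no-answer"
            else if (sig)    print "dnssec-ok"
            else             print "no-rrsig"
        }'
}

# Ask one forwarder for the com/DS set named in the log lines above.
check_forwarder() {
    dig @"$1" com. DS +dnssec +time=3 +tries=1 | classify_dig_reply
}

# Constructed replies (not captured from a real server).
sample_signed() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
com. 86400 IN DS 11111 13 2 00000000
com. 86400 IN RRSIG DS 8 1 86400 20300101000000 20291201000000 22222 . AAAA
EOF
}
sample_stripped() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
com. 86400 IN DS 11111 13 2 00000000
EOF
}

# Usage: sh check.sh 192.0.2.1 192.0.2.2   (prints one line per forwarder)
for fwd in "$@"; do
    printf '%s: %s\n' "$fwd" "$(check_forwarder "$fwd")"
done
```

A forwarder that reports `no-rrsig` is dropping the signatures the validator needs; `no-answer` covers a SERVFAIL or an empty reply.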



Re: [gentoo-user] Re: problem with named restarting

2019-09-18 Thread Adam Carter
>
> > which left me puzzled: the libressl flag docstring talks about a ssl
> > flag which doesn't exist for this package.
> >
> > Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> > libcrypto) part of the output?
> libcrypto is there along with libgnutls, but no libssl.
>
>
FWIW, on 9.14.5 with
USE="berkdb caps dlz xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip
-geoip2 -gssapi -json -ldap -libressl -lmdb -mysql -odbc -postgres -python
(-selinux) -static-libs -urandom" ABI_X86="(64)" PYTHON_TARGETS="python2_7
python3_6 -python3_5 -python3_7"

ldd shows there's no libgnutls, just libcrypto (from openssl).


Re: [gentoo-user] Re: problem with named restarting

2019-09-17 Thread John Covici
On Tue, 17 Sep 2019 18:33:51 -0400,
Ian Zimmerman wrote:
> 
> On 2019-09-17 13:01, John Covici wrote:
> 
> > > > Also, when I restart named (which I have now done automatically by
> > > > systemd) it gives me a lot of errors like the following:
> > > > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > > > valid signature found
> > > > or this:
> > > > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > > > valid signature found
> > > 
> > > This looks like a DNSSEC problem.  I don't run bind on my gentoo system,
> > > but I did this:
> 
> > > [snipped]
> 
> > > Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> > > libcrypto) part of the output?
> 
> > libcrypto is there along with libgnutls, but no libssl.
> 
> Ok, so it probably is built with DNSSEC support.
> 
> How do you populate your cache?  Do you recurse to the root servers, or
> do you have a "forwarder" (for example, your ISP server) to which you
> pass all queries that miss the cache?

I have more than one, but they are forwarders. 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [gentoo-user] Re: problem with named restarting

2019-09-17 Thread John Covici
On Tue, 17 Sep 2019 12:14:14 -0400,
Ian Zimmerman wrote:
> 
> On 2019-09-17 03:30, John Covici wrote:
> 
> > Hi.  I am having a very annoying problem with named.  I am using
> > net-dns/bind-9.14.4 which I actually updated from a previous version
> > which also had the problem. It seems that an assertion has failed:
> > Sep 17 03:10:53 ccs.covici.com named[1857864]: resolver.c:4917:
> > INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back
> > trace
> > 
> > There is a back trace which I can supply if that would help.  There is
> > also a coredump.
> > 
> > Also, when I restart named (which I have now done automatically by
> > systemd) it gives me a lot of errors like the following:
> > Sep 17 03:11:59 ccs.covici.com named[3299910]: validating arpa/DS: no
> > valid signature found
> > or this:
> > Sep 17 03:12:00 ccs.covici.com named[3299910]: validating com/DS: no
> > valid signature found
> 
> This looks like a DNSSEC problem.  I don't run bind on my gentoo system,
> but I did this:
> 
> $ equery -C u net-dns/bind
> [ Legend : U - final flag setting for installation]
> [        : I - package is installed with flag     ]
> [ Colors : set, unset                             ]
>  * Found these USE flags for net-dns/bind-9.14.4:
>  U I
>  + + berkdb                   : Add support for sys-libs/db (Berkeley DB for MySQL)
>  + - caps                     : Use Linux capabilities library to control privilege
>  - - dlz                      : Enables dynamic loaded zones, 3rd party extension
>  - - dnsrps                   : Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider
>  - - dnstap                   : Enables dnstap packet logging
>  - - doc                      : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
>  - - fixed-rrset              : Enables fixed rrset-order option
>  - - geoip                    : Add geoip support for country and city lookup based on IPs
>  - - gost                     : Enables gost OpenSSL engine support
>  - - gssapi                   : Enable gssapi support
>  + + json                     : Enable JSON statistics channel
>  - - ldap                     : Add LDAP support (Lightweight Directory Access Protocol)
>  - - libressl                 : Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
>  - - lmdb                     : Enable LMDB support to store configuration for 'addzone' zones
>  - - mysql                    : Add mySQL Database support
>  - - odbc                     : Add ODBC Support (Open DataBase Connectivity)
>  - - postgres                 : Add support for the postgresql database
>  - - python                   : Add optional support/bindings for the Python language
>  + + python_targets_python2_7 : Build with Python 2.7
>  - - python_targets_python3_5 : Build with Python 3.5
>  + + python_targets_python3_6 : Build with Python 3.6
>  - - static-libs              : Build static versions of dynamic libraries as well
>  - - urandom                  : Use /dev/urandom instead of /dev/random
>  + + xml                      : Add support for XML files
>  + + zlib                     : Add support for zlib (de)compression
> 
> which left me puzzled: the libressl flag docstring talks about a ssl
> flag which doesn't exist for this package.
> 
> Try running "ldd /usr/sbin/named".  Is openssl (ie. libssl and
> libcrypto) part of the output?
libcrypto is there along with libgnutls, but no libssl.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com