Package: bind9
Version: 1:9.7.2.dfsg.P3-1.1
Severity: normal

I'm not sure whether this is a bug or my own configuration error.
In interactive shells, I set $OPENSSL_CONF to point to the configuration
file for my local CA. BIND should not use this, and indeed does not have
permission to access it. However some part of OpenSSL initialisation
(used for DNSSEC now?) honours it and fails due to the permission error.
This is not logged anywhere; I had to use strace to work out where it
failed.
System log messages:
Feb 10 11:58:30 shadbolt named[24623]: starting BIND 9.7.2-P3 -u bind
Feb 10 11:58:30 shadbolt named[24623]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
'--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
Feb 10 11:58:30 shadbolt named[24623]: adjusted limit on open files from 1024
to 1048576
Feb 10 11:58:30 shadbolt named[24623]: found 1 CPU, using 1 worker thread
Feb 10 11:58:30 shadbolt named[24623]: using up to 4096 sockets
strace output:
[...]
24623 open("/home/ben/decadent-ca/openssl.cnf", O_RDONLY|O_LARGEFILE) = -1
EACCES (Permission denied)
24623 brk(0xb82e1000) = 0xb82e1000
24623 write(2, "Auto configuration failed\n", 26) = 26
24623 write(2, "3067479776:error:0200100D:system"..., 128) = 128
24623 write(2, "3067479776:error:2006D002:BIO ro"..., 79) = 79
24623 write(2, "3067479776:error:0E078002:config"..., 90) = 90
24623 exit_group(1) = ?
Ben.
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (990, 'stable'), (500, 'squeeze-updates'), (100, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages bind9 depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii bind9utils 1:9.7.2.dfsg.P3-1.1 Utilities for BIND
ii debconf [debconf-2.0 1.5.36.1 Debian configuration management sy
ii libbind9-60 1:9.7.2.dfsg.P3-1.1 BIND9 Shared Library used by BIND
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcap2 1:2.19-3 support for getting/setting POSIX.
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libdns69 1:9.7.2.dfsg.P3-1.1 DNS Shared Library used by BIND
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libisc62 1:9.7.2.dfsg.P3-1.1 ISC Shared Library used by BIND
ii libisccc60 1:9.7.2.dfsg.P3-1.1 Command Channel Library used by BI
ii libisccfg62 1:9.7.2.dfsg.P3-1.1 Config File Handling Library used
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
ii liblwres60 1:9.7.2.dfsg.P3-1.1 Lightweight Resolver Library used
ii libssl0.9.8 0.9.8o-4 SSL shared libraries
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii net-tools 1.60-23 The NET-3 networking toolkit
ii netbase 4.45 Basic TCP/IP networking system
bind9 recommends no packages.
Versions of packages bind9 suggests:
ii bind9-doc 1:9.7.2.dfsg.P3-1.1 Documentation for BIND
ii dnsutils 1:9.7.2.dfsg.P3-1.1 Clients provided with BIND
pn resolvconf <none> (no description available)
pn ufw <none> (no description available)
-- Configuration Files:
/etc/bind/named.conf changed [not included]
-- debconf information excluded
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
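
One way to automate the strace diagnosis described in the report above, as an added example that is not part of the original message or of BIND or OpenSSL: it lists permission-denied opens that are followed shortly by a non-zero exit, then names any environment variable pointing at that file. The trace is constructed from the report's strace lines (unwrapped) plus one constructed ENOENT line; the function names, the window size and the environment dictionary are assumptions.

```python
import re

# Constructed sample: strace lines from the report, unwrapped, plus one
# constructed ENOENT probe that must not be reported.
SAMPLE = """\
24623 open("/etc/ssl/missing.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
24623 open("/home/ben/decadent-ca/openssl.cnf", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
24623 brk(0xb82e1000) = 0xb82e1000
24623 write(2, "Auto configuration failed\\n", 26) = 26
24623 exit_group(1) = ?
"""

# Constructed environment of the shell that started the daemon.
SAMPLE_ENV = {
    "OPENSSL_CONF": "/home/ben/decadent-ca/openssl.cnf",
    "HOME": "/home/ben",
    "PATH": "/usr/sbin:/usr/bin",
}

OPEN_RE = re.compile(
    r'^(\d+)\s+(?:open|openat)\((?:[^"]*?,\s*)?"([^"]+)".*=\s*-1\s+(E[A-Z]+)')
EXIT_RE = re.compile(r'^(\d+)\s+exit_group\((\d+)\)')

def denied_opens_before_exit(trace, window=8):
    """Return (pid, path, errno) for EACCES/EPERM opens followed, within
    `window` traced calls of the same pid, by a non-zero exit_group."""
    seen = {}      # pid -> number of traced calls so far
    denied = {}    # pid -> [(call index, path, errno)]
    findings = []
    for line in trace.splitlines():
        pid = line.split(None, 1)[0] if line.strip() else ""
        if not pid.isdigit():
            continue
        seen[pid] = seen.get(pid, 0) + 1
        m = OPEN_RE.match(line)
        if m and m.group(3) in ("EACCES", "EPERM"):
            denied.setdefault(pid, []).append((seen[pid], m.group(2), m.group(3)))
        m = EXIT_RE.match(line)
        if m and m.group(2) != "0":
            findings += [(pid, path, err) for idx, path, err in denied.get(pid, [])
                         if seen[pid] - idx <= window]
    return findings

def env_vars_pointing_at(findings, env):
    """Names of environment variables whose value is one of the denied paths."""
    paths = {path for _, path, _ in findings}
    return sorted(name for name, value in env.items() if value in paths)
```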

