FS#57535 - [bind] 'openssl_link.c:296: fatal error' - bind9 not starting

Attached to Project: Arch Linux
Opened by Andrzej (sunblade) - Friday, 16 February 2018, 17:49 GMT
Last edited by Sébastien Luttringer (seblu) - Wednesday, 16 May 2018, 23:27 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Today, after upgrading the system, I decided to reboot the machine due to a new kernel version. After boot, bind9 was not running.
I restarted the named service using systemd, and named started without any error.
After that I rebooted the machine again, and named failed to start, and started working after a service restart.

Additional info:
- kernel: 4.15.3-1-ARCH #1 SMP PREEMPT Mon Feb 12 23:01:17 UTC 2018 x86_64 GNU/Linux
- openssl: 1.1.0.g-1
- bind9: 9.12.0-1

Logs:

Feb 16 18:41:41 dns named[1557]: starting BIND 9.12.0 <id:71a4086>
Feb 16 18:41:41 dns named[1557]: running on Linux x86_64 4.15.3-1-ARCH #1 SMP PREEMPT Mon Feb ...
Feb 16 18:41:41 dns named[1557]: openssl_link.c:296: fatal error:
Feb 16 18:41:41 dns named[1557]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Feb 16 18:41:41 dns named[1557]: exiting (due to fatal error in library)
Feb 16 18:41:41 dns systemd[1]: Started Process Core Dump (PID 1562/UID 0).

Closed by  Sébastien Luttringer (seblu)
Wednesday, 16 May 2018, 23:27 GMT
Reason for closing:  No response
Comment by loqs (loqs) - Friday, 16 February 2018, 20:48 GMT
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a Does using the runtime or buildtime option from the commit message prevent the issue?
Comment by Sébastien Luttringer (seblu) - Saturday, 17 February 2018, 21:33 GMT
No issue on my servers.

# pacman -Q openssl bind ; uname -a
openssl 1.1.0.g-1
bind 9.12.0-1
Linux horus.seblu.net 4.15.0-seblu #1 SMP PREEMPT Mon Jan 29 22:49:55 CET 2018 x86_64 GNU/Linux
Comment by loqs (loqs) - Saturday, 17 February 2018, 21:48 GMT
@seblu could be due to available entropy at or shortly after boot preventing the PRNG from being properly seeded.
Might also be worth checking with upstream that the PRNG failure causing a fatal error is expected.
Comment by Sébastien Luttringer (seblu) - Saturday, 17 February 2018, 22:25 GMT
Reading the commit you pointed to earlier, the change was made to prevent lack of entropy, so it looks unfortunate that it makes things worse.
«By default, BIND now uses the random number functions provided by the crypto library ... This is suitable for virtual machine environments which have limited entropy pools and lack hardware random number generators.»

This should be reported upstream.
Comment by Andrzej (sunblade) - Thursday, 01 March 2018, 12:57 GMT
The system is running on VMware ESX 6.5.
On the previous version of bind there was no issue. Seblu, are you able to point me to how to resolve this issue?
I have tried running Rng-tools - the same issue.

Thank you
Comment by loqs (loqs) - Thursday, 01 March 2018, 13:37 GMT
Did you try the runtime or buildtime options mentioned in the commit message I linked to?
If that prevents the issue then report that commit upstream.
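
A way to test the boot-time entropy hypothesis raised in the comments above, as an added example that is not part of the original ticket or of BIND: it finds the PRNG fatal error in journal text and asks the kernel, without blocking, whether its random pool is initialized. The function names and the embedded sample (copied from the report's log excerpt) are assumptions of this example.

```python
import os
import re

# Constructed sample: lines taken from the log excerpt in the report above.
SAMPLE_JOURNAL = """\
Feb 16 18:41:41 dns named[1557]: starting BIND 9.12.0 <id:71a4086>
Feb 16 18:41:41 dns named[1557]: openssl_link.c:296: fatal error:
Feb 16 18:41:41 dns named[1557]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Feb 16 18:41:41 dns named[1557]: exiting (due to fatal error in library)
"""

PRNG_FATAL = re.compile(
    r"named\[(\d+)\]: OpenSSL pseudorandom number generator cannot be initialized")

def prng_failures(journal_text):
    """Return the PIDs of named instances that logged the PRNG seeding error."""
    return [int(m.group(1)) for m in PRNG_FATAL.finditer(journal_text)]

def kernel_crng_ready():
    """True if the kernel pool is initialized, False if not, None if unknown."""
    getrandom = getattr(os, "getrandom", None)  # Linux-only, Python 3.6+
    if getrandom is None:
        return None
    try:
        getrandom(1, os.GRND_NONBLOCK)  # fails with EAGAIN while unseeded
        return True
    except BlockingIOError:
        return False
    except OSError:
        return None  # e.g. syscall not available on this kernel

def entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """Return the kernel's entropy estimate in bits, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def boot_report(journal_text):
    """Combine the log evidence with the current kernel RNG state."""
    return {"prng_failed_pids": prng_failures(journal_text),
            "crng_ready": kernel_crng_ready(),
            "entropy_avail": entropy_avail()}

if __name__ == "__main__":
    print(boot_report(SAMPLE_JOURNAL))
```

Run early in boot, before named starts, the result only means something for that moment; a later run after the pool has filled will report the pool as ready.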
