[Opendnssec-user] Questions regarding OpenBSD port
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Aug 28 14:42:36 UTC 2014
Hi,

On 08/25/2014 12:27 AM, Patrik Lundin wrote:
> Hello Matthijs,
>
> Thank you for looking at this, see my comments inline.
>
> On Sun, Aug 24, 2014 at 05:33:13PM +0200, Matthijs Mekking wrote:
>>
>> My first guess would be that there are old signer configuration files
>> and other files in `/var/opendnssec/signconf/` and
>> `/var/opendnssec/tmp/` that cause this.
>>
>
> This is a fresh install. The tmp/ directory remains empty and signconf/
> contains an example.com.xml file after running "ods-control enforcer notify":
> [CUT]
> # ods-control enforcer notify
> Notifying enforcer of new database...
>
> # ls -la /var/opendnssec/signconf/
> total 12
> drwxr-xr-x 2 _opendnssec _opendnssec 512 Aug 25 00:01 .
> drwxr-xr-x 8 root wheel 512 Aug 24 23:59 ..
> -rw-r--r-- 1 _opendnssec _opendnssec 962 Aug 25 00:01 example.com.xml
> [CUT]
> Interesting. I have not modified the kasp.xml from what the build produced.

Forget my remark about NSEC. denial_nsecify() also is responsible for
the NSEC3 case.

I tried to reproduce, but your steps give me an okay result and a signed
zone. I used SoftHSM 1.3.6 and OpenDNSSEC 1.4.6.

One other thing that I noticed, the segfault is at a strange line,
showing only a '{':

    #0 0x19242700 in denial_nsecify (denial=0x7a46f8a0, nxt=0x7a46f760,
    num_added=0x8042b134) at signer/denial.c:301
    301 {

Which I have no idea why and how.

> This is how the file looks:
> [CUT]
>> Also, if you can provide a debug log from the signer, this can help
>> showing the code path taken.
>>
>
> This is very interesting. While running ods-signerd over and over again adding
> -v flags, I noticed it would randomly not segfault, and when it managed to keep
> running a file would turn up in the signed/ directory (with NSEC3 records):
> ===
> # grep NSEC /var/opendnssec/signed/example.com
> example.com. 0 IN NSEC3PARAM 1 0 5 72865fb39b97d514
> example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20140908081316 20140824210920 11659 example.com. HEs5ldTPAThYPsVonxho5TFYp+Tu61CFG2uTMQ7D1C4tPRB8sfrGr5R+oLINhVO24rJbV6iaykQYw8IcgvzglwaNUbI2Rhh/V3mIoiPGRS3PFry1viQ7V9KlUMPFm40gOPTQi7BjyS0m5/m/dVWnNyojy97TLFXci5Q0i/4ZhUc=
> skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 3jjn7mlkrh9eu4cif619n31a50eti7ln NS SOA RRSIG DNSKEY NSEC3PARAM
> skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140907145533 20140824210920 11659 example.com. y/HeQufcpu6ZLpw/EqWPV/rvtGWBYq21/zTd/MOpptC0BI4aGo1KcVygJnnR7mV3KpdW/O4u5BMKcSD5IvAm1k6QdITgzBpYY3tn7M8/T6CmeV3oGej7kuWmzoBld4d0jV3GvgGA9F26uSoVipjzYhzVQRxGehqxrMlPaWUaW4o=
> ke8gpauinacisej48v3kb64ob7cqougp.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 skl184nds0ko65j4hnsm8jdh6b4qpumd A RRSIG
> ke8gpauinacisej48v3kb64ob7cqougp.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140907150732 20140824210920 11659 example.com. xrEYk5T5qdR/alz8yJe8/3rmgFDGXQQL6bzvPph4mwt2Gs1ZqNVce3Q+U9wNXrIt3KAV9EF50x/mdLa1CsMc9N9Oek5mfvGrJEs+ovR5Fp5AB4jl0XQFN2HY9F56JgYQPbkb96s2v/EjBXyMyTYTBDOEPpjDBSFrha6cYYNi1Dc=
> 3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 ke8gpauinacisej48v3kb64ob7cqougp A RRSIG
> 3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140908052134 20140824210920 11659 example.com. rmWESKFpYUBu+ItQ4ALQVPB+DJyx2+layDtr8P+VvZw53Ch+sozSTEyx/aD9cgQBcDbwQahhL+t8mXa0Xb0bYfwrSPEZSGh8ZE2l94bgaKy0TugRsKjmeWD3RoPkSqCdal9InlO315s0D2lFIgYPXHYq7ZRuQWWEN6hixsv2TnE=
> ===

That looks good...

> This is the output from two consecutive runs where the prior failed and the
> latter managed to run (after I had been spamming up-arrow and enter for a
> while):
> ===
> # /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv
> OpenDNSSEC signer engine version 1.4.6
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] open file file=/etc/opendnssec/conf.xml mode=reading
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] openfile /etc/opendnssec/conf.xml count 1
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
> [Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 29430 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)
> Segmentation fault
> # /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv
> OpenDNSSEC signer engine version 1.4.6
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] open file file=/etc/opendnssec/conf.xml mode=reading
> [Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] openfile /etc/opendnssec/conf.xml count 1
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
> [Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 23565 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
> [Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)

Both logs look the same. I also wonder if these are the complete logs,
it doesn't look like it.

Best regards,
Matthijs

> ===
>
> Regards,
> Patrik Lundin
>