/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

Jack Tavares j.tavares at F5.com
Thu May 14 06:50:35 UTC 2009


So I posted a couple of messages about how my nsupdates
were failing intermittently when attempting to update a signed zone.

The only error I get in the log is:

14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer "update.test.net" approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back

The keys are generated with RSASHA1 and use -r /dev/urandom.

I run named in a chroot jail, at /var/named.
I created /var/named/dev/random with

mknod -m644 /var/named/dev/random c 1 8

which mimics the major and minor number from the system:

ls -lL /dev/random
crw-r--r--    1 root     root       1,   8 May 13 03:27 /dev/random

The nsupdates fail, seemingly randomly.

When I delete this /dev/random from the chroot, they work.

So my question is:
Am I setting up the /dev/random incorrectly?
Should I not be creating /dev/random? (The how-tos I have seen all talk about
re-creating /dev/null and /dev/random etc.)

Note:
I also tried generating the keys without using /dev/urandom, and have the same
inconsistent behavior with the chroot /dev/random present.



--
Jack Tavares
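The post above asks whether the chroot device node was created correctly and notes that the failures disappear when the jail's /dev/random is removed. Two checks a practitioner would want before blaming the setup are (a) whether the node inside the jail really has the same type and major/minor numbers as the host device, and (b) whether reading from the device completes promptly or can block (a blocking /dev/random is the classic reason a signer inside a jail fails intermittently while /dev/urandom does not). The script below is an added example written for this page, not code from the original post or from BIND; it assumes GNU coreutils (`stat -c`, `timeout`, `dd`) and that the jail root and device name are passed as arguments.

```shell
#!/bin/sh
# Added example: verify a device node inside a chroot and probe whether reads block.
# Assumes GNU coreutils: stat -c, timeout, dd.

# check_devnode <chroot_root> <device_name>
# e.g. check_devnode /var/named random
# Returns 0 when /dev/<name> and <chroot_root>/dev/<name> are both character
# devices with identical major/minor numbers, 1 otherwise.
check_devnode() {
    root=$1
    name=$2
    host="/dev/$name"
    jail="$root/dev/$name"
    for p in "$host" "$jail"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        [ -c "$p" ] || { echo "not a character device: $p"; return 1; }
    done
    # %t and %T are the major and minor numbers in hex (GNU stat).
    # -L follows symlinks so a symlinked host /dev/random is compared by target.
    h=$(stat -L -c '%t:%T' "$host")
    j=$(stat -L -c '%t:%T' "$jail")
    if [ "$h" != "$j" ]; then
        echo "major/minor mismatch: host $host=$h jail $jail=$j"
        return 1
    fi
    echo "ok: $jail matches $host (major:minor hex $h)"
    return 0
}

# probe_read <device> [nbytes] [seconds]
# Reads nbytes from the device with a deadline. A blocking /dev/random on a
# host with a depleted entropy pool will not finish in time; /dev/urandom
# always will. Returns 0 when the read completed, 1 when it did not.
probe_read() {
    dev=$1
    nbytes=${2:-16}
    secs=${3:-2}
    if timeout "$secs" dd if="$dev" bs=1 count="$nbytes" of=/dev/null 2>/dev/null; then
        echo "read $nbytes bytes from $dev within ${secs}s"
        return 0
    fi
    echo "read from $dev did not complete within ${secs}s (a signer reading it would stall or fail)"
    return 1
}

# Usage against the layout described in the post (assumed paths):
#   check_devnode /var/named random
#   probe_read /var/named/dev/random 16 2
#   probe_read /var/named/dev/urandom 16 2
```

If `check_devnode` reports a match but `probe_read` on the jail's /dev/random times out while /dev/urandom does not, the node itself is fine and the intermittent failures come from the device blocking on low entropy; that is the case to compare with the post's observation that removing the jail's /dev/random makes updates succeed.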
