Bind 9.8 chroot and gsstsig - what additional libraries do I need?
Juergen Dietl
isclists01 at googlemail.com
Mon May 23 13:54:13 UTC 2011
Hello Tony,
I am pretty sure (but not 100 %) that I also had the troubles with version
9.7.2. P3.
The only thing I know 100 % is that I did the test with the same version.
So:
Bind without GSS-TSIG (no key given in the named.conf) works in CHROOT
Bind with GSS-TSIG (keytab given in the named.conf) does not work
One of the first things that was missed was dev/urandom for example.
Is there anyone out there who uses a GSS-TSIG Bind WITH a CHROOT environment?
Thanks so far,
cheers,
Juergen
2011/5/23 Tony Finch <dot at dotat.at>
> Juergen Dietl <isclists01 at googlemail.com> wrote:
> >
> > I run bind 9.8 with GSS-TSIG in several domains with update-policy list
> > for secure updates and all is working fine. Before my bind was in a
> > CHROOT environment. But with using GSS-TSIG it seems to need a lot more
> > libraries.
>
> Did it stop working when you upgraded to BIND 9.8.0 or when you added
> GSS-TSIG support? If you changed them both at the same time then the
> problem might not be anything to do with GSS-TSIG. (If it is GSS-TSIG
> then I don't know the solution.)
>
> BIND 9.8.0 supports the GOST cipher, and OpenSSL implements GOST as a
> loadable module. Try copying /usr/lib/engines/libgost.so into your chroot.
>
> Alternatively you can rebuild BIND without GOST support. After running its
> configure script, run
> perl -ni -e "print unless /HAVE_OPENSSL_GOST/" config.h
> before running make.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
> Rockall and Malin, veering west or northwest 4 or 5, then backing southwest
> 5 or 6 later. Rough or very rough. Occasional rain. Moderate or good,
> occasionally poor.
>
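
The thread comes down to finding which files named needs that are absent from the chroot. The following is an added example, not part of the original messages or of BIND: a shell sketch that lists the absolute paths from `ldd` output, plus extra paths given by hand, that do not exist under a chroot directory. `ldd` only reports link-time dependencies, so run-time files such as the `/dev/urandom` and `/usr/lib/engines/libgost.so` mentioned above must be passed explicitly; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report files a chrooted binary needs that the chroot lacks.

# Constructed sample of ldd output (not captured from a real named binary).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f100000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f200000)'

# parse_ldd: read ldd output on stdin, print one absolute path per line.
# Lines without a path (vdso, "not found") produce nothing.
parse_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# missing_in_chroot CHROOT: read absolute paths on stdin and print the
# ones that do not exist under CHROOT.
missing_in_chroot() {
    chroot_dir=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -e "$chroot_dir$path" ] || printf '%s\n' "$path"
    done
}

# check_chroot CHROOT BINARY [EXTRA_PATH...]
# EXTRA_PATH covers files ldd cannot see: device nodes and modules that
# are loaded at run time.
check_chroot() {
    chroot_dir=$1
    binary=$2
    shift 2
    { ldd "$binary" | parse_ldd; printf '%s\n' "$@"; } |
        missing_in_chroot "$chroot_dir"
}

# Run only when called with arguments, e.g. (paths are placeholders):
#   sh check.sh /path/to/chroot /path/to/named /dev/urandom \
#       /usr/lib/engines/libgost.so
if [ "$#" -ge 2 ]; then
    check_chroot "$@"
fi
```
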