patches to make bind9 with TKEY/GSS updates easier to configure

tridge at samba.org
Fri Dec 3 00:48:21 UTC 2010


Hi Michael,

Thanks for access to your NetBSD box. I found a bug in
lib/dns/openssl_link.c in entropy_get() and entropy_getpseudo(). They
should be returning 1 on success, not num (see the RAND_bytes(3) man
page). It looks like this bug has been found before:

  http://comments.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5601

I've put a patch for this in my patch set:

  http://samba.org/tridge/bind9-patches/0009-openssl-RAND_bytes-should-return-1-on-success-not-nu.patch

With the change, the tsiggss test passes for me on your box.

If it still fails for you, can you tell me what options you are
passing to configure? I am using:

  ./configure --with-gssapi=/usr --prefix=$HOME/prefix --with-openssl=/usr --with-randomdev=/dev/urandom

and I am testing tsiggss like this:

 (cd bin/tests/system/ && sh run.sh tsiggss)

The source tree I am using is in /home/tridge/bind9 on your machine,
and is a clone of:

  git://git.samba.org/tridge/bind9

This is just the 9.7.2-P1 tarball, plus the patches from
http://samba.org/tridge/bind9-patches/

Cheers, Tridge


 > On my NetBSD machine:
 > 
 > S:tsiggss:Thu Dec  2 18:00:39 UTC 2010
 > T:tsiggss:1:A
 > A:System test tsiggss
 > I:testing updates as administrator
 > I:testing update for testdc1.example.nil. A 86400 A 10.53.0.10
 > Check your Kerberos ticket, it may have expired.
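
Added example, not part of the original message and not BIND's or OpenSSL's code: a small C model of the return-value contract the message refers to, showing how a callback that reports success as `num` is rejected by a caller that checks for exactly 1. All names (`bytes_cb`, `cb_returns_num`, `cb_returns_one`, `make_nonce`, `accepted_sizes`) are hypothetical, and the fill routine is a deterministic stand-in, not an entropy source.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical callback type modelling a "fill buf with num bytes" hook. */
typedef int (*bytes_cb)(unsigned char *buf, int num);

/* Stand-in source: fixed pattern so the example is deterministic. NOT entropy. */
static int fill(unsigned char *buf, int num) {
    if (buf == NULL || num < 0) return 0;
    memset(buf, 0xA5, (size_t)num);
    return 1;
}

/* Behaviour the message describes as the bug: success reported as num. */
int cb_returns_num(unsigned char *buf, int num) {
    return fill(buf, num) ? num : 0;
}

/* Behaviour after the fix: success reported as 1, per RAND_bytes(3). */
int cb_returns_one(unsigned char *buf, int num) {
    return fill(buf, num) ? 1 : 0;
}

/* A caller that follows the documented contract and treats anything
 * other than 1 as failure. Returns 0 on success, -1 on error. */
int make_nonce(bytes_cb cb, unsigned char *out, int len) {
    if (cb(out, len) != 1) {
        memset(out, 0, (size_t)len);   /* do not hand back unvetted bytes */
        return -1;
    }
    return 0;
}

/* Count how many request sizes in [1, max] the caller accepts. */
int accepted_sizes(bytes_cb cb, int max) {
    unsigned char buf[64];
    int ok = 0;
    for (int n = 1; n <= max && n <= (int)sizeof buf; n++)
        if (make_nonce(cb, buf, n) == 0) ok++;
    return ok;
}

int main(void) {
    printf("returns num: %d of 32 sizes accepted\n", accepted_sizes(cb_returns_num, 32));
    printf("returns 1:   %d of 32 sizes accepted\n", accepted_sizes(cb_returns_one, 32));
    return 0;
}
```

The `num`-returning callback is accepted only for a one-byte request, so the defect stays hidden from any test that never asks for more than one byte.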



