| Field | Value |
|---|---|
| Summary | net-dns/bind-9.12.2_p2-r1 - named: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) |
| Product | Gentoo Linux |
| Reporter | Thomas Stein <himbeere> |
| Component | Current packages |
| Assignee | Mikle Kolyada (RETIRED) <zlogene> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | bug, chutzpah, idl0r, luke, m_gentoobug, nikize, sam, tb |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Thomas Stein
2018-12-26 10:52:17 UTC
I'm having this issue on three servers. I had to roll back to get the service back.

I did not have the urandom node in my chroot. I added that and it started.

(In reply to lou from comment #2)
> I did not have the urandom node in my chroot. I added that and it started.

lou, your comment leads me to a "more proper" solution:
- install net-dns/bind[urandom]
- re-run emerge --config '=net-dns/bind-<your_bin_version>'
and /dev/urandom will be created in the chroot dir.

I experienced the same following an upgrade. It seems bind has changed the default behaviour for the random number generator. Earlier packages used /dev/random as the source, with an optional use flag of urandom to use /dev/urandom instead. Since Bind's change to use OpenSSL's pseudorandom number generator, it now requires /dev/urandom regardless of use flag. It looks like the ebuild needs updating to cater for the upstream change.

Confirming net-dns/bind[urandom] with CHROOT configured does resolve this issue. Removing CHROOT also permits bind to start. I agree that the ebuild should be reviewed to accommodate upstream's change without further user intervention. This oversight can negatively impact someone's critical DNS deployment.

This is still a problem with net-dns/bind-9.15.2:

emerge -vDNu net-dns/bind
emerge --config '=net-dns/bind-9.15.2'

The install and config complete without reported error. However, there is no "/chroot/dns/dev/urandom" created. Note that it is required for named ("net-dns/bind-9.15.2") to start. The workaround is to run:

cd /chroot/dns/dev
mknod urandom c 1 9

"named" then starts fine.

FYI: The system log start errors reported when trying to start without "/chroot/dns/dev/urandom" are:

named[3181]: openssl_link.c:164: fatal error:
named[3181]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
named[3181]: exiting (due to fatal error in library)
/etc/init.d/named[3179]: start-stop-daemon: failed to start `/usr/sbin/named'

Thanks in advance for a future fix.
Regards, Martin

Had the same problem with 9.14.4.
Just-installed versions: 9.14.4^t(04:06:11 09/24/19)(caps ipv6 readline -doc -gssapi -idn -libedit -libressl -xml)

I had the same problem: /var/log/messages had:

Sep 25 21:20:46 janus named[3315]: openssl_link.c:166: fatal error:
Sep 25 21:20:46 janus named[3315]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Sep 25 21:20:46 janus named[3315]: exiting (due to fatal error in library)
Sep 25 21:20:46 janus /etc/init.d/named[3313]: start-stop-daemon: failed to start `/usr/sbin/named'
Sep 25 21:20:46 janus /etc/init.d/named[3284]: ERROR: named failed to start

The work-around described in Martin's update on this bug at 2019-09-02 18:14:55 UTC fixed the problem.

This is very much still an existing issue.
No explanation as to why or how this was marked as resolved.

During my installation I found the urandom still needs to be copied over.
https://github.com/ASoft-se/Gentoo-HAI/pull/55/files

(In reply to Christian Nilsson from comment #8)
> This is very much still an existing issue.
> No explanation as to why or how this was marked as resolved.
>
> During my installation I found the urandom still needs to be copied over.
> https://github.com/ASoft-se/Gentoo-HAI/pull/55/files

It was closed, supposedly, because it was fixed back then.

It has been accidentally re-introduced but should be fixed again by:
https://github.com/gentoo/gentoo/commit/6e8faaad077caf9048e2c5a132ddade0b0b316aa#diff-48e2e169b4ac644113233aa81b09fe764cc3afc52bcd95fb75830fcc150efa1d

Can you confirm emerge --config net-dns/bind and/or restarting bind with the chroot option being set fixed it for you and created, if necessary, the /dev/urandom device?

Yes, my mistake, main reason was due to this being marked as resolved/obsolete without any explanation.
BUG #793860 also exists, and has a working fix.
Thanks, and sorry for the misunderstanding.

Let's finally mark it resolved then.
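The thread's manual workaround (mknod urandom c 1 9 inside the chroot's dev directory) written up as a pre-start check, so that a missing or wrong node is caught before named aborts with "PRNG not seeded". This is an added example, not code from the bug report, from the Gentoo ebuild or from the linked commit. The chroot path is passed as an argument (the thread's /chroot/dns is only the usage example), the device mode 0666 is my choice, and the script refuses to overwrite anything that already sits at dev/urandom but is not a character device rather than deleting it; major 1 / minor 9 is the Linux urandom device as in Martin's mknod command.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild): verify that a BIND
# chroot contains the /dev/urandom character device named needs to seed
# OpenSSL's PRNG, and create it when it is missing. Assumptions: the chroot
# path comes from the command line, node mode 0666 is my choice. Major 1,
# minor 9 is the Linux urandom device, as in the mknod workaround above.

# Return 0 only if "$1/dev/urandom" exists and is a character device. A node
# that is absent, or a regular file copied in by mistake, both leave named
# unable to seed the PRNG.
chroot_urandom_ok() {
    [ -c "$1/dev/urandom" ]
}

# Create the node inside the chroot. Needs root (CAP_MKNOD) and a filesystem
# not mounted with "nodev". Returns 0 when the node is usable afterwards.
# Refuses to replace an existing non-device entry at that path.
ensure_chroot_urandom() {
    cr="$1"
    chroot_urandom_ok "$cr" && return 0
    if [ -e "$cr/dev/urandom" ]; then
        echo "error: $cr/dev/urandom exists but is not a character device" >&2
        return 1
    fi
    mkdir -p "$cr/dev" || return 1
    mknod -m 0666 "$cr/dev/urandom" c 1 9 || return 1
    chroot_urandom_ok "$cr"
}

# Usage (as root, before starting named):  sh chroot-urandom.sh /chroot/dns
if [ $# -gt 0 ]; then
    if ensure_chroot_urandom "$1"; then
        echo "ok: $1/dev/urandom is a character device"
    else
        echo "error: no usable $1/dev/urandom; named will exit with 'PRNG not seeded'" >&2
        exit 1
    fi
fi
```

Run it from whatever starts named (an init script pre-start hook, or by hand after emerge --config) with the same chroot directory that CHROOT in /etc/conf.d/named points at; a non-zero exit means the node is still missing and the OpenSSL fatal error from the logs above is what named will report.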