Mark Andrews <ma...@isc.org> wrote:
>
> And the issue almost certainly is not providing a complete enough
> change root environment. Gost dynamically loads the crypto engine
> after named starts.

I have a lot of sympathy for anyone who encounters this problem because it took me a long time to work out what the solution is. Practically no-one has experience of OpenSSL engines because at best the average sysadmin might know that engines are weird stuff you need for HSMs.

A large part of this is OpenSSL's fault, because its error reporting is not good enough. OpenSSL has a lot of internal abstraction layers, but its error codes are just per-module errno-style numbers, which means it is fundamentally incapable of explaining what went wrong. Like in this instance when its errno said, "ENGINE_by_id failed" but because it can't encapsulate the crucial argument in the error code, it can't say, oh by the way, the engine name is GOST. And because the abstraction layer is fundamentally designed to allow you to be unaware of which engine you are using (which engine failed) this ends up making problems hard to debug.

BIND is generally a lot better at explaining what it is doing than OpenSSL, but it also has layers, and also has errno-style error codes, so the lack of information propagates. Sadface.

Happily BIND has debug logging which lets you report this kind of problem from the depths of its libraries. But it doesn't log in this situation. Sadface.

Debian has an interesting patch to BIND which makes it initialize OpenSSL before calling chroot(), which completely solves this problem in a very nice way. This worked well for me until, er, some point in the last few months on the BIND 9.11 HEAD branch.

http://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=master&id=60cf6b37caf48bd3270aa2b7b8af5ebc47396dce

I am afraid I have not identified why this patch doesn't work any more, because why would anyone in their right mind give a monkey's about elegant solutions to problems caused by obscure crypto algorithms that no-one in their right mind uses.

Tony.

PS. it seems I am a bit cross about GOST.

-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Portland, Plymouth: West or northwest 6 to gale 8 decreasing 4 or 5. Moderate or rough. Mainly fair. Good.
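
Added example, not part of the original message or of BIND or Debian: a shell check for the incomplete-chroot condition discussed in this thread, reporting engine modules that exist on the host but not at the same path inside the chroot. The function name, the module file names `gost.so` / `libgost.so` and the engines directory argument are assumptions; on OpenSSL releases that report it, the directory can be read from the ENGINESDIR line of `openssl version -a`.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: engine id "gost" is shipped as gost.so or libgost.so; the file
# name differs between OpenSSL releases, so both are checked.

# engine_missing_in_chroot HOST_ROOT CHROOT ENGINES_DIR ENGINE_ID
#   HOST_ROOT   normally "" (the real root); a parameter so the check can be
#               exercised against a constructed directory tree
#   CHROOT      directory that named chroots into
#   ENGINES_DIR absolute engines directory as seen by OpenSSL
#   ENGINE_ID   engine id, e.g. gost
# Prints each missing path. Returns 0 if the chroot holds every module the
# host has, 1 if one is missing, 2 if the host has no module for that id.
engine_missing_in_chroot() {
    host_root=$1
    chroot_dir=$2
    engines_dir=$3
    engine_id=$4
    found=0
    missing=0
    for name in "${engine_id}.so" "lib${engine_id}.so"; do
        rel="${engines_dir}/${name}"
        # Only modules present on the host are expected inside the chroot.
        [ -f "${host_root}${rel}" ] || continue
        found=1
        if [ ! -f "${chroot_dir}${rel}" ]; then
            echo "missing in chroot: ${chroot_dir}${rel}"
            missing=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no ${engine_id} engine module on host under ${engines_dir}"
        return 2
    fi
    return "$missing"
}
```

The check covers only the engine module itself; shared libraries the module links against must also resolve inside the chroot.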