Can't get BIND to use GSSAPI from /usr/local on FreeBSD

Sam Liddicott sam at liddicott.com
Fri Sep 10 09:29:07 UTC 2010


For lack of response here, the heimdal guys are putting in a work-around for this bind bug.

Sam

On 25/08/10 17:41, Sam Liddicott wrote:
>  I've also reported this as a bind bug, but I'm posting it here as I 
> think it answers the case for the BSD user in the thread entitled: 
> Can't get BIND to use GSSAPI from /usr/local on FreeBSD
> (Patch attached which fixes it for me)
>
>   I've traced my problem to what looks like a mismatch of expectations
> between heimdal 1.3.3 and bind 9 (BIND 9.7.1-P2)
>
> in lib/dns/openssl_link.c, entropy_get returns the number of bytes if
> successful - always equal to argument num (if successful).
>
> entropy_get is registered as a delegate for openSSL's RAND_bytes in
> dst__openssl_init.
>
> My man page for RAND_bytes states:
> RETURN VALUES
>         RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
>         obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the
>         bytes generated are cryptographically strong, 0 otherwise. Both
>         functions return -1 if they are not supported by the current RAND
>         method.
> and entropy_get varies from that behaviour.
>
> This causes problems with heimdal 1.3.3, in heimdal's lib/krb5/crypto.c:
> 3995        if (RAND_bytes(buf, len) != 1)
> 3996            krb5_abortx(NULL, "Failed to generate random block");
>
> So "nsupdate -g" fails when linked with heimdal 1.3.3
>
> It looks like bind 9 is at fault even though heimdal could be more 
> accepting.
>
> I don't know if there are other similar errors in other openssl_link.c


-- 
[FSF Associate Member #2325] 
<http://www.fsf.org/register_form?referrer=2325>
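Added example, not part of the original post and not BIND, heimdal or OpenSSL code: a self-contained C model of the return-value mismatch described in the quoted message. The callback type, `model_rand_bytes` and the delegate names are hypothetical stand-ins, and the model assumes the dispatcher hands the delegate's return value back to the caller unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a pluggable "bytes" callback slot (not OpenSSL's RAND_METHOD). */
typedef int (*rand_bytes_fn)(unsigned char *buf, int num);
static rand_bytes_fn g_method;

/* Delegate in the style the post describes for entropy_get:
 * on success it returns the number of bytes, i.e. num. */
static int delegate_returns_count(unsigned char *buf, int num) {
    memset(buf, 0xA5, (size_t)num);   /* constructed filler, not real entropy */
    return num;
}

/* Delegate following the documented contract: 1 on success, 0 otherwise. */
static int delegate_returns_one(unsigned char *buf, int num) {
    memset(buf, 0xA5, (size_t)num);
    return 1;
}

/* Adapter that maps the count-style return onto the 1/0 contract. */
static int delegate_normalized(unsigned char *buf, int num) {
    return delegate_returns_count(buf, num) == num ? 1 : 0;
}

/* Stand-in for RAND_bytes(): assumed to pass the delegate's result through. */
static int model_rand_bytes(unsigned char *buf, int num) {
    return g_method ? g_method(buf, num) : -1;
}

/* Same test as the quoted heimdal check: anything other than 1 is a failure.
 * Returns 1 if the caller would continue, 0 if it would abort. */
int strict_caller_accepts(rand_bytes_fn method, int len) {
    unsigned char buf[64];
    if (len < 0 || len > (int)sizeof buf)
        return 0;
    g_method = method;
    return model_rand_bytes(buf, len) == 1;
}

int main(void) {
    printf("count-style, len=16: %d\n", strict_caller_accepts(delegate_returns_count, 16));
    printf("count-style, len=1:  %d\n", strict_caller_accepts(delegate_returns_count, 1));
    printf("contract,    len=16: %d\n", strict_caller_accepts(delegate_returns_one, 16));
    printf("normalized,  len=16: %d\n", strict_caller_accepts(delegate_normalized, 16));
    return 0;
}
```

The count-style delegate passes the strict check only when exactly one byte is requested, which is why a mismatch like this can stay hidden until a caller compares against 1.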