named in BIND 9.9.3-P1 needs libpkcs11.so ?

Dennis Clarke dclarke at blastwave.org
Thu Jun 27 03:59:29 UTC 2013


# /opt/adbs/sbin/named -u named -c /etc/opt/adbs/named/named.conf -4 -d 2 -f -g -n 1 
27-Jun-2013 03:43:27.243 starting BIND 9.9.3-P1 -u named -c /etc/opt/adbs/named/named.conf -4 -d 2 -f -g -n 1
27-Jun-2013 03:43:27.246 built with '--build=sparc-sun-solaris2.10' '--host=sparc-sun-solaris2.10' '--prefix=/opt/adbs' '--enable-threads=yes' '--disable-openssl-version-check' '--enable-ipv6' '--with-randomdev=/dev/urandom' 

... huge bucket of options here ...
.
.
.
27-Jun-2013 03:43:27.248 ----------------------------------------------------
27-Jun-2013 03:43:27.250 BIND 9 is maintained by Internet Systems Consortium,
27-Jun-2013 03:43:27.251 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
27-Jun-2013 03:43:27.253 corporation.  Support and training for BIND 9 are 
27-Jun-2013 03:43:27.255 available at https://www.isc.org/support
27-Jun-2013 03:43:27.257 ----------------------------------------------------
27-Jun-2013 03:43:27.259 found 1 CPU, using 1 worker thread
27-Jun-2013 03:43:27.260 using 1 UDP listener per interface
27-Jun-2013 03:43:27.268 using up to 4096 sockets
27-Jun-2013 03:43:27.271 Registering DLZ_dlopen driver
27-Jun-2013 03:43:27.274 Registering SDLZ driver 'dlopen'
27-Jun-2013 03:43:27.276 Registering DLZ driver 'dlopen'
27-Jun-2013 03:43:27.296 decrement_reference: delete from rbt: 1005a9b08 .
27-Jun-2013 03:43:27.341 initializing DST: no engine
27-Jun-2013 03:43:27.343 exiting (due to fatal error)
# 

initializing DST: no engine ? 

That seems somewhat of a mystery to me and so I used truss to see this : 

12636/1:         0.7352 stat("/opt/adbs/ssl/lib/engines/libpkcs11.so", 0xFFFFFFFF7FFFE850) Err#2 ENOENT

Well I have no idea how to generate libpkcs11.so in my openssl engines area. 

Is this really needed ? 

This build of OpenSSL 1.0.1e was fully tested and passed all tests so I am thinking
that an option to the build of bind is the issue here.   Probably "--with-pkcs11" .

If I don't have that option am I totally shafted for DNSSEC ? 

Am I making sense here ?

Dennis 

