/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
Jack Tavares
j.tavares at F5.com
Thu May 14 07:15:14 UTC 2009
One other thing:
when I remove /dev/random from the chroot, bind just uses the
pre-chroot /dev/random
14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not found
14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
which is groovy.
So I guess I don't need the chroot random, but I would still like
to know why using the chrooted /dev/random causes this problem.
--
Jack Tavares
AIM: jacktavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday morning (GMT+2).
________________________________
From: bind-users-bounces at lists.isc.org [bind-users-bounces at lists.isc.org] On Behalf Of Jack Tavares [j.tavares at F5.com]
Sent: Thursday, May 14, 2009 09:50
To: bind-users at lists.isc.org
Subject: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone
So I posted a couple of messages about how my nsupdates
were failing intermittently when attempting to update a signed zone.
The only error I get in the log is:
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer "update.test.net" approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back
The keys are generated with RSASHA1 and use -r /dev/urandom
I run named in chroot jail, at /var/named
I created /var/named/dev/random with
mknod -m644 /var/named/dev/random c 1 8
which mimics the major and minor number from the system
ls -lL /dev/random
crw-r--r-- 1 root root 1, 8 May 13 03:27 /dev/random
The nsupdates fail, seemingly randomly.
When I delete this /dev/random from the chroot, they work.
So my question is:
am I setting up the /dev/random incorrectly?
should I not be creating /dev/random? (the how-tos I have seen all talk about
re-creating /dev/null and /dev/random etc)
Note:
I also tried generating the keys not using /dev/urandom, and have the same
inconsistent behavior with the chroot /dev/random present.
--
Jack Tavares
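As an added example (not from the original post or from ISC), the following script does the comparison the poster did by hand with "ls -lL", for each device node commonly placed in a named chroot: it reports whether the jail copy is the same kind of node with the same major/minor as the host device, and flags a missing node or an ordinary file created by mistake. It assumes GNU stat on Linux and the /var/named jail path from the post.

```shell
#!/bin/sh
# Added example: verify device nodes inside a chroot against the host's.
# Assumes GNU stat (Linux). The jail path /var/named is taken from the post.

# Print "<file type> <major>:<minor>" for a path, or "missing" if absent.
node_id() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    set -- "$(stat -c '%F' "$1")" "$(stat -c '%t' "$1")" "$(stat -c '%T' "$1")"
    # %t/%T are hex; convert to decimal so the output matches "ls -l" (1, 8)
    printf '%s %d:%d\n' "$1" "0x$2" "0x$3"
}

# Return 0 when chroot_path is a character device with the same major/minor
# as host_path, 1 otherwise. A one-line verdict goes to stderr.
check_node() {
    host_path=$1
    chroot_path=$2
    host_id=$(node_id "$host_path")
    jail_id=$(node_id "$chroot_path")
    case "$host_id" in
        "character special file "*) ;;
        *) echo "SKIP $host_path is not a character device ($host_id)" >&2
           return 1 ;;
    esac
    if [ "$host_id" = "$jail_id" ]; then
        echo "OK   $chroot_path matches $host_path ($host_id)" >&2
        return 0
    fi
    echo "FAIL $chroot_path ($jail_id) != $host_path ($host_id)" >&2
    return 1
}

# Check the nodes a chrooted named is usually given; nonzero if any differ.
check_chroot_devices() {
    chroot=${1:-/var/named}
    rc=0
    for dev in null random urandom; do
        check_node "/dev/$dev" "$chroot/dev/$dev" || rc=1
    done
    return $rc
}

# Run the full check only when a jail path is supplied in the environment,
# e.g.  CHROOT_TO_CHECK=/var/named sh check_devices.sh
[ -n "${CHROOT_TO_CHECK:-}" ] && check_chroot_devices "$CHROOT_TO_CHECK"
```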