-E pkcs11 default documented but not implemented, crashing dnssec.
A documented command line default is unimplemented, generating failures/crashes in dnssec related activity.
man named includes "... -E engine-name ... When BIND is built with OpenSSL PKCS#11 support, this defaults to the string 'pkcs11'." However, the actual default is NULL (0x0), leading to, for example:
Mar 08 20:26:07 registry1.1.quietfountain.com named[1388]: dns_dnssec_findmatchingkeys: error reading key file K11.quietfountain.com.+008+37760.private: no engine
In BIND compiled as:
Mar 09 10:56:32 registry1.1.quietfountain.com named[59594]: starting BIND 9.11.28-RedHat-9.11.28-1.fc33 (Extended Support Version) <id:60f9417>
Mar 09 10:56:32 registry1.1.quietfountain.com named[59594]: running on Linux x86_64 5.10.19-200.fc33.x86_64 #1 SMP Fri Feb 26 16:21:30 UTC 2021
Mar 09 10:56:32 registry1.1.quietfountain.com named[59594]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-ns-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'CPPFLAGS= -DDIG_SIGCHASE' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
In gdb we have:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff5d48640 (LWP 59595)]
[New Thread 0x7ffff5547640 (LWP 59596)]
[New Thread 0x7ffff4d46640 (LWP 59597)]
[New Thread 0x7ffff4545640 (LWP 59598)]
[New Thread 0x7ffff3d44640 (LWP 59599)]
[New Thread 0x7ffff3519640 (LWP 59600)]
Thread 1 "named" hit Breakpoint 5, dst__openssl_init (engine=0x0) at ../../../lib/dns/openssl_link.c:196
196 dst__openssl_init(const char *engine) {
(gdb) bt
#0 dst__openssl_init (engine=0x0) at ../../../lib/dns/openssl_link.c:196
#1 0x00007ffff7f00de7 in dst_lib_init2 (mctx=<optimized out>, ectx=0x7ffff5d52010, engine=0x0, eflags=eflags@entry=1) at ../../../lib/dns/dst_api.c:198
#2 0x00005555555c1c56 in ns_server_create (mctx=0x55555562e730, serverp=0x555555627e60 <ns_g_server>) at ../../../bin/named/server.c:9157
#3 0x0000555555579332 in setup () at ../../../bin/named/main.c:1337
#4 main (argc=<optimized out>, argv=0x7fffffffe2c8) at ../../../bin/named/main.c:1556
(gdb) n
209 CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
(gdb) n
250 OPENSSL_load_builtin_modules();
(gdb) n
251 ENGINE_load_builtin_engines();
(gdb) n
252 ERR_clear_error();
(gdb) n
253 CONF_modules_load_file(NULL, NULL,
(gdb) n
258 if (engine != NULL && *engine == '\0')
(gdb) p engine
$32 = 0x0
(gdb) info args
engine = 0x0
A 'workaround' is, in /etc/sysconfig/named, to include
OPTIONS="-E pkcs11"
But it would be better if either the docs changed, the error message was more helpful, or the code changed to implement the documented default.
Other detail at: https://bugzilla.redhat.com/show_bug.cgi?id=1937207
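As an added example (not part of the report or of BIND), a small POSIX shell check for whether a host is exposed to this mismatch: a native PKCS#11 build with no explicit -E engine in the service options. It assumes that `named -V` prints the configure flags and that /etc/sysconfig/named carries an OPTIONS= line; the sample inputs below are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from BIND.
# Assumptions: `named -V` prints the configure flags on one line, and
# /etc/sysconfig/named holds an OPTIONS="..." line read by the unit file.

# Return 0 when the build flags show native PKCS#11 support.
native_pkcs11_build() {
    printf '%s\n' "$1" | grep -q -- '--enable-native-pkcs11'
}

# Return 0 when the OPTIONS string already passes an explicit -E engine.
options_set_engine() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]"])-E[[:space:]]*[^[:space:]"]+'
}

# 0 = engine explicitly set, 1 = native PKCS#11 build without -E (the
# reported failure mode), 2 = not a native PKCS#11 build, check not needed.
engine_check() {
    build="$1"; options="$2"
    if ! native_pkcs11_build "$build"; then
        return 2
    fi
    if options_set_engine "$options"; then
        return 0
    fi
    return 1
}

# Constructed sample input: a build line shaped like the one in the report,
# a sysconfig file without the workaround, and one with it.
SAMPLE_BUILD="built with '--prefix=/usr' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'"
SAMPLE_OPTIONS_MISSING='OPTIONS=""'
SAMPLE_OPTIONS_OK='OPTIONS="-E pkcs11"'
SAMPLE_BUILD_PLAIN="built with '--prefix=/usr' '--with-openssl'"

# Live use on a host: engine_check "$(named -V)" "$(cat /etc/sysconfig/named)"
# then act on the exit status (1 means add OPTIONS="-E pkcs11" or fix the build).
```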