dnssec-signzone hangs with ECDSAP256SHA256
Summary
Signing a zone with ECDSAP256SHA256 hangs; RSASHA256 works. On another server both work!?
BIND version used
BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.14 (Extended Support Version) id:7107deb running on Linux x86_64 3.10.0-1160.95.1.el7.x86_64 #1 SMP Mon Jul 24 13:59:37 UTC 2023 built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-geoip' '--with-libidn' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-atf=yes' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44) compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017 linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017 compiled with libxml2 version: 2.9.1 linked to libxml2 version: 20901 compiled with zlib version: 1.2.7 linked to zlib version: 1.2.7 threads support is enabled
Steps to reproduce
- creating the KSK/ZSK:
  /usr/sbin/dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 example.com
  /usr/sbin/dnssec-keygen -a ECDSAP256SHA256 -r /dev/urandom -f KSK -I 20241030 example.com
- add the keys to zone-file "example.com":
  strace -o output_ecdsa.txt /usr/sbin/dnssec-signzone -P -v 13 -N unixtime -k Kexample.com.+013+01592 -o example.com example.com Kexample.com.+013+43106
What is the current bug behavior?
dnssec-signzone: using 2 cpus
dnssec-signzone: debug 1: delete_node(): 0x7f66c7da30f0 example.com (bucket 5)
dnssec-signzone: debug 1: calling free_rbtdb(.)
dnssec-signzone: debug 1: done free_rbtdb(.)
dnssec-signzone: no existing signatures for example.com/NSEC
dnssec-signzone: example.com/NSEC:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/43106
now it hangs.
What is the expected correct behavior?
Output from another server (BIND 9.11.36-RedHat-9.11.36-9.el8)
dnssec-signzone: using 16 cpus
dnssec-signzone: debug 1: delete_node(): 0x7f38d38ac010 example.com (bucket 1)
dnssec-signzone: debug 1: calling free_rbtdb(.)
dnssec-signzone: debug 1: done free_rbtdb(.)
dnssec-signzone: no existing signatures for example.com/NSEC
dnssec-signzone: example.com/NSEC:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for example.com/DNSKEY
dnssec-signzone: example.com/DNSKEY:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/11043
dnssec-signzone: no existing signatures for example.com/TXT
dnssec-signzone: example.com/TXT:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for example.com/SOA
dnssec-signzone: example.com/SOA:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for example.com/NS
dnssec-signzone: example.com/NS:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for example.com/MX
dnssec-signzone: example.com/MX:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for example.com/A
dnssec-signzone: example.com/A:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for mail.example.com/NSEC
dnssec-signzone: mail.example.com/NSEC:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for www.example.com/NSEC
dnssec-signzone: www.example.com/NSEC:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for mail.example.com/CNAME
dnssec-signzone: mail.example.com/CNAME:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
dnssec-signzone: no existing signatures for www.example.com/CNAME
dnssec-signzone: www.example.com/CNAME:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/2514
example.com.signed
dnssec-signzone: debug 1: calling free_rbtdb(example.com)
dnssec-signzone: debug 1: done free_rbtdb(example.com)
- or on the server causing the problem, signing with RSASHA256
Relevant configuration files
Relevant logs and/or screenshots
- last lines of strace output:
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=10923, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(4, "ancient versions of Netscape cra"..., 4096) = 4096
read(4, "gainst PKIX guidelines but some "..., 4096) = 2731
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
futex(0x7ff9099b4264, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 4
read(4, "0\n", 8192) = 2
close(4) = 0
write(2, "dnssec-signzone: ", 17) = 17
write(2, "using 2 cpus\n", 13) = 13
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (Bestand of map bestaat niet)
futex(0x7ff909deb950, FUTEX_WAKE_PRIVATE, 2147483647) = 0
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (Bestand of map bestaat niet)
futex(0x7ff9099b4330, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7ff9099b41cc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("example.com", O_RDONLY) = 4
mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff909f9a000
fstat(4, {st_mode=S_IFREG|0644, st_size=547, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "$TTL 3600\n@\t\tIN\tSOA\tns1.named.be"..., 4096) = 547
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (Bestand of map bestaat niet)
brk(NULL) = 0xd82000
brk(0xda7000) = 0xda7000
open("Kexample.com.+013+01592.key", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=396, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00b000
read(5, "; This is a key-signing key, key"..., 4096) = 396
read(5, "", 4096) = 0
close(5) = 0
munmap(0x7ff90a00b000, 4096) = 0
open("Kexample.com.+013+43106.key", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=344, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00b000
read(5, "; This is a zone-signing key, ke"..., 4096) = 344
read(5, "", 4096) = 0
close(5) = 0
munmap(0x7ff90a00b000, 4096) = 0
read(4, "", 4096) = 0
brk(NULL) = 0xda7000
brk(NULL) = 0xda7000
brk(0xda2000) = 0xda2000
brk(NULL) = 0xda2000
munmap(0x7ff909f9a000, 135168) = 0
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
open("./Kexample.com.+013+43106.key", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=344, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "; This is a zone-signing key, ke"..., 4096) = 344
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
open("./Kexample.com.+013+43106.private", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=187, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "Private-key-format: v1.3\nAlgorit"..., 4096) = 187
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
open("./Kexample.com.+013+01592.key", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=396, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "; This is a key-signing key, key"..., 4096) = 396
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
open("./Kexample.com.+013+01592.private", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=212, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(4, "Private-key-format: v1.3\nAlgorit"..., 4096) = 212
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
futex(0x7ff909debc20, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("tmp-AMS4f8eFN4", O_RDWR|O_CREAT|O_EXCL, 0666) = 4
fcntl(4, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
write(4, "example.com.\t\tIN DS 1592 13 1 E"..., 169) = 169
fstat(4, {st_mode=S_IFREG|0644, st_size=169, ...}) = 0
fsync(4) = 0
close(4) = 0
munmap(0x7ff90a00c000, 4096) = 0
rename("tmp-AMS4f8eFN4", "dsset-example.com.") = 0
write(2, "dnssec-signzone: debug 1: delete"..., 80) = 80
write(2, "dnssec-signzone: debug 1: callin"..., 48) = 48
write(2, "dnssec-signzone: debug 1: done f"..., 45) = 45
open("tmp-R1zCGr5u5F", O_RDWR|O_CREAT|O_EXCL, 0666) = 4
fcntl(4, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
fstat(5, {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
read(5, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n\0\0\0\n\0\0\0\0"..., 4096) = 2944
lseek(5, -1877, SEEK_CUR) = 1067
read(5, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\0\0\f\0\0\0\0"..., 4096) = 1877
close(5) = 0
munmap(0x7ff90a00c000, 4096) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff90a00c000
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff905de0000
mprotect(0x7ff905de0000, 4096, PROT_NONE) = 0
clone(child_stack=0x7ff9065dfeb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7ff9065e09d0, tls=0x7ff9065e0700, child_tidptr=0x7ff9065e09d0) = 2979
open("/proc/self/task/2979/comm", O_RDWR) = 5
write(5, "isc-worker0000", 14) = 14
close(5) = 0
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff9055df000
mprotect(0x7ff9055df000, 4096, PROT_NONE) = 0
clone(child_stack=0x7ff905ddeeb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7ff905ddf9d0, tls=0x7ff905ddf700, child_tidptr=0x7ff905ddf9d0) = 2980
open("/proc/self/task/2980/comm", O_RDWR) = 5
write(5, "isc-worker0001", 14) = 14
close(5) = 0
write(2, "dnssec-signzone: ", 17) = 17
write(2, "no existing signatures for examp"..., 45) = 45
write(2, "dnssec-signzone: ", 17) = 17
write(2, "example.com/NSEC:\n", 19) = 19
write(2, "dnssec-signzone: ", 17) = 17
write(2, "\tsigning with dnskey examples.co"..., 56) = 56
read(3, 0x7fff04db22e0, 32) = -1 EAGAIN (Hulpbron is tijdelijk onbeschikbaar)
select(4, [3], [], NULL, NULL <unfinished ...>) = ?
+++ killed by SIGKILL +++
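The trace above ends with the main thread blocked in select() on fd 3 after a read() on that descriptor returned EAGAIN, and the open() that produced fd 3 is not in the captured tail, so the excerpt alone cannot say what fd 3 is. The helper below is an added triage example for this issue, not code from BIND or from the reporter: `run_with_timeout` runs a command (for example the dnssec-signzone invocation from the steps to reproduce) under a timeout so a hang is reported instead of blocking the shell, and `triage_strace` reads an `strace -o` file, tracks open()/close() to name descriptors, and reports the last syscall together with the descriptors it was waiting on. `SAMPLE_STRACE` is a constructed excerpt modelled on the trace in this report; the function names are this example's own.

```python
"""Triage a hang like the dnssec-signzone one above: run the command under a
timeout and, when it hangs, read an 'strace -o' file to find the syscall it
was blocked in, the descriptors that syscall waited on and, where the excerpt
shows the open(), what each descriptor refers to.
Added example for this issue; not code from BIND or from the reporter."""
import re
import subprocess

# One strace line: optional pid prefix (strace -f), syscall name, argument text.
_LINE_RE = re.compile(r"^(?:\d+\s+)?(?:\[pid\s+\d+\]\s+)?([a-z_0-9]+)\((.*)$")
# Argument tail of open()/openat(): quoted path ... ') = <fd>'
_OPEN_RE = re.compile(r'^(?:AT_FDCWD, )?"([^"]*)".*\)\s*=\s*(\d+)\s*$')
_FDSET_RE = re.compile(r"\[([0-9 ,]*)\]")          # select() fd sets, e.g. [3]
_KILLED_RE = re.compile(r"\+\+\+ killed by (\w+) \+\+\+")
_UNFINISHED_RE = re.compile(r"\s*<unfinished \.\.\.>.*$")
UNKNOWN_ORIGIN = "opened before the captured excerpt"


def _waited_fds(name, args):
    """Descriptors a blocking call waits on, taken from its argument text."""
    if name in ("select", "_newselect", "pselect6"):
        fds = set()
        for group in _FDSET_RE.findall(args):
            fds.update(int(x) for x in group.replace(",", " ").split())
        return sorted(fds)
    if name in ("poll", "ppoll"):
        return sorted({int(x) for x in re.findall(r"fd=(\d+)", args)})
    m = re.match(r"(\d+)", args)                   # read(3, ...), recvfrom(5, ...)
    return [int(m.group(1))] if m else []


def triage_strace(text):
    """Describe the last syscall of an strace excerpt. Tracks open()/close()
    so a waited-on fd can be named when its open() is inside the excerpt."""
    fd_origin, last, killed_by = {}, None, None
    for line in text.splitlines():
        k = _KILLED_RE.search(line)
        if k:
            killed_by = k.group(1)
        m = _LINE_RE.match(line.strip())
        if not m:
            continue                               # ') = ?', '--- SIG... ---', resumed lines
        name, args = m.groups()
        last = (name, args)
        if name in ("open", "openat"):
            o = _OPEN_RE.match(args)
            if o:
                fd_origin[int(o.group(2))] = o.group(1)
        elif name == "close":
            c = re.match(r"(\d+)", args)
            if c:
                fd_origin.pop(int(c.group(1)), None)
    if last is None:
        return None
    name, args = last
    return {
        "syscall": name,
        "args": _UNFINISHED_RE.sub("", args).split(")")[0].strip(),
        "waiting_on": {fd: fd_origin.get(fd, UNKNOWN_ORIGIN) for fd in _waited_fds(name, args)},
        "killed_by": killed_by,
    }


def run_with_timeout(argv, timeout_s, strace_out=None):
    """Run argv, optionally under 'strace -f -o strace_out' (-f also follows
    the isc-worker threads that dnssec-signzone clone()s). Returns 'ok',
    'failed' or 'hang'; on a hang subprocess.run() kills the child it started."""
    cmd = (["strace", "-f", "-o", strace_out] if strace_out else []) + list(argv)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "hang"
    return "ok" if proc.returncode == 0 else "failed"


# Constructed excerpt modelled on the tail of the trace in this report.
SAMPLE_STRACE = r"""open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 4
read(4, "0\n", 8192) = 2
close(4) = 0
open("example.com", O_RDONLY) = 4
open("Kexample.com.+013+01592.key", O_RDONLY) = 5
close(5) = 0
close(4) = 0
write(2, "\tsigning with dnskey example.com"..., 56) = 56
read(3, 0x7fff04db22e0, 32) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], [], NULL, NULL <unfinished ...>
) = ?
+++ killed by SIGKILL +++
"""

if __name__ == "__main__":
    r = triage_strace(SAMPLE_STRACE)
    print(f"blocked in {r['syscall']}({r['args']}), terminated by {r['killed_by']}")
    for fd, origin in r["waiting_on"].items():
        print(f"  fd {fd}: {origin}")
```

Two points when using this on the real reproduction: the trace in the report was taken without `-f`, so it shows the two isc-worker threads being created but nothing of what they do; `strace -f` records them as well, which shows whether the workers are idle while the main thread waits. And if the process is traced, killing strace on timeout detaches it and leaves the signer running, so kill the signer itself too. To name fd 3, capture the trace from process start rather than only its tail, so the open() of that descriptor is in the file.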
Possible fixes
none yet.