Marc Haber wrote:
> On Thu, Apr 14, 2016 at 10:43:52AM +0200, Thomas Leuxner wrote:
> > * Marc Haber <mh+debian-packa...@zugschlus.de> 2016.04.14 10:07:
> >
> > > Apr 14 10:05:32 fan named[8795]: ENGINE_by_id failed (crypto failure)
> > > Apr 14 10:05:32 fan named[8795]: error:25070067:DSO support
> > > routines:DSO_load:could not load the shared library:dso_lib.c:233:
> > > Apr 14 10:05:32 fan named[8795]: error:260B6084:engine
> > > routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
> > > Apr 14 10:05:32 fan named[8795]: error:2606A074:engine
> > > routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
> > > Apr 14 10:05:32 fan named[8795]: initializing DST: crypto failure
> > > Apr 14 10:05:32 fan named[8795]: exiting (due to fatal error)
> >
> > It tries to load an OpenSSL library which it can't find in a chroot
> > configuration. In your setup this may be mitigated by placing the library
> > in the chroot:
> >
> > /var/local/chroot/bind/usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines/libgost.so
>
> I consider this a bug. All other shared libraries get loaded before
> bind chroots itself. Placing a library inside the chroot will cause
> update issues since one needs to take manual care to update the
> in-chroot copy as well.

This looks similar to #696661. I would guess that named would not try to
load the OpenSSL GOST engine at all if BIND is configured and built with
--without-gost.

Given the very small number of domains that are DNSSEC signed with GOST
(compared even to RSA or ECDSA) and the problems that have to be patched
around that are caused by OpenSSL engines, I wonder if the Debian bind9
package should be built with --without-gost.

--
Robert Edmonds
edmo...@debian.org
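
The update problem raised in the quoted message (an in-chroot engine copy that silently falls behind the host library), as an added example that is not part of the original thread: a shell check that compares each host OpenSSL engine with its copy inside the BIND chroot. The host engine directory is an assumption derived by stripping the chroot prefix from the path quoted above; the function name `check_engine_drift` and its optional `HOST_ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example: detect drift between host OpenSSL engine libraries and the
# copies placed by hand inside a BIND chroot.
# Assumption: the host engine directory is the in-chroot path from the thread
# with the chroot prefix removed.
ENGINES_DEFAULT=/usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines

# check_engine_drift CHROOT [ENGINE_DIR] [HOST_ROOT]
# Prints one line per host engine library: OK, STALE or MISSING, followed by
# the in-chroot path. HOST_ROOT (hypothetical, default empty) lets the check
# run against a staged tree instead of the live filesystem.
# Returns 0 if every engine has an identical in-chroot copy, 1 if any copy is
# missing or differs, 2 if the host engine directory does not exist.
check_engine_drift() {
    chroot_dir=${1%/}
    engine_dir=${2:-$ENGINES_DEFAULT}
    engine_dir=${engine_dir%/}
    host_root=${3%/}
    status=0
    if [ ! -d "$host_root$engine_dir" ]; then
        echo "NOHOSTDIR $host_root$engine_dir"
        return 2
    fi
    for host_lib in "$host_root$engine_dir"/*.so; do
        [ -e "$host_lib" ] || continue          # glob matched nothing
        jail_lib=$chroot_dir$engine_dir/${host_lib##*/}
        if [ ! -f "$jail_lib" ]; then
            echo "MISSING $jail_lib"            # named would fail as in the log
            status=1
        elif ! cmp -s "$host_lib" "$jail_lib"; then
            echo "STALE $jail_lib"              # host was updated, copy was not
            status=1
        else
            echo "OK $jail_lib"
        fi
    done
    return $status
}

# Only touch real paths when a chroot is given on the command line, e.g.
#   sh check.sh /var/local/chroot/bind
if [ "$#" -ge 1 ]; then
    check_engine_drift "$1" "${2:-$ENGINES_DEFAULT}"
fi
```

Run from a package-manager hook or a periodic job, a non-zero exit flags that the in-chroot copy needs refreshing before named is restarted.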