[RPZ] 9.9.3-rpz2+rl.150.20 fails to launch "due to assertion failure"
darx+dnsrpz at sent.com
Fri May 31 02:54:17 UTC 2013
hi vernon,

On Thu, May 30, 2013, at 06:38 PM, Vernon Schryver wrote:
> Can you share the response-policy{} and rate-limit{} statements from
> the named.conf (or whatever) file?

sure:

acl rpz_sh { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
masters rpz_sh { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
...
response-policy {
    zone "rpz-whitelist.local" policy PASSTHRU;
    zone "rpz.local";
    zone "rpz.spamhaus.org";
    zone "drop.rpz.spamhaus.org";
};
zone "rpz-whitelist.local" IN {
    type master; file "/namedb/master/rpz.whitelist.local.zone";
    allow-query { localhost; };
    allow-transfer { none; };
};
zone "rpz.local" IN {
    type master; file "/namedb/master/rpz.local.zone";
    allow-query { localhost; };
    allow-transfer { none; };
};
zone "rpz.spamhaus.org" IN {
    type slave; file "/namedb/slave/rpz.spamhaus.org.zone";
    masters { rpz_sh; }; allow-notify { rpz_sh; };
    allow-query { localhost; };
    request-ixfr yes;
    notify no;
};
zone "drop.rpz.spamhaus.org" IN {
    type slave; file "/namedb/slave/drop.rpz.spamhaus.org.zone";
    masters { rpz_sh; }; allow-notify { rpz_sh; };
    allow-query { localhost; };
    request-ixfr yes;
    notify no;
};

> In other words, could the `named` program that tried to start be other
> than the patched version?

nope.
there's only one named bin on the box -- this one I've built. not even
a distro-installed instance.

> Does `named -V` say something like "9.9.3-rpz2+rl.150.20"?
> What are the ./configure options disclosed by `named -V`?

named -V
BIND 9.9.3-rpz2+rl.150.20 (Extended Support Version)
<id:d281b394> built with '--prefix=/usr/local'
'--bindir=/usr/local/bin' '--sbindir=/usr/local/sbin'
'--sysconfdir=/usr/local/etc/named' '--localstatedir=/var'
'--libdir=/usr/local/lib64'
'--includedir=/usr/local/include/bind'
'--mandir=/usr/local/share/man'
'--infodir=/usr/local/share/info' '--enable-shared'
'--disable-static' '--enable-chroot' '--enable-ipv6'
'--with-libxml2=yes' '--with-libtool' '--without-idn'
'--enable-threads' '--enable-largefile'
'--with-randomdev=/dev/urandom' '--enable-openssl-version-check'
'--disable-openssl-hash' '--with-openssl=/usr/local/ssl'
'--without-pkcs11' '--with-dlz-postgres=no'
'--with-dlz-mysql=no' '--with-dlz-bdb=/usr/local/dlz-bdb'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=no'
'--with-dlz-odbc=no' '--with-dlz-stub=yes' '--with-dlopen=yes'
'--enable-rpz-nsip' '--enable-rpz-nsdname' '--with-make-clean'
'CC=/usr/bin/gcc-4.8' 'CFLAGS=-O2 -fmessage-length=0
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -march=atom -mtune=atom -fPIC -DPIC
-D_GNU_SOURCE -fno-strict-aliasing -Wall'
'LDFLAGS=-L/usr/local/ssl/lib64 -Wl,-rpath,/usr/local/ssl/lib64
-lssl -lcrypto ' 'CPPFLAGS=-I/usr/local/include
-I/usr/local/ssl/include -I/usr/include'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.9.0

> Is there a stack trace in a named.run file somewhere?

not that I can find ...

> ISC has instructions on how to get and submit core files at
> https://kb.isc.org/article/AA-00340/0/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html

I'll read up, and see if I can get a core dump.

darx