[RPZ] 9.9.3-rpz2+rl.150.20 fails to launch "due to assertion failure"

Vernon Schryver vjs at rhyolite.com
Fri May 31 03:48:37 UTC 2013

> From: darx+dnsrpz at sent.com

> there's only one named bin on the box -- this one I've built.  not even
> a distro-installed instance.

What happened to the previous version?  In other words, have you checked
with `find / -name named` just to be absolutely certain?

I've assumed that the crash is consistent.  Is that true?

That named.conf file, with the response-policy{} statement wrapped
in options{}; does not crash for me.

> named -V
> 	BIND 9.9.3-rpz2+rl.150.20 (Extended Support Version)
> 	<id:d281b394> built with '--prefix=/usr/local'
> ...

I've not figured out all of those many ./configure settings, but their
number is worrisome.  I learned decades ago to change the absolute
minimum number of knobs and buttons and to try very hard to use the
defaults in any package.  You can hope that the defaults have been
smoke tested and are in use elsewhere.  The farther you get from the
defaults, the more likely that you are doing something unique and will
encounter unique problems.

> > Is there a stack trace in a named.run file somewhere?
> not that I can find ...

Is the named.run file missing or does it not contain a stack trace?
As the ARM says:
    channel default_debug {
	// write to named.run in the working directory
	// Note: stderr is used instead of "named.run" if
	// the server is started with the '-f' option.
	file "named.run";

    The default_debug channel has the special property that it only
    produces output when the server's debug level is nonzero. It
    normally writes to a file called named.run in the server's
    working directory.

> > https://kb.isc.org/article/AA-00340/0/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html
> I'll read up, and see if I can get a core dump.

The first thing the ISC people will ask is whether the crash happens
without the patch.  Because the named.conf fragment does not use any
RPZ features that are not in the unpatched 9.9.3 and does not mention
RRL, it looks as if that should not be a problem.

The RPZ tests are another thing to try:

   cd .../bin/tests/system
   su -c "sh ifconfig.sh up"
   sh run.sh rpz

There are also RRL tests that can be run by `sh run.sh rrl` after
the interfaces are set up with ifconfig.sh.


] From: darx+dnsrpz at sent.com

] i have been unable to get a core dump out of this thing. :-/
] or, it's hiding ...

I trust the stuff mentioned in the ISC KB article to enable core
dumps was tried.
There are also the permissions and ownership of the -t /var/chroot/named
directory.

Vernon Schryver    vjs at rhyolite.com
