[RPZ] 9.9.3-rpz2+rl.150.20 fails to launch "due to assertion failure"

Vernon Schryver vjs at rhyolite.com
Fri May 31 15:03:38 UTC 2013

> From: darx+dnsrpz at sent.com

> with BIND 9.9.3-rpz2+rl.150.20
> 	build/package

Exactly how was that done?  I'm not asking about all of the lines
of compiler output (although checking for error messages is necessary),
but the shell commands used.

> 	rpm -e --nodeps `rpm -qa | grep -i ^bind-9`
> 	rpm -ivh
> 	/usr/src/packages/RPMS/x86_64/bind-custom-993-1.x86_64.rpm
> 	rpm -qa | grep -i bind9
> 		bind-custom-993-1.x86_64

That is not what I would call an obsessive compulsive build.
I think an OCD-build would be:

  wget/fetch/curl/ftp/browser/whatever to fetch
     ftp://ftp.isc.org/isc/bind9/9.9.3/bind-9.9.3.tar.gz and
  expand the 9.9.3 tarball, perhaps into /tmp/foo/bind-9.9.3
     with `mkdir /tmp/foo; cd /tmp/foo; pax -rzf`
     or `cd /tmp/foo; gzcat bind-9.9.3.tar.gz | tar -xf -`
  cd /tmp/foo/bind-9.9.3
  patch -si .../rpz2+rl-9.9.3.patch
  ./configure ...
  mv /usr/local/sbin/named /usr/local/sbin/named.save
  cp /tmp/foo/bind-9.9.3/bin/named/named /usr/local/sbin

No previously fetched tarballs or build directories.  No build
system, package management, RPMs, or other avoidable complications.

> 	/usr/local/sbin/named -t /var/chroot/named -n 4 -S 1024 -u named
> 	-c /etc/named.conf -fd 10
> 		(no output)

-d10 produces lots of noise that should go somewhere.  Does your
named.conf send BIND some logging somewhere?

> 		2013-05-31T06:35:39.569490-07:00 core named[13402]:
> 		parser.c:2432: REQUIRE(prev > 0) failed

> 	cat bind-9.9.3/lib/isccfg/parser.c

> 2432        unsigned int refs;

It would be easier to believe that the line number machinery in BIND
is broken and/or the compiler is being too smart and that
/usr/local/sbin/named was built with bind-9.9.3/lib/isccfg/parser.c 
if line 2432 of the 9.9.2-P2 parser.c did not fit so well.  That
makes a build problem likely.

> > What happened with your problem with unpatched 9.9.3 reported in
> > https://lists.isc.org/pipermail/dnsrpz-interest/2013-May/000236.html 
> Not a lot ... yet.  I did find that the 'stuck' CPU occurs without fail
> ONLY if I'm launching 9.9.3 *AND* the systemd unit file is "enabled" for

Please don't be offended, but I see a common thread.  BIND 9.9.3
had pre-releases and reasonably extensive real world testing.  It's
possible that something in your named.conf and zone files is triggering
bugs during launch while things are simple and easy to debug.
It's possible that when I added "drop" and "client-ip" to the
response-policy{} grammar I broke something and only you see the
resulting crash.  However, the smart money would bet on build

Vernon Schryver    vjs at rhyolite.com
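
The line-number cross-check discussed in the message above, as an added example that is not part of the original post: it parses a "file:line: REQUIRE(expr) failed" log line and reports whether a given source tree really has that expression on that line, which is the quickest way to tell whether the running binary was built from the tree being inspected. The helper names check_assert_line and make_tree are hypothetical, and both sample trees are constructed; only the log line comes from the message.

```shell
#!/bin/sh
# Added example: does "file:line: REQUIRE(expr) failed" agree with a source tree?
# check_assert_line and make_tree are hypothetical helper names.

# check_assert_line <log line> <source root>
# Exit status: 0 = asserted expression is on that line, 1 = it is not,
# 2 = log line not parseable or file not found. The body is a subshell, so
# the variables stay local and `exit` only ends the function.
check_assert_line() (
    logline=$1 srcroot=$2
    parsed=$(printf ' %s\n' "$logline" | sed -n \
        's/.*[[:space:]]\([A-Za-z0-9_.-]*\.[ch]\):\([0-9][0-9]*\): [A-Z]*(\(.*\)) failed.*/\1|\2|\3/p')
    [ -n "$parsed" ] || { echo "UNPARSED: $logline"; exit 2; }
    file=${parsed%%|*}; rest=${parsed#*|}
    lineno=${rest%%|*}; expr=${rest#*|}
    paths=$(find "$srcroot" -type f -name "$file")
    [ -n "$paths" ] || { echo "NOTFOUND: $file under $srcroot"; exit 2; }
    status=1
    while IFS= read -r path; do
        actual=$(sed -n "${lineno}p" "$path")
        case $actual in
            *"$expr"*) echo "MATCH: $path:$lineno"; status=0 ;;
            *) echo "MISMATCH: $path:$lineno reads: $actual" ;;
        esac
    done <<EOF
$paths
EOF
    exit "$status"
)

# Constructed sample tree: parser.c whose line 2432 holds the given text.
make_tree() {
    mkdir -p "$1/lib/isccfg"
    awk -v text="$2" 'BEGIN { for (i = 1; i < 2432; i++) print "/* filler */"
                              print text }' > "$1/lib/isccfg/parser.c"
}

# Log line as quoted in the message; both trees below are constructed.
SAMPLE_LOG='2013-05-31T06:35:39.569490-07:00 core named[13402]: parser.c:2432: REQUIRE(prev > 0) failed'
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_tree "$work/matching" '    REQUIRE(prev > 0);'
make_tree "$work/other"    '    unsigned int refs;'
check_assert_line "$SAMPLE_LOG" "$work/matching" || true
check_assert_line "$SAMPLE_LOG" "$work/other" || true
```

A MISMATCH against the tree you believe you built from points at a stale binary or build directory rather than at the code on that line.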