Signing thread died during AXFR of signed domain #415

Closed
Habbie opened this Issue Apr 26, 2013 · 5 comments

@Habbie
Member
Habbie commented Apr 26, 2013

Hi, I have one master DNS and two slaves which serve clients. The master does the signing; the slaves AXFR presigned domains.

Sometimes, when a slave initiates an AXFR (or I make an AXFR via the dig utility), the CPU of the master pdns goes to 100% usage (sometimes 200-300%, depending on the number of AXFR requests) and the monitor mode console gets this error:

Signing thread died because of std::exception: Botan: Internal error: Self test failed: RSA private operation check failed

but after one (or more) restarts, the slaves got the domain successfully.

The signed domains are small - an AXFR contains only about 24 records, including the DNSSEC-related ones.

I did some tests. I tried dig AXFR for "domain1" repeatedly - without error. Then dig AXFR "domain2" - CPU goes to 100% usage and on the monitor console is "signing thread died.....". When I do an AXFR of "domain2" once more I get it without error, but CPU is still at 100%. I must restart the pdns process. After a restart, AXFRs are sometimes OK, sometimes not. I cannot find any clue as to why this error randomly appears.

The problem is that when CPU usage is about 260-300%, it doesn't serve any AXFR, including for non-signed domains. I have a 4-core CPU and distributor-threads=3.

System: FreeBSD 8.2-RELEASE-p2, PostgreSQL backend, Powerdns_3.0_1 from ports.

@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Author: ahu
Can you share the domain2 zone with us in unsigned form? You can send it privately to powerdns.support@netherlabs.nl

Thanks!

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Replying to [comment:1 ahu]:

> Can you share the domain2 zone with us in unsigned form? You can send it privately to powerdns.support@netherlabs.nl
>
> Thanks!

No problem, I will send it. But this error appears on every signed domain I serve (randomly).

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
One more piece of info: all zones have this configuration:

Zone has hashed NSEC3 semantics, configuration: 1 1 1 ab
Zone is not presigned
keys:
ID = x (KSK), tag = xxx, algo = 8, bits = 2048 Active: 1
ID = x (ZSK), tag = xxx, algo = 8, bits = 1024 Active: 1
ID = x (ZSK), tag = xxx, algo = 8, bits = 1024 Active: 0

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
The fix for this is to upgrade botan-1.8.xx to botan 1.10.1.

You have to patch the port botan 1.8.xx with this: http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2011-September/218784.htm

and change the botan section of the Makefile in the powerdns port as well.

// Patrik Bt aka failure (pb at osix dot eu)

PS: please test this more though, before closing this ticket. But it works for now...

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
The problem doesn't appear anymore after recompilation with botan 1.10.1.
Tested for 15 days now.

Thanks
