[nsd-users] NSD 4.2.0 intermittent segfaults @ libssl ?

A. Schulze sca at andreasschulze.de
Tue Jun 11 17:54:30 UTC 2019



On 11.06.19 at 18:02, PGNet Dev wrote:
> I just bumped NSD
> 
> 	nsd -v
> 		NSD version 4.2.0
> 
> on a linux64 VM.
> 
> On axfrs, I'm seeing segfaults in libssl
> 
> 	Jun 11 08:53:24 ns03 nsd[12296]: axfr for example1.com. from 109.74.194.10
> 	Jun 11 08:53:24 ns03 kernel: [35762.840704] nsd[12296]: segfault at 560244acb618 ip 00007fefedb81406 sp 00007ffe6c552ac0 error 7 in libssl.so.1.1[7fefedb43000+86000]
> 	Jun 11 08:53:24 ns03 nsd[12246]: server 12296 died unexpectedly, restarting
> 	Jun 11 08:53:24 ns03 nsd[12225]: [2019-06-11 08:53:24.960] nsd[12246]: warning: server 12296 died unexpectedly, restarting
> 	Jun 11 08:53:25 ns03 nsd[12246]: process 12296 terminated with status 139
> 	Jun 11 08:53:25 ns03 nsd[12225]: [2019-06-11 08:53:25.030] nsd[12246]: warning: process 12296 terminated with status 139
> 	Jun 11 08:53:25 ns03 nsd[12297]: axfr for example2.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 nsd[12225]: [2019-06-11 08:53:25.557] nsd[12297]: info: axfr for example2.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 nsd[12225]: [2019-06-11 08:53:25.557] nsd[12297]: info: axfr for example3.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 nsd[12297]: axfr for example3.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 nsd[12297]: axfr for example4.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 nsd[12225]: [2019-06-11 08:53:25.565] nsd[12297]: info: axfr for example4.com. from 207.192.70.10
> 	Jun 11 08:53:25 ns03 kernel: [35763.583172] nsd[12297]: segfault at 560244acb618 ip 00007fefedb81406 sp 00007ffe6c552ac0 error 7 in libssl.so.1.1[7fefedb43000+86000]
> 
> Note, *NOT* on every axfr; some seem to work.
> 
> Just starting to troubleshoot here ...
> 
> Any obvious issues that are already known that might cause this?

Hello "PGNet Dev"

now, as you ask:

I saw similar messages before I updated from 4.1.27 to 4.2.0
And now, as you mentioned that issue, I also found the segfault message :-)

From what I see, something bad must happen *after* AXFR is completed.

 - I see no warning/error on the consumer side
 - I don't use TLS for AXFR
 - it happened also on 4.1.27
 - I can't reproduce in a lab environment
 - none of my users asked me that they miss something

BTW: There is a draft ¹) "Message Digest for DNS Zones" to prove a transferred zone was received complete

I've added ²) the ldns-zone-digest tool in my ldns instance and can create and verify zone files.
Unfortunately not in this particular installation :-/
Would be helpful if nsd could check such ZONEMD if available

Andreas


¹) https://tools.ietf.org/html/draft-wessels-dns-zone-digest-06
²) https://open.nlnetlabs.nl/pipermail/ldns-users/2018-November/000934.html
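
For triaging the kernel segfault lines quoted above, this added example (not part of the original posts and not NSD code) decodes the x86 page-fault error code, computes the faulting instruction's offset inside the libssl mapping, and maps the exit status to a signal. The function names are hypothetical, and it assumes the Linux x86 `segfault at ... error N in obj[base+size]` line format.

```python
import re
import signal

# Log lines copied from the quoted report above (Linux x86 kernel format).
SAMPLE = """\
Jun 11 08:53:24 ns03 kernel: [35762.840704] nsd[12296]: segfault at 560244acb618 ip 00007fefedb81406 sp 00007ffe6c552ac0 error 7 in libssl.so.1.1[7fefedb43000+86000]
Jun 11 08:53:25 ns03 nsd[12246]: process 12296 terminated with status 139
"""

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
STATUS_RE = re.compile(r"process (?P<pid>\d+) terminated with status (?P<st>\d+)")

def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }

def triage(log_text):
    """Return {pid: crash details} for every segfault line in log_text."""
    crashes = {}
    for line in log_text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            entry = {"fault_addr": int(m["addr"], 16)}
            entry.update(decode_error(int(m["err"], 16)))
            if m["obj"]:
                # Offset is relative to the start of the mapping; add the
                # mapping's file offset (if nonzero) before symbolizing.
                off = int(m["ip"], 16) - int(m["base"], 16)
                entry.update(object=m["obj"], offset=off,
                             ip_in_mapping=0 <= off < int(m["size"], 16))
            crashes[int(m["pid"])] = entry
            continue
        m = STATUS_RE.search(line)
        if m and int(m["pid"]) in crashes:
            # Low 7 bits give the signal for a raw wait status and for 128+N.
            crashes[int(m["pid"])]["signal"] = signal.Signals(int(m["st"]) & 0x7F).name
    return crashes

if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        print(pid, info)
```

The resulting offset can be resolved against the exact libssl build (with its debug symbols) using a tool such as `addr2line`.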


