Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Lots of "RSA_verify failed" after upgrade to 9.7.7

297 views
Skip to first unread message

Peter Olsson

unread,
Nov 5, 2012, 4:28:13 AM11/5/12
to bind-...@lists.isc.org
Yesterday I upgraded our slave DNS (running FreeBSD 7.4)
from bind 9.7.6.4 to 9.7.7. The server uses bind97 from
ports.

After that upgrade I get lots of these in syslog:

RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:

I have never seen these before.
I tried Google but got no recent results.
Anyone know what this means and how to get rid
of these errors?

Thanks!

Peter Olsson

Mark Andrews

unread,
Nov 5, 2012, 5:21:36 AM11/5/12
to Peter Olsson, bind-...@isc.org

In message <20121105092...@pol-server.leissner.se>, Peter Olsson writes
:
Ignore them. They will be addressed in the next maintenance release.

> Thanks!
>
> Peter Olsson
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Matus UHLAR - fantomas

unread,
Nov 11, 2012, 1:40:47 PM11/11/12
to bind-...@lists.isc.org
>In message <20121105092...@pol-server.leissner.se>, Peter Olsson writes
>> Yesterday I upgraded our slave DNS (running FreeBSD 7.4)
>> from bind 9.7.6.4 to 9.7.7. The server uses bind97 from
>> ports.
>>
>> After that upgrade I get lots of these in syslog:
>>
>> RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/s
>> rc/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:
>>
>> I have never seen these before.
>> I tried Google but got no recent results.
>> Anyone know what this means and how to get rid
>> of these errors?

On 05.11.12 21:21, Mark Andrews wrote:
>Ignore them. They will be addressed in the next maintenance release.

But not for 9.7, since 9.7 is EOL since november 2012. Correct?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.

Evan Hunt

unread,
Nov 11, 2012, 1:46:26 PM11/11/12
to bind-...@lists.isc.org
> But not for 9.7, since 9.7 is EOL since november 2012. Correct?

Yes, that's correct.

If you're stuck on 9.7 for the time being, you can silence
the RSA_verify warnings with the change I mentioned in
http://www.mail-archive.com/bind-...@lists.isc.org/msg14747.html

(It's not the fix we used for the maintenance release, but
it'll serve.)

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Noel Butler

unread,
Mar 31, 2013, 11:25:22 PM3/31/13
to bind-...@lists.isc.org
On Mon, 2012-11-05 at 21:21 +1100, Mark Andrews wrote:


Ignore them.  They will be addressed in the next maintenance release.

it was, but now seems to have reared its ugly head again in 9.9.2-p2

Apr  1 12:20:35 fox named[589]: RSA_verify failed
Apr  1 12:20:35 fox named[589]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Apr  1 12:20:35 fox named[589]: RSA_verify failed
Apr  1 12:20:35 fox named[589]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:

signature.asc

Mark Andrews

unread,
Apr 1, 2013, 12:03:47 AM4/1/13
to Noel Butler, bind-...@isc.org
BIND 9.7.7 and BIND 9.9.2 were both released at the same time (Oct
9, 2012).

BIND 9.9.2-P1 and BIND 9.9.2-P2 are security releases.

The betas of the next maintenance release 9.9.3b1 and 9.9.3b2
contain the fix.

Mark

Noel Butler

unread,
Apr 1, 2013, 2:14:46 AM4/1/13
to Mark Andrews, bind-...@isc.org
On Mon, 2013-04-01 at 15:03 +1100, Mark Andrews wrote: 
In message <1364786722.6226.2.camel@tardis>, Noel Butler writes:
> 
> On Mon, 2012-11-05 at 21:21 +1100, Mark Andrews wrote:
> 
> 
> > 
> > Ignore them.  They will be addressed in the next maintenance release.
> >  
> 
> 
> it was, but now seems to have reared its ugly head again in 9.9.2-p2
> 
> Apr  1 12:20:35 fox named[589]: RSA_verify failed
> Apr  1 12:20:35 fox named[589]: error:04077068:rsa
> routines:RSA_verify:bad signature:rsa_sign.c:263:
> Apr  1 12:20:35 fox named[589]: RSA_verify failed
> Apr  1 12:20:35 fox named[589]: error:04077068:rsa
> routines:RSA_verify:bad signature:rsa_sign.c:263:

BIND 9.7.7 and BIND 9.9.2 were both released at the same time (Oct
9, 2012).

BIND 9.9.2-P1 and BIND 9.9.2-P2 are security releases.

The betas of the next maintenance release 9.9.3b1 and 9.9.3b2
contain the fix.

Using 9.9.3b3 on one nameserver now, yes all seems good
Have always used the latest version, applied a patch you gave me earlier, could of sworn it was fixed, unless I applied two patches and didnt think about second one. If b3 remains stable after a few days I'll throw it on main production.

Cheers


signature.asc
0 new messages