PRNG not seeded, service won't start


Howard, Christopher

Sep 17, 2018, 7:12:07 PM
to bind-...@lists.isc.org
I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue on CentOS 7 and was able to fix it by making sure that rngd is running before the named service starts. That same fix is not working for CentOS 6. I'm at a loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does anyone have any ideas of what I'm missing or what I can do to resolve this (besides upgrading this box to CentOS 7)?

-Christopher

Alberto Colosi

Sep 18, 2018, 3:36:17 AM
to bind-...@lists.isc.org

Are your compiler and libs updated?





From: bind-users <bind-user...@lists.isc.org> on behalf of Howard, Christopher <Christoph...@utc.edu>
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-...@lists.isc.org
Subject: PRNG not seeded, service won't start
 

Alberto Colosi

Sep 18, 2018, 3:52:37 AM
to bind-...@lists.isc.org

On the Internet, this is likely to be linked to random seed generation.

Check:


# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom

Tony Finch

Sep 18, 2018, 4:34:01 AM
to Howard, Christopher, bind-...@lists.isc.org
Howard, Christopher <Christoph...@utc.edu> wrote:

> Does anyone have any ideas of what I'm missing or what I can do to
> resolve this (besides upgrading this box to CentOS 7)?

Try setting `random-device "/dev/urandom";` in `named.conf`.

See https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Trafalgar: Variable 3 in northwest, otherwise northerly 4 or 5. Slight or
moderate, occasionally rough in north until later. Fair. Good.

Howard, Christopher

Sep 18, 2018, 9:41:37 AM
to h.re...@thelounge.net, bind-...@lists.isc.org
I've tried this one. It doesn't work. There is plenty of entropy on the box, but it still won't start with the same error.

-Christopher


On Tue, 2018-09-18 at 01:22 +0200, Reindl Harald wrote:
https://wiki.archlinux.org/index.php/Haveged

On 18.09.18 at 01:11, Howard, Christopher wrote:
I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the
service refuses to start. This is on a CentOS 6.10 machine. I ran into
the same issue on CentOS 7 and was able to fix it by making sure that
rngd is running before the named service starts. That same fix is not
working for CentOS 6. I'm at a loss as to how to fix this and Google is
failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator
cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Howard, Christopher

Sep 18, 2018, 9:42:58 AM
to al...@hotmail.com, bind-...@lists.isc.org
Those are both good. Recent versions of bind are now using OpenSSL for random number generation and not /dev/random or /dev/urandom. Since the old version still works the /dev devices are obviously working.

-Christopher


On Tue, 2018-09-18 at 07:52 +0000, Alberto Colosi wrote:

On the Internet, this is likely to be linked to random seed generation.

Check:


# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom




From: bind-users <bind-user...@lists.isc.org> on behalf of Howard, Christopher <Christoph...@utc.edu>
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-...@lists.isc.org
Subject: PRNG not seeded, service won't start
 
I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue on CentOS 7 and was able to fix it by making sure that rngd is running before the named service starts. That same fix is not working for CentOS 6. I'm at a loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does anyone have any ideas of what I'm missing or what I can do to resolve this (besides upgrading this box to CentOS 7)?

-Christopher

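The checks made by hand in the thread so far (the device nodes, the `random-device` setting, the entropy pool, OpenSSL's seeded state) gathered into one script. This is an added example, not part of the thread and not BIND code; the function names and the sample `named.conf` are constructed for illustration, and the `/proc` path assumes Linux.

```python
import os
import re
import ssl
import stat

# Constructed sample; on a real host pass in the named.conf that named loads.
SAMPLE_NAMED_CONF = '''
options {
    directory "/var/named";
    // random-device "/dev/random";
    random-device "/dev/urandom";   # the setting suggested in the thread
};
'''

def random_device_setting(conf_text):
    """Return the random-device path from named.conf text, ignoring // and # comments."""
    text = re.sub(r"(//|#).*", "", conf_text)
    m = re.search(r'\brandom-device\s+"([^"]+)"\s*;', text)
    return m.group(1) if m else None

def device_state(path):
    """Return 'ok' or the reason a random device node is unusable."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return exc.strerror
    if not stat.S_ISCHR(mode):
        return "not a character device"
    return "ok" if os.access(path, os.R_OK) else "not readable"

def kernel_entropy(path="/proc/sys/kernel/random/entropy_avail"):
    """Kernel entropy estimate in bits, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return None

def report(conf_text):
    """Collect the checks the posters ran by hand into one dict."""
    configured = random_device_setting(conf_text)
    paths = sorted({"/dev/random", "/dev/urandom", configured} - {None})
    return {
        "random_device": configured,
        "devices": {p: device_state(p) for p in paths},
        "entropy_avail": kernel_entropy(),
        # State of the OpenSSL linked into this Python process, not named's.
        "openssl_seeded": bool(ssl.RAND_status()),
    }
```

A clean report rules out the host-level causes checked in the thread; it does not show that the OpenSSL build linked into `named` can seed itself, so run it as the same user and in the same environment as the service.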

Howard, Christopher

Sep 18, 2018, 9:44:29 AM
to d...@dotat.at, bind-...@lists.isc.org
I found that link previously and tried it. It didn't complain about that not being a valid setting, but it didn't change the outcome. I'm beginning to believe I may just have to upgrade to CentOS 7. It needs to be done at some point anyway, I just didn't want to do it now.

-Christopher


On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:
Howard, Christopher <Christoph...@utc.edu> wrote:

Does anyone have any ideas of what I'm missing or what I can do to
resolve this (besides upgrading this box to CentOS 7)?


Howard, Christopher

Sep 20, 2018, 2:27:12 PM
to h.re...@thelounge.net, d...@dotat.at, bind-...@lists.isc.org
I'm not the only one! Whew, I thought I was losing my mind.

I have rngd and haveged running and there is a large pool of entropy and I still can't get newer versions of bind to start. Very frustrating.

-Christopher


On Thu, 2018-09-20 at 20:14 +0200, Reindl Harald wrote:
OK, this is *really* foolish

on a heavily used machine with 2 days uptime, rngd and haveged there is
*for sure* enough random

bind-9.11.4-8.P1.fc28.x86_64 just found on Fedora koji

Sep 20 20:08:17 srv-rhsoft named[988479]:
../../../lib/dns/openssl_link.c:294: fatal error:
Sep 20 20:08:17 srv-rhsoft named[988479]: OpenSSL pseudorandom number
generator cannot be initialized (see the `PRNG not seeded' message in
the OpenSSL FAQ)
Sep 20 20:08:17 srv-rhsoft named[988479]: exiting (due to fatal error in
library)

who the hell does such invasive, obviously not properly tested changes in
minor updates?

On 18.09.18 at 15:44, Howard, Christopher wrote:
I found that link previously and tried it. It didn't complain about that
not being a valid setting, but it didn't change the outcome. I'm
beginning to believe I may just have to upgrade to CentOS 7. It needs to
be done at some point anyway, I just didn't want to do it now.

-Christopher


On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:

Howard, Christopher

Sep 20, 2018, 10:33:44 PM
to Reindl Harald, bind-...@lists.isc.org
I’ve downgraded as well, but at some point the last working version will be end of life. Hopefully you get somewhere with your bug report.

-Christopher

On Sep 20, 2018, at 3:02 PM, Reindl Harald <h.re...@thelounge.net> wrote:

well, i just downgraded since it's a resolver without dnssec at all

https://bugzilla.redhat.com/show_bug.cgi?id=1631515

On 20.09.18 at 20:27, Howard, Christopher wrote: