Under opendnssec processing load, bind9 segfaults under v 4.10.2. The
only mitigation was to add a systemd restart override.
Details here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4533
Coredumps available.
The ISC devs closed the issue with this comment:
"Yeah, SoftHSM2 is pretty much broken with OpenSSL 3. If you want this
to work, you need to compile both BIND 9 and SoftHSM2
with OpenSSL 1.1. (The worst you can do is to compile one with OpenSSL 3
and the second with OpenSSL 1.1, SoftHSM2 leaks symbols into the address space.)
There’s also a libnss file provider that can be used as an alternative. But
combining old and new will not work here. SoftHSM2 is basically
unmaintained as of now.
There’s nothing we can do here on the BIND 9 side. There will be support for
OpenSSL 3 providers in future, but not in the version near EOL."
Looks like the freeipa team has some choices to make re:
named-bind/opendnssec/softhsm2/pkcs11/openssl !
Thanks
Harry