DNS Problem - host not found: (SERVFAIL)

Discussion in 'Installation/Configuration' started by djesys, Jul 5, 2022.

  1. djesys

    djesys Member

    nope, still "WARNING - DNSSEC ERROR: We are low on entropy. Not generating new Keys for counter.party. Please consider installing package haveged."

    looking right now into /usr/lib/systemd/system/haveged.service for configuration of haveged.

    Should I install a GUI to allow for more entropy ? Talking of a workaround....
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the entropy is fine if the value in /proc/sys/kernel/random/entropy_avail is higher than 200. I wonder why ISPConfig still reports it as being too low. Maybe you should consider creating the zone without DNSSEC signing for now as a workaround.

    Is this server a virtual server, and if yes, which virtualization do you use?
     
  3. djesys

    djesys Member

    Disabling DNSSEC did the trick!!
    named.conf.local is now written and likely all tests will succeed now.
    My hoster says it is KVM.

    Thanks a bunch for your time !!

    PS: Maybe increasing the entropy pool size would make it work.

    It seems it is capped at 256.

    Code:
    more /proc/sys/kernel/random/poolsize
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    KVM virtualization is fine.

    As I mentioned earlier, that's fine. ISPConfig tests if the entropy is below 200.

    Please create a file /tmp/test.php with this content:

    Code:
    <?php
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) echo "entropy too low\n";
    echo file_get_contents('/proc/sys/kernel/random/entropy_avail');
    
    then run:

    php /tmp/test.php

    and post the result.
     
  5. djesys

    djesys Member

    Code:
    root@b0x:/home/djesys# cat /tmp/test.php
    <?php
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) echo "entropy too low\n";
    echo file_get_contents('/proc/sys/kernel/random/entropy_avail');
    root@b0x:/home/djesys# php /tmp/test.php
    256
    root@b0x:/home/djesys#
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, ok. So the if part used in the ISPConfig BIND plugin works, which is:
    Code:
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
        $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
        echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
        return false;
    }
    So I'm a bit out of ideas how you can still get that error message, as entropy is fine and the code used to detect it seems to work on your system too.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Maybe something is draining entropy quickly while server.sh runs? See if 'echo 4096 > /proc/sys/kernel/random/poolsize' changes anything.
     
  8. buhler

    buhler Member

    The problem is that the BIND plugin in ISPConfig will test if entropy is less than 400.
    ISPConfig is not recognizing haveged as installed.
    Debian changed entropy to 256 by default.
    Operating system: Debian buster
     
    Last edited: Jul 23, 2022
    holykim, Steini86 and till like this.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You're right, the entropy test in ISPConfig BIND plugin is inconsistent. There is one test for entropy 200 (which I posted) and another one for entropy 400. I've added an issue report in our bug tracker.
     
    buhler and Steini86 like this.
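
The mismatch confirmed above (one check against 200, another against 400, on a system whose pool size reads 256) can be found mechanically. This is an added example, not code from the thread or from ISPConfig: it pulls every entropy_avail threshold out of PHP source and flags any that exceed the pool size, since entropy_avail never reports more than poolsize and such a check fails however much entropy is available. The function names are hypothetical, and the second sample line (400) is constructed from the description in the thread.

```shell
#!/bin/sh
# Added example: audit entropy_avail thresholds against the kernel pool size.

# Constructed sample input. Line 1 is the check quoted in the thread,
# line 2 is modelled on the second check (400) described there.
sample_source() {
    cat <<'EOF'
if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
EOF
}

# Read PHP source on stdin; print each integer that entropy_avail is
# compared against with "<", one per line, sorted and de-duplicated.
list_thresholds() {
    grep -o "entropy_avail')[[:space:]]*<[[:space:]]*[0-9][0-9]*" \
        | sed 's/.*<[[:space:]]*//' \
        | sort -n -u
}

# classify_threshold THRESHOLD POOLSIZE AVAIL
#   unreachable: THRESHOLD > POOLSIZE, so "avail < threshold" is always true
#   low:         the check can pass, but AVAIL is currently below THRESHOLD
#   ok:          AVAIL currently satisfies the check
classify_threshold() {
    if [ "$1" -gt "$2" ]; then
        echo unreachable
    elif [ "$3" -lt "$1" ]; then
        echo low
    else
        echo ok
    fi
}

# report POOLSIZE AVAIL: read PHP source on stdin, print "<threshold> <verdict>".
report() {
    list_thresholds | while read -r t; do
        printf '%s %s\n' "$t" "$(classify_threshold "$t" "$1" "$2")"
    done
}

# Use live kernel values where present, else the 256 reported in the thread.
poolsize=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null || echo 256)
avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 256)
sample_source | report "$poolsize" "$avail"
```

To audit real code, pipe the PHP file to be checked into `report` in place of `sample_source`.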
  10. buhler

    buhler Member

    thanks
     
  11. KoS

    KoS Member HowtoForge Supporter

  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The fix has already been implemented and is available in the dev channel and daily builds; it will be part of the upcoming 3.2.9 release.
     
    holykim and KoS like this.
