Under opendnssec processing load, bind9 segfaults under v 4.10.2. The only mitigation was to add a systemd restart override.
Details here: https://gitlab.isc.org/isc-projects/bind9/-/issues/4533 Coredumps available.
The ISC devs closed the issue with this comment:
"Yeah, SoftHSM2 is pretty much broken with OpenSSL 3. If you want this to work, you need to compile both BIND 9 and SoftHSM2 with OpenSSL 1.1. (The worst you can do is to compile one with OpenSSL 3 and the second with OpenSSL 1.1, SoftHSM2 leaks symbols into the address space.)
There’s also a libnss file provider that can be used as an alternative. But combining old and new will not work here. SoftHSM2 is basically unmaintained as of now.
There’s nothing we can do here on the BIND 9 side. There will be support for OpenSSL 3 providers in future, but not in the version near EOL."
Looks like the freeipa team has some choices to make re: named-bind/opendnssec/softhsm2/pkcs11/openssl!
Thanks
Harry
freeipa-users@lists.fedorahosted.org