On Wed, Sep 27, 2017 at 05:51:31PM +0000, David Wolfskill wrote:
> On Wed, Sep 27, 2017 at 01:35:25PM -0400, Christopher Sean Hilton wrote:
> > I'm trying to configure bind 9.11 as a nameserver on FreeBSD
> > 11-STABLE. When the bind9 port compile it enables TCP_FASTOPEN but the
> > changes haven't yet been baked into the GENERIC Kernel. I can't find a
> > way to disable the use of TCP_FASTOPEN in bind at startup. Is the only
> > way to fix this problem to build a new kernel with TCP_FASTOPEN
> > enabled?
> >
> > -- Chris
> > ....
>
> I'm running bind99-9.9.11 (dns/bind99) on a couple systems running
> stable/11 (amd64; currently r323950). The kernels are (lightly)
> customized, based on GENERIC. I don't recall setting anything involving
> TCP_FASTOPEN on anything, and have used rndc without issue....
>
> Perhaps you could elaborate a bit on exactly what you are trying to do
> and how the system responds? (The systems in question run kernels that
> are built on a dedicated "build machine" -- which is presently powered
> off for the day. I can bring it up for a reality check, should that be
> wanted.)
>
Good afternoon David,

Thanks for the help! I'm running ports net/bind911 on FreeBSD
11-STABLE with the GENERIC kernel. When I start bind, I get this in my
logs:
Sep 27 13:16:13 alderaan named[30169]: starting BIND 9.11.2 <id:0a2b929>
Sep 27 13:16:13 alderaan named[30169]: running on FreeBSD amd64 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE #2 r321128: Tue Jul 18 11:30:08 EDT 2017 root at freebsd-mule:/usr/obj/usr/src/sys/GENERIC
Sep 27 13:16:13 alderaan named[30169]: built with '--localstatedir=/var'
'--disable-linux-caps' '--disable-symtable'
'--with-randomdev=/dev/random' '--with-libxml2=/usr/local'
'--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes'
'--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap'
'--disable-filter-aaaa' '--disable-fixed-rrset'
'--without-geoip' '--with-idn=/usr/local'
'--enable-ipv6' '--with-libjson' '--disable-largefile'
'--with-lmdb' '--without-python' '--disable-querytrace'
'--enable-rpz-nsdname' '--enable-rpz-nsip'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads'
'--without-gssapi' '--with-openssl=/usr'
'--disable-native-pkcs11' '--with-dlz-filesystem=yes'
'--without-gost' '--prefix=/usr/local'
'--mandir=/usr/local/man' '--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd11.0'
'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2
-pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include
-fno-strict-aliasing' 'LDFLAGS= -fstack-protector'
'LIBS=-L/usr/local/lib' 'CPPFLAGS=-D
Sep 27 13:16:13 alderaan named[30169]: running as: named -t /var/named -u bind -c /etc/namedb/named.conf
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: BIND 9 is maintained by Internet Systems Consortium,
Sep 27 13:16:13 alderaan named[30169]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 27 13:16:13 alderaan named[30169]: corporation. Support and training for BIND 9 are
Sep 27 13:16:13 alderaan named[30169]: available at https://www.isc.org/support
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(24, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel 127.0.0.1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel ::1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: all zones loaded
I haven't read the bind source code yet, but I'm assuming that the
inability to start rndc at 127.0.0.1#953 is related to the
TCP_FASTOPEN error in the log above. Google doesn't reveal much beyond
this thread:

https://forums.freebsd.org/threads/59367/

which talks about the problem and mentions one, and only one, solution:
rebuilding the kernel to support TCP_FASTOPEN.

That solution is kind of heavyweight for me. If you read more about
tcp_fastopen, you'll get indications that the code may be too green
right now to be enabled by default. Please pardon any file blunders
here; I'm at work, so it's not easy to research this completely. From
what I can see, though, the option id is defined in <socket/tcp.h>,
but it needs to be compiled in and then enabled via sysctl if you want
to actually use it.

I was hoping that bind had a runtime option to disable this feature, but I
can't find it anywhere. I'll look at the bind source code
tonight. I'll be hoping to find a config switch or something that can
turn TCP_FASTOPEN off even if the header files say that it's
available. If it's there, I'll submit a patch to the port's config to
toggle that switch at compile time.
--
Chris
__o "All I was trying to do was get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
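An added example, not BIND's or the FreeBSD port's code, showing the failure mode in the log above from the daemon's side: a C listener that tries setsockopt(TCP_FASTOPEN) and treats a kernel that was built without the option (ENOPROTOOPT, the errno behind "Protocol not available") as "run without TCP Fast Open" rather than as a fatal error, so the listener still comes up. The helper names, the queue length of 16, and the decision to treat EOPNOTSUPP the same way as ENOPROTOOPT are assumptions of this example.

```c
/* Added example (not BIND's or the port's code): probe TCP_FASTOPEN on a TCP
 * listener and degrade to plain TCP when the running kernel lacks the option. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum fastopen_status {
    FASTOPEN_ERROR = -1,      /* a real socket error: caller should fail */
    FASTOPEN_ENABLED = 0,     /* kernel accepted the option */
    FASTOPEN_UNSUPPORTED = 1  /* header defines it, kernel does not: keep going */
};

/* Try to enable TCP Fast Open with accept-queue length `qlen` on `fd`.
 * ENOPROTOOPT is the errno behind "Protocol not available" in the log above;
 * EOPNOTSUPP is treated the same way (an assumption of this example).
 * Both mean the kernel was built without the feature, which is not fatal. */
static enum fastopen_status try_enable_fastopen(int fd, int qlen)
{
#ifdef TCP_FASTOPEN
    if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) == 0)
        return FASTOPEN_ENABLED;
    if (errno == ENOPROTOOPT || errno == EOPNOTSUPP)
        return FASTOPEN_UNSUPPORTED;
    return FASTOPEN_ERROR;
#else
    /* The build headers do not even define the option: nothing to try. */
    (void)fd;
    (void)qlen;
    return FASTOPEN_UNSUPPORTED;
#endif
}

/* Create a loopback TCP listener on a kernel-chosen port, probe TCP Fast Open,
 * and return the probe result. The listener is set up whether or not TFO was
 * accepted; if `out_fd` is NULL the socket is closed before returning. */
static enum fastopen_status listener_probe(int *out_fd)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return FASTOPEN_ERROR;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(0);                      /* let the kernel pick a port */

    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) {
        close(fd);
        return FASTOPEN_ERROR;
    }

    /* 16 is an assumed queue length; a daemon would take it from its config. */
    enum fastopen_status st = try_enable_fastopen(fd, 16);
    if (st == FASTOPEN_ERROR || listen(fd, 16) != 0) {
        close(fd);
        return FASTOPEN_ERROR;
    }

    if (out_fd)
        *out_fd = fd;
    else
        close(fd);
    return st;
}

int main(void)
{
    int fd = -1;
    enum fastopen_status st = listener_probe(&fd);
    if (st == FASTOPEN_ERROR) {
        perror("listener_probe");
        return 1;
    }
    printf("listener up, TCP Fast Open %s\n",
           st == FASTOPEN_ENABLED ? "enabled"
                                  : "unsupported by this kernel (continuing)");
    close(fd);
    return 0;
}
```

On a kernel with the option compiled in the program reports "enabled"; on one like the GENERIC kernel described above it reports "unsupported" and still listens, which is the behaviour the log shows BIND 9.11.2 did not have at socket.c:5695. A bad descriptor (EBADF) is still reported as a real error, so the soft-failure path only covers the "option not available" case.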