loss of masters over ipsec hoses bind
Mark_Andrews at isc.org
Sun Dec 23 02:57:48 UTC 2007
> I'm currently running Bind 9.4.1 (Ubuntu Gutsy). I have several zones
> in master->slave setups, which normally works just fine. The other
> day, however, I ran into an odd problem. A couple of the slave zones
> generally update over an ipsec connected network. The ipsec
> connection went away, and shortly thereafter bind royally wedged
> itself, refusing to serve any data (including basic forward lookups)
> and was not even responding to rndc restarts. It took me a good while
> of restarting the system and poking around logs to decide to strace
> the process, which eventually led me to removing the ipsec-dependent
> slave zones from the config. As soon as I did this, Bind became
> stable again. Interestingly, zones which updated over public IP space
> behaved fine, even if the master server was unreachable. It was only
> zones that were trying to go over the down ipsec connection that hosed
> the daemon.
> This whole issue is logged in a bit more detail here, including output
> from strace:
> I can (apparently) reproduce this issue again with little difficulty,
> so I'd be glad to help debug it.
> Matt LaPlante
I would say that some I/O is blocking when it shouldn't
with sockets which use ipsec. If this is the case it is
a kernel bug and named can't do anything to prevent it.
Named marks all sockets as non-blocking.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
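
As an added example (not part of the original message and not BIND source code), the following C sketch shows the non-blocking contract the reply relies on: once O_NONBLOCK is set, a recv() with nothing queued returns at once with EAGAIN instead of waiting. The helper names are hypothetical, and the probe uses a plain local UDP socket, not an ipsec path; a call that stalls despite the flag would be the kernel-side blocking described above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Set O_NONBLOCK while preserving the other file status flags. */
int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Report whether the descriptor currently carries O_NONBLOCK. */
int is_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags >= 0 && (flags & O_NONBLOCK) != 0;
}

/* Open a UDP socket and mark it non-blocking; no traffic is ever sent. */
int open_probe_socket(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd >= 0 && set_nonblocking(fd) < 0) { close(fd); return -1; }
    return fd;
}

/* recv() on a socket with nothing queued: stores errno, returns elapsed ms. */
long probe_recv_ms(int fd, int *err) {
    char buf[512];
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    *err = (n < 0) ? errno : 0;   /* capture errno before any other call */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return (t1.tv_sec - t0.tv_sec) * 1000L + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
}

int main(void) {
    int err, fd = open_probe_socket();
    if (fd < 0) { perror("open_probe_socket"); return 1; }
    long ms = probe_recv_ms(fd, &err);
    printf("nonblocking=%d errno=%s elapsed=%ldms\n", is_nonblocking(fd), strerror(err), ms);
    close(fd);
    return 0;
}
```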