loss of masters over ipsec hoses bind

Mark Andrews Mark_Andrews at isc.org
Sun Dec 23 02:57:48 UTC 2007

> I'm currently running Bind 9.4.1 (Ubuntu Gutsy).  I have several zones
> in master->slave setups, which normally works just fine.  The other
> day, however, I ran into an odd problem.  A couple of the slave zones
> generally update over an ipsec connected network.  The ipsec
> connection went away, and shortly thereafter bind royally wedged
> itself, refusing to serve any data (including basic forward lookups)
> and was not even responding to rndc restarts.  It took me a good while
> of restarting the system and poking around logs to decide to strace
> the process, which eventually led me to removing the ipsec-dependent
> slave zones from the config.  As soon as I did this, Bind became
> stable again.  Interestingly, zones which updated over public IP space
> behaved fine, even if the master server was unreachable.  It was only
> zones that were trying to go over the down ipsec connection that hosed
> the daemon.
> This whole issue is logged in a bit more detail here, including output
> from strace:
> https://bugs.launchpad.net/ubuntu/+source/bind/+bug/177489
> I can (apparently) reproduce this issue again with little difficulty,
> so I'd be glad to help debug it.
> -
> Matt LaPlante

	I would say that some I/O is blocking when it shouldn't
	with sockets which use ipsec.  If this is the case it is
	a kernel bug and named can't do anything to prevent it.
	Named marks all sockets as non-blocking.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
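
Added example, not part of the original thread: one way to test the hypothesis in the reply above is to capture a trace with `strace -T` and flag I/O calls that took a long time on descriptors previously marked O_NONBLOCK. The function name, threshold, and sample trace lines are constructed for illustration.

```python
import re

# One line of `strace -T` output; an optional pid prefix appears with -f.
LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<call>\w+)\((?P<fd>\d+)(?P<args>.*)\)'
    r'\s+=\s+(?P<ret>-?\d+).*<(?P<secs>\d+\.\d+)>\s*$'
)
IO_CALLS = {"connect", "send", "sendto", "sendmsg", "recv", "recvfrom",
            "recvmsg", "read", "write"}

def stalled_nonblocking_calls(lines, threshold=0.5):
    """Return (call, fd, seconds) for I/O on O_NONBLOCK fds slower than threshold."""
    nonblocking = set()
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # socket(), unfinished/resumed lines, signals, exit status
        call, fd, secs = m["call"], int(m["fd"]), float(m["secs"])
        if call.startswith("fcntl") and "F_SETFL" in m["args"]:
            # F_SETFL replaces the flag set, so it can also clear O_NONBLOCK
            if "O_NONBLOCK" in m["args"]:
                nonblocking.add(fd)
            else:
                nonblocking.discard(fd)
        elif call == "close":
            nonblocking.discard(fd)  # the fd number may be reused later
        elif call in IO_CALLS and fd in nonblocking and secs >= threshold:
            hits.append((call, fd, secs))
    return hits

# Constructed sample trace (not taken from the linked bug report).
# 10.8.0.2 stands in for a master reached over the tunnel, 192.0.2.10 for a public one.
SAMPLE = """\
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 20 <0.000021>
fcntl64(20, F_SETFL, O_RDWR|O_NONBLOCK) = 0 <0.000007>
sendto(20, "q"..., 45, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.10")}, 16) = 45 <0.000034>
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 21 <0.000019>
fcntl64(21, F_SETFL, O_RDWR|O_NONBLOCK) = 0 <0.000006>
connect(21, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.8.0.2")}, 16) = 0 <31.004512>
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 22 <0.000020>
connect(22, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.10")}, 16) = 0 <2.100000>
"""

if __name__ == "__main__":
    for call, fd, secs in stalled_nonblocking_calls(SAMPLE.splitlines()):
        print(f"{call}() on non-blocking fd {fd} took {secs:.3f}s")
```

A hit means the kernel held the caller inside a syscall on a descriptor that was marked non-blocking; slow calls on descriptors never marked O_NONBLOCK (fd 22 in the sample) are not reported.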
