xfrm_larval_drop required for bind over ipsec

Kevin Darcy kcd at chrysler.com
Fri Apr 18 16:44:18 UTC 2008


Matt LaPlante wrote:
> I wanted to follow up on a problem originally reported in this thread
> [http://marc.info/?t=119826505600004&r=1&w=2].  Running bind 9.4.1,
> when zone transfers are to happen over an ipsec connection, but the
> ipsec connection goes away, named effectively stops working on all
> interfaces.
>
> After tracking down a redhat bug that confirmed the issue
> [https://bugzilla.redhat.com/show_bug.cgi?id=427629] I forwarded the
> problem on to the lkml, and David Miller quickly suggested the
> following [http://lkml.org/lkml/2008/4/17/478]:
>
> echo "1" >/proc/sys/net/core/xfrm_larval_drop
>
> This does appear to fix the issue.  The problem is that
> xfrm_larval_drop defaults to 0 in newer kernels, which apparently
> causes I/O over an ipsec connection to block when the link is unavailable.
> It would seem bind, at least as of 9.4.1, does not anticipate this
> behavior, and hangs rather dramatically in the process.
>
Hmmm... how exactly is BIND supposed to "anticipate" that a socket which 
is set to non-blocking will in fact sometimes block, if the connection 
is an IPsec one which happens to be in a "larval" state at some 
particular point in time? What should BIND do differently to cope with 
this scenario? Some guidance from the kernel developers and/or IPsec 
gurus might be helpful.

For some odd reason, "larval" makes me think of "bug". But maybe that's 
just me...

                  - Kevin
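A small check an administrator can run on a name server that transfers zones over IPsec, reading the knob the thread discusses and reporting whether the kernel is in the configuration Matt describes as hanging named. This is an added example and not code from the thread or from the BIND project; the function names, the optional path argument (used so the logic can be exercised against a constructed file) and the "drop"/"block"/"unsupported" labels are my own.

```shell
# Report the state of the kernel's xfrm_larval_drop knob. Per the thread,
# 1 means traffic for an IPsec SA still in the "larval" state is dropped,
# so a non-blocking socket in named does not block; 0 (the default in newer
# kernels, as reported above) lets that I/O block when the peer is gone.
# The optional argument is an assumption made for testability: it lets the
# function read a constructed file instead of /proc.
xfrm_larval_drop_state() {
  file="${1:-/proc/sys/net/core/xfrm_larval_drop}"
  if [ ! -r "$file" ]; then
    echo "unsupported"   # kernel exposes no larval-drop knob at all
    return 0
  fi
  value=$(tr -d '[:space:]' < "$file")
  case "$value" in
    1) echo "drop" ;;    # larval-state traffic is dropped; named keeps working
    0) echo "block" ;;   # larval-state I/O may block; the hang described above
    *) echo "unknown" ;;
  esac
}

# One-line assessment for an operator running named over IPsec.
check_named_ipsec_risk() {
  case "$(xfrm_larval_drop_state "$1")" in
    block)       echo "WARNING: xfrm_larval_drop=0; named may hang if an IPsec peer goes away" ;;
    drop)        echo "OK: xfrm_larval_drop=1" ;;
    unsupported) echo "INFO: this kernel has no xfrm_larval_drop knob" ;;
    *)           echo "UNKNOWN: unexpected value in xfrm_larval_drop" ;;
  esac
}

check_named_ipsec_risk
```

The `echo "1" >/proc/sys/net/core/xfrm_larval_drop` from the thread only lasts until reboot; to keep it, the same knob is `net.core.xfrm_larval_drop = 1` in `/etc/sysctl.conf`, after which `sysctl -p` applies it and the check above should report `OK`.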



