xfrm_larval_drop required for bind over ipsec

Mark Andrews Mark_Andrews at isc.org
Thu Apr 24 10:48:51 UTC 2008


> I wanted to follow up on a problem originally reported in this thread
> [http://marc.info/?t=119826505600004&r=1&w=2].  Running bind 9.4.1,
> when zone transfers are to happen over an ipsec connection, but the
> ipsec connection goes away, named effectively stops working on all
> interfaces.
> 
> After tracking down a redhat bug that confirmed the issue
> [https://bugzilla.redhat.com/show_bug.cgi?id=427629] I forwarded the
> problem on to the lkml, and David Miller quickly suggested the
> following [http://lkml.org/lkml/2008/4/17/478]:
> 
> echo "1" >/proc/sys/net/core/xfrm_larval_drop
> 
> This does appear to fix the issue.  The problem is that
> xfrm_larval_drop defaults to 0 in newer kernels, which apparently
> causes io over an ipsec connection block when the link is unavailable.
>  It would seem bind, at least as of 9.4.1, does not anticipate this
> behavior, and hangs rather dramatically in the process.

	How can we anticipate broken kernel behaviour?

	If a socket is marked as non-blocking and it blocks it is
	a kernel bug and named can do nothing about it.

	Mark
 
> -
> Matt LaPlante
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
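Two checks a practitioner would want after reading this exchange, as an added example that is not part of the original posts and is not ISC or BIND code: a read of the xfrm_larval_drop sysctl the thread discusses, and a demonstration of the non-blocking socket contract Mark refers to, a TCP connect with a hard deadline that returns instead of hanging when the peer is unreachable. The sysctl path is taken from the thread; the function names, the loopback self-test and the constructed sysctl file are assumptions made for this example.

```python
import errno
import select
import socket
import tempfile
import time

# Sysctl named in the thread; parametrised so a constructed file can
# stand in for /proc when testing on a host without IPsec support.
XFRM_LARVAL_DROP = "/proc/sys/net/core/xfrm_larval_drop"


def read_xfrm_larval_drop(path=XFRM_LARVAL_DROP):
    """Return the sysctl value as an int, or None if it cannot be read
    (no xfrm in the kernel, or not a Linux host)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def constructed_sysctl_file(contents):
    """Write a stand-in sysctl file for offline testing (constructed data)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(contents)
        return fh.name


def nonblocking_connect(host, port, timeout):
    """TCP connect on a non-blocking socket with a deadline.

    Returns 'connected', 'refused', 'timeout' or 'error:<ERRNO>'.
    connect() itself must return at once (EINPROGRESS); completion is
    polled with select(). If the call ever blocks, the kernel, not the
    application, is at fault, which is the point made in the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)
    try:
        try:
            s.connect((host, port))
        except BlockingIOError:
            pass  # EINPROGRESS: the expected non-blocking outcome
        except OSError as e:
            if e.errno not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
                raise
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "timeout"
            _, writable, _ = select.select([], [s], [], remaining)
            if writable:
                err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
                if err == 0:
                    return "connected"
                if err == errno.ECONNREFUSED:
                    return "refused"
                return "error:" + errno.errorcode.get(err, str(err))
    finally:
        s.close()


def demo():
    """Loopback self-test: connect to a live listener, then to the same
    port after the listener is closed. Neither call may hang."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    ok = nonblocking_connect("127.0.0.1", port, 2.0)
    lst.close()
    refused = nonblocking_connect("127.0.0.1", port, 2.0)
    return ok, refused


if __name__ == "__main__":
    print("xfrm_larval_drop =", read_xfrm_larval_drop())
    print("loopback self-test:", demo())
```

Run on the affected host, the first line tells you whether the sysctl is at the value the thread recommends; the self-test shows what a well-behaved kernel does with a non-blocking connect, so the same pattern pointed at a peer behind a torn-down IPsec tunnel can be used to confirm whether the socket returns or hangs.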

