[DNS] BIND 9.9.9-P8 issue

Daniel Rodrigues dro1976 at gmail.com
Mon Aug 21 19:34:46 UTC 2017


Hi,

We don't have any IPv6 interfaces and normally IPv6 network stack is
disabled (kernel module is blacklisted).
But we never use this flag, so in doubt I will try this tomorrow.

Thank you.
Daniel

2017-08-21 11:12 GMT+02:00 Peter <info at sunnyday.sk>:

> Hi,
>
> We had same symptom/issue on several instances where IPv6 network stack
> was enabled on system (even with local IPv6 address only)
> By default BIND will start to listen and try to use IPv6 transport for
> outgoing iterative query.
>
> After some troubleshooting, we realized that cached NS record had only
> remaining IPv6 adddresses valid which cause issue in retrieving few list of
> NS
>
> If you do not have full IPv6 connectivity implemented on network and I can
> suggest based on this experience to set BIND with flag -4 (use IPv4
> transport only)
>
> Peter
>
> On 2017-08-21 10:33, Daniel Rodrigues wrote:
>
>> Hello guys,
>>
>> We are facing to an important issue which is strongly annoying us on
>> our DNS resolvers. We saw our cache decrease and we got lot of
>> SERVFAIL/recursion during this period. The only way to solve it is to
>> flush cache or reboot BIND. Our version is 9.9.9-P8 running on RHEL
>> 6.6. We already got it 6 times in 1 week on different servers.
>>
>> Here some logs when the problem appears :
>>
>> named[10616]: database: warning: delete_node: dns_rbt_findnode(nsec):
>> partial match
>>
>> named[10616]: general: warning: checkhints: unable to get root NS
>> rrset from cache: not found
>>
>> general: info: sockmgr 0x7f4419f240f0: maximum number of FD events
>> (64) received
>>
>> Below one link to see one cacti’s screen showing the performance:
>>
>> https://drive.google.com/file/d/0B3pglqx0sbOiN3ZWQmM3MDdYOTQ
>> /view?usp=sharing
>> [1]
>>
>> Do you have any idea to solve it definitively ? Is it an exploit bug ?
>>
>>
>> Thanks for you help.
>>
>>
>>
>> Links:
>> ------
>> [1]
>> https://drive.google.com/file/d/0B3pglqx0sbOiN3ZWQmM3MDdYOTQ
>> /view?usp=sharing
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170821/8cc1e4ae/attachment.html>


More information about the bind-users mailing list