Bind9 + TCP_FASTOPEN => no rndc

Christopher Sean Hilton chris at vindaloo.com
Wed Sep 27 20:00:54 UTC 2017


On Wed, Sep 27, 2017 at 05:51:31PM +0000, David Wolfskill wrote:
> On Wed, Sep 27, 2017 at 01:35:25PM -0400, Christopher Sean Hilton wrote:
> > I'm trying to configure bind 9.11 as a nameserver on FreeBSD
> > 11-STABLE. When the bind9 port compile it enables TCP_FASTOPEN but the
> > changes haven't yet been baked into the GENERIC Kernel. I can't find a
> > way to disable the use of TCP_FASTOPEN in bind at startup. Is the only
> > way to fix this problem to build a new kernel with TCP_FASTOPEN
> > enabled?
> > 
> > -- Chris
> > ....
> 
> ?  I'm running bind99-9.9.11 (dns/bind99) on a couple systems running
> stable/11 (amd64; currently r323950).  The kernels are (lightly)
> customized, based on GENERIC.  I don't recall setting anything involving
> TCP_FASTOPEN on anything, and have used rndc without issue....
> 
> Perhaps you could elaborate a bit on exactly what you are trying to do
> and how the system responds?  (The systems in question run kernels that
> are built on a dedicated "build machine" -- which is presently powered
> off for the day.  I can bring it up for a reality check, should that be
> wanted.)
> 

Good afternoon David,

Thanks for the help! I'm running ports net/bind911 of FreeBSD
11-STABLE with the GENERIC kernel. When I start bind, I get this in my
logs:

Sep 27 13:16:13 alderaan named[30169]: starting BIND 9.11.2 <id:0a2b929>
Sep 27 13:16:13 alderaan named[30169]: running on FreeBSD amd64 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE #2 r321128: Tue Jul 18 11:30:08 EDT 2017     root at freebsd-mule:/usr/obj/usr/src/sys/GENERIC
Sep 27 13:16:13 alderaan named[30169]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--with-lmdb' '--without-python' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-D
Sep 27 13:16:13 alderaan named[30169]: running as: named -t /var/named -u bind -c /etc/namedb/named.conf
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: BIND 9 is maintained by Internet Systems Consortium,
Sep 27 13:16:13 alderaan named[30169]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Sep 27 13:16:13 alderaan named[30169]: corporation.  Support and training for BIND 9 are 
Sep 27 13:16:13 alderaan named[30169]: available at https://www.isc.org/support
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(24, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel 127.0.0.1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel ::1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: all zones loaded


I haven't read the bind source code yet but I'm assuming that the
inability to start rndc at 127.0.0.1#953 is related to the
TCP_FASTOPEN error from the log above. Not much Googling reveals this
thread:

     https://forums.freebsd.org/threads/59367/

which talks about the problem and mentions one, and only one, solution:
rebuilding the kernel to support TCP_FASTOPEN.

That solution is kind of heavyweight for me. If you read more about
tcp_fastopen, you'll get indications that the code may be too green
right now to be enabled by default. Please pardon any file blunders
here, I'm at work so it's not easy to research this completely. From
what I can see though, the option id is defined in <socket/tcp.h>
but it needs to be compiled in and then enabled via sysctl if you want
to actually use it.

I was hoping that bind had a runtime option to disable this feature but I
can't find it anywhere. I'll look at the bind source code
tonight. I'll be hoping to find a config switch or something that can
turn TCP_FASTOPEN off even if the header files say that it's
available. If it's there, I'll submit a patch to the port's config to
toggle that switch at compile time.

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
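As an added check (not from this thread and not bind's own code), the following C program issues the same TCP_FASTOPEN setsockopt that named's socket.c attempts at startup, so an operator can confirm before starting named whether the running kernel answers with ENOPROTOOPT ("Protocol not available", the error in the log above) or accepts the option. The compile-time guard shows the distinction the message draws between the option id being present in the header and the kernel actually supporting it. Using IPPROTO_TCP as the option level and 1 as the value are assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Issue setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, ...) on a fresh TCP socket,
 * as named does on its listening sockets (level and value are assumptions).
 * Returns 0 if the kernel accepted the option, the errno it failed with
 * otherwise, or -1 if no TCP socket could be created at all. */
int probe_tcp_fastopen(void)
{
#ifndef TCP_FASTOPEN
    /* Header lacks the option id: named would not have compiled the call. */
    return ENOPROTOOPT;
#else
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* FreeBSD treats the value as a boolean, Linux as a TFO queue length;
     * 1 is valid for both. The socket is unbound and not listening. */
    int val = 1;
    int rc = setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &val, sizeof(val));
    int saved = (rc == 0) ? 0 : errno;
    close(fd);
    return saved;
#endif
}

/* Map the probe result to a one-line diagnosis for the operator. */
const char *describe_tfo_probe(int result)
{
    switch (result) {
    case 0:
        return "kernel accepts TCP_FASTOPEN; named should not log setsockopt errors";
    case ENOPROTOOPT:
        return "kernel built without TCP_FASTOPEN (Protocol not available)";
    case -1:
        return "could not create a TCP socket; probe inconclusive";
    default:
        return "setsockopt failed for another reason; see errno";
    }
}

int main(void)
{
    int r = probe_tcp_fastopen();
    printf("TCP_FASTOPEN probe: %s\n", describe_tfo_probe(r));
    if (r > 0)
        printf("  errno %d: %s\n", r, strerror(r));
    return (r == 0) ? 0 : 1;
}
```

On a GENERIC FreeBSD 11 kernel as described in the message this should print the ENOPROTOOPT diagnosis; a kernel built with TCP_FASTOPEN (and the corresponding sysctl enabled) reports acceptance.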