In message <CAMCLrkHffDnf2gPtS35NhFmn7w6XkKw=f4vw-hyyflpqfhr...@mail.gmail.com>, Mark Boolootian writes:
> We're in the process of standing up new anycast
> name servers. They are running BIND 9.10.3-P4
> on FreeBSD 10.2-RELEASE-p9.
>
> We've only got one in service so far, but we've
> run into a very difficult issue. We are episodically
> seeing the BIND port 53 listener that is bound to the
> loopback (anycast) address exit. Sometimes both
> TCP and UDP listeners quit, in other instances just
> the TCP listener quits. Note that this is a recursive
> server.
>
> Here's an example of what I find in the BIND logs:
>
> 29-Apr-2016 12:38:06.849 network: no longer listening on 192.168.1.1#53
> 29-Apr-2016 12:38:06.861 network: listening on IPv4 interface lo1,
> 192.168.1.1#53
> 29-Apr-2016 12:38:06.863 network: binding TCP socket: permission denied
>
> lo1 is the anycast address for this box. BIND is still happily
> listening for TCP:53 on the interface address. The permission
> denied complaint is because BIND is running chroot.

Chroot has zero impact on this. Running with -u will, but you can
configure FreeBSD to allow the user named is running as to bind to
port 53.

https://deepthought.isc.org/article/AA-00621/50/How-to-bind-to-port-53-when-using-named-u-bind-with-FreeBSD.html

> We could
> fix that, but it won't do anything to help explain why BIND stops
> listening on the loopback interface.

It's because the interface goes away. named listens to the routing
socket and rescans the interfaces on changes. The interface is going
away and returning.

> No sign of trouble in the system logs. No evidence that there is
> an issue with the loopback interface disappearing.
>
> I've got lots of logging enabled in BIND, and the best I
> can tell is that it appears the unbind might be happening
> around the time when a zone transfer from the RPZ master
> occurs, but there is nothing helpful in the logs beyond the
> above announcement of 'no longer listening' (that message doesn't
> get written into the debug log file, so it is hard to correlate
> time between debug messages and the unbind). No obvious
> evidence of malfeasance is present.
>
> We've seen this happen three times over the past seven days.
> Twice it was just the TCP listener that dropped, once it was
> both TCP and UDP.
>
> Any thoughts on what rocks to turn over to find some clue
> on what might be causing this would be greatly appreciated.
> I can't tell if this has the smell of a bug or not at this point.
>
> thank you,
> mark
> ---
> Mark Boolootian
> UC Santa Cruz
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
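
An added example, not part of either message: a Python pass over named's `network` log lines that pairs each "no longer listening" entry with the re-listen and any TCP bind error that follows, so the interface flap described in the reply shows up with timestamps. The sample log is the three lines quoted in the thread (wrapped line rejoined) plus one constructed line; the function name and the rule that a bind error belongs to the preceding "listening on" line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three log lines quoted in the post (wrapped line
# rejoined) plus one constructed unrelated line that must be ignored.
SAMPLE_LOG = """\
29-Apr-2016 12:38:06.849 network: no longer listening on 192.168.1.1#53
29-Apr-2016 12:38:06.861 network: listening on IPv4 interface lo1, 192.168.1.1#53
29-Apr-2016 12:38:06.863 network: binding TCP socket: permission denied
29-Apr-2016 12:40:00.000 general: constructed unrelated line
"""

LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) network: (.*)$")
DROP = re.compile(r"^no longer listening on (\S+)$")
LISTEN = re.compile(r"^listening on IPv[46] interface (\S+), (\S+)$")
BIND_FAIL = re.compile(r"^binding TCP socket: (.+)$")


def find_listener_flaps(text):
    """Return one dict per 'no longer listening' event, with what followed it."""
    flaps, pending, last = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other categories and malformed lines are skipped
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        msg = m.group(2)
        if (d := DROP.match(msg)):
            flap = {"addr": d.group(1), "dropped": ts, "relisten": None,
                    "iface": None, "gap_ms": None, "tcp_error": None}
            flaps.append(flap)
            pending[d.group(1)] = flap
            last = None
        elif (li := LISTEN.match(msg)):
            flap = pending.pop(li.group(2), None)
            if flap:
                flap["relisten"], flap["iface"] = ts, li.group(1)
                flap["gap_ms"] = (ts - flap["dropped"]) // timedelta(milliseconds=1)
            last = flap
        elif (b := BIND_FAIL.match(msg)) and last:
            # Assumption: the error belongs to the most recent 'listening on' line.
            last["tcp_error"] = b.group(1)
    return flaps


if __name__ == "__main__":
    for f in find_listener_flaps(SAMPLE_LOG):
        print(f)
```

A flap whose `relisten` stays `None` means the address never came back in the log window; one with `tcp_error` set means the interface returned but the TCP rebind failed.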

