From: Christopher Sean Hilton <chris@vindaloo.com>
To: David Wolfskill
Cc: freebsd-stable@freebsd.org
Subject: Re: Bind9 + TCP_FASTOPEN => no rndc
Date: Wed, 27 Sep 2017 16:00:49 -0400
Message-ID: <20170927200033.pqwweoncqm4k627d@csh-desktop-vm00.loopone.com>
In-Reply-To: <20170927175131.GE1165@albert.catwhisker.org>
References: <20170927173525.bspia3tpcu35yng3@kessel.vindaloo.com> <20170927175131.GE1165@albert.catwhisker.org>
List-Id: Production branch of FreeBSD source code

On Wed, Sep 27, 2017 at 05:51:31PM +0000, David Wolfskill wrote:
> On Wed, Sep 27, 2017 at 01:35:25PM -0400, Christopher Sean Hilton wrote:
> > I'm trying to configure bind 9.11 as a nameserver on FreeBSD
> > 11-STABLE. When the bind9 port compiles, it enables TCP_FASTOPEN but the
> > changes haven't yet been baked into the GENERIC kernel. I can't find a
> > way to disable the use of TCP_FASTOPEN in bind at startup. Is the only
> > way to fix this problem to build a new kernel with TCP_FASTOPEN
> > enabled?
> >
> > -- Chris
> > ....
>
> ? I'm running bind99-9.9.11 (dns/bind99) on a couple systems running
> stable/11 (amd64; currently r323950). The kernels are (lightly)
> customized, based on GENERIC. I don't recall setting anything involving
> TCP_FASTOPEN on anything, and have used rndc without issue....
>
> Perhaps you could elaborate a bit on exactly what you are trying to do
> and how the system responds? (The systems in question run kernels that
> are built on a dedicated "build machine" -- which is presently powered
> off for the day. I can bring it up for a reality check, should that be
> wanted.)
>

Good afternoon David,

Thanks for the help! I'm running ports net/bind911 on FreeBSD 11-STABLE with the GENERIC kernel.
When I start bind, I get this in my logs:

Sep 27 13:16:13 alderaan named[30169]: starting BIND 9.11.2
Sep 27 13:16:13 alderaan named[30169]: running on FreeBSD amd64 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE #2 r321128: Tue Jul 18 11:30:08 EDT 2017 root@freebsd-mule:/usr/obj/usr/src/sys/GENERIC
Sep 27 13:16:13 alderaan named[30169]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--with-lmdb' '--without-python' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-D
Sep 27 13:16:13 alderaan named[30169]: running as: named -t /var/named -u bind -c /etc/namedb/named.conf
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: BIND 9 is maintained by Internet Systems Consortium,
Sep 27 13:16:13 alderaan named[30169]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 27 13:16:13 alderaan named[30169]: corporation. Support and training for BIND 9 are
Sep 27 13:16:13 alderaan named[30169]: available at https://www.isc.org/support
Sep 27 13:16:13 alderaan named[30169]: ----------------------------------------------------
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: socket.c:5695: unexpected error:
Sep 27 13:16:13 alderaan named[30169]: setsockopt(24, TCP_FASTOPEN) failed with Protocol not available
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel 127.0.0.1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: couldn't add command channel ::1#953: file not found
Sep 27 13:16:13 alderaan named[30169]: all zones loaded

I haven't read the bind source code yet but I'm assuming that the inability to start rndc at 127.0.0.1#953 is related to the TCP_FASTOPEN error from the log above.

Not much on Google, but it reveals this thread:

https://forums.freebsd.org/threads/59367/

which talks about the problem and mentions one, and only one, solution: rebuilding the kernel to support TCP_FASTOPEN. That solution is kind of heavyweight for me. If you read more about tcp_fastopen, you'll get indications that the code may be too green right now to be enabled by default.

Please pardon any file blunders here, I'm at work so it's not easy to research this completely.
From what I can see though, the option is defined in but it needs to be compiled in and then enabled via sysctl if you want to actually use it.

I was hoping that bind had a runtime option to disable this feature but I can't find it anywhere. I'll look at the bind source code tonight. I'll be hoping to find a config switch or something that can turn TCP_FASTOPEN off even if the header files say that it's available. If it's there, I'll submit a patch to the port's config to toggle that switch at compile time.

--
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                      [chris/at/vindaloo/dot/com]
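The failure mode in the log above is a runtime one: the build headers declared TCP_FASTOPEN, but the running kernel answered setsockopt() with "Protocol not available" (ENOPROTOOPT). The following is an added example, not code from this thread, from BIND or from the FreeBSD port, showing how a daemon can treat TCP Fast Open as best-effort: it tries TCP_FASTOPEN on its listening socket and, when the kernel reports the option as unsupported, records that and carries on instead of logging an error. Assumptions: a POSIX socket API with <netinet/tcp.h>; the loopback address and an ephemeral port are only demo choices; the three-state return convention (TFO_ENABLED / TFO_UNSUPPORTED / TFO_ERROR) and the helper names are this example's own.

```c
/* Added example (not from the thread, BIND or the port): a TCP listener
 * that treats TCP Fast Open as optional.  On a kernel built without TFO,
 * setsockopt(TCP_FASTOPEN) fails with ENOPROTOOPT ("Protocol not
 * available"); that is recorded and ignored rather than being fatal. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Example-specific convention for the outcome of the TFO attempt. */
enum { TFO_ENABLED = 1, TFO_UNSUPPORTED = 0, TFO_ERROR = -1 };

/* errno values that mean "this kernel/socket does not offer the option",
 * as opposed to a programming error such as EBADF or ENOTSOCK. */
int tfo_errno_is_unsupported(int err)
{
    return err == ENOPROTOOPT || err == EPROTONOSUPPORT || err == EOPNOTSUPP;
}

/* Best-effort TFO enable on a bound, not-yet-listening TCP socket.
 * qlen is the TFO queue-length hint Linux uses; FreeBSD 11 treats any
 * non-zero value as "on" (my understanding, not stated in the thread).
 * Assumption: TCP_FASTOPEN comes from <netinet/tcp.h> when available. */
int tfo_try_enable(int fd, int qlen)
{
#ifdef TCP_FASTOPEN
    if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof qlen) == 0)
        return TFO_ENABLED;
    return tfo_errno_is_unsupported(errno) ? TFO_UNSUPPORTED : TFO_ERROR;
#else
    (void)fd; (void)qlen;
    return TFO_UNSUPPORTED;   /* headers predate TFO: nothing to try */
#endif
}

/* Open a TCP listener on 127.0.0.1:port (0 = ephemeral).  The TFO outcome
 * is stored in *tfo_state; only a genuine setsockopt error aborts setup,
 * "unsupported" does not.  Returns the listening fd or -1. */
int open_listener(uint16_t port, int *tfo_state)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;
    (void)setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }

    *tfo_state = tfo_try_enable(fd, 16);
    if (*tfo_state == TFO_ERROR) {      /* EBADF, ENOTSOCK, ... : real bug */
        close(fd);
        return -1;
    }

    if (listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int tfo;
    int fd = open_listener(0, &tfo);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("listener up, TCP_FASTOPEN %s\n",
           tfo == TFO_ENABLED ? "enabled"
                              : "unavailable (continuing without it)");
    close(fd);
    return 0;
}
```

The point of the tri-state return is that "the kernel lacks the option" and "I passed a bad descriptor" are different failures; a daemon should downgrade gracefully on the first and abort on the second. On the kernel side, my recollection (not something this thread states) is that FreeBSD 11 needs the TCP_RFC7413 kernel option and then net.inet.tcp.fastopen.enabled=1 via sysctl before the option does anything, which is the "compiled in and then enabled via sysctl" sequence described above.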