log error when using common address:port for listen-on and transfer-source/notify-source
Summary
With a Linux kernel (epoll-capable, up to linux-5.14-rc4 and likely beyond), one could previously configure:
listen-on { 192.0.2.9; };
transfer-source 192.0.2.9 port 53;
notify-source 192.0.2.9 port 53;
or
listen-on-v6 { 2001:db8::9; };
transfer-source-v6 2001:db8::9 port 53;
notify-source-v6 2001:db8::9 port 53;
and things would work fine.
Since 53f0b6c3 the above no longer works on Linux. The issue is that multiple UDP sockets are opened on the same address:port, one serviced by epoll and the other not. As a result, incoming packets get wedged on the unserviced socket, as in this netstat output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
[...]
udp 768 0 192.0.2.9:53 0.0.0.0:*
udp 0 0 192.0.2.9:53 0.0.0.0:*
This results in a portion of the queries being dropped unanswered.
I believe the bug is that with the use of netmgr/libuv, BIND should no longer allow transfer-source and notify-source, or their IPv6 counterparts, to use the same address:port being listened on, or alternatively, things need to be fixed in order to allow coexistence.
BIND version used
BIND 9.16.19 (Stable Release) <id:df0e751>
running on Linux x86_64 5.14.0-rc4 #60 SMP Fri Aug 27 01:06:50 UTC 2021
built by make with '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.16.19' '--htmldir=/usr/share/doc/bind-9.16.19/html' '--with-sysroot=/' '--libdir=/usr/lib64' 'AR=/usr/bin/x86_64-pc-linux-gnu-ar' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--with-openssl=/usr' '--without-cmocka' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gssapi' '--without-json-c' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-libxml2' '--with-zlib' '--without-python' '--enable-symtable' '--without-maxminddb' '--disable-geoip' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe -ggdb' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
compiled by GCC 10.3.0
compiled with OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
compiled with libuv version: 1.41.1
linked to libuv version: 1.42.1-dev
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Configure:
listen-on { 192.0.2.9; };
transfer-source 192.0.2.9 port 53;
notify-source 192.0.2.9 port 53;
and attempt to run multiple queries against 192.0.2.9:53.
What is the current bug behavior?
Unanswered DNS queries.
What is the expected correct behavior?
Answered DNS queries or don't allow the above configuration.
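An added example, not code from the BIND project or from this report: a small Python check that flags the conflict described above so it can be caught before named is started (or logged, as the title requests). It assumes the plain `listen-on [port N] { ...; };` and `transfer-source ADDR [port N];` forms, with no dscp clauses or ACL names, and runs against a constructed named.conf fragment.

```python
import re

# Constructed named.conf fragment mirroring the report (not a real server config).
NAMED_CONF = """
listen-on port 53 { 192.0.2.9; 192.0.2.10; };
listen-on-v6 { 2001:db8::9; };
transfer-source 192.0.2.9 port 53;
notify-source 192.0.2.10 port 5300;
transfer-source-v6 2001:db8::9 port 53;
notify-source-v6 2001:db8::9;
"""

# listen-on / listen-on-v6 [port N] { addr; addr; };
LISTEN_RE = re.compile(r"^\s*(listen-on(?:-v6)?)\s*(?:port\s+(\d+))?\s*\{([^}]*)\}\s*;", re.M)
# transfer-source / notify-source (and -v6) ADDR [port N|*];
SOURCE_RE = re.compile(r"^\s*((?:transfer|notify)-source(?:-v6)?)\s+(\S+?)(?:\s+port\s+(\S+))?\s*;", re.M)


def listening_endpoints(conf):
    """Return the set of (address, port) pairs named will bind for queries.
    A missing 'port' clause defaults to 53, as it does in named.conf."""
    endpoints = set()
    for _, port, addrs in LISTEN_RE.findall(conf):
        for addr in (a.strip() for a in addrs.split(";") if a.strip()):
            endpoints.add((addr, int(port) if port else 53))
    return endpoints


def conflicting_sources(conf):
    """Return [(option, address, port)] for every transfer-source/notify-source
    (or -v6 variant) that reuses an address:port that is also listened on.
    A source with no explicit port, or 'port *', gets an ephemeral port and
    cannot collide; 'any' in listen-on covers every address on that port."""
    listened = listening_endpoints(conf)
    any_ports = {p for a, p in listened if a == "any"}
    conflicts = []
    for option, addr, port in SOURCE_RE.findall(conf):
        if not port or port == "*":
            continue
        port = int(port)
        if (addr, port) in listened or port in any_ports:
            conflicts.append((option, addr, port))
    return conflicts


if __name__ == "__main__":
    for option, addr, port in conflicting_sources(NAMED_CONF):
        print(f"error: {option} {addr} port {port} collides with a listen-on socket")
```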