BIND starting before network is completely online
Summary
On system boot, BIND attempts to start before network services are completely online.
BIND version used
BIND 9.18.19 (Extended Support Version) <id:c78cd36>
running on Linux x86_64 5.14.0-284.25.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 20 09:11:28 EDT 2023
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error' '--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -L/opt/isc/isc-bind/root/usr/lib64' 'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.18.19/sphinx/bin/sphinx-build'
compiled by GCC 11.3.1 20221121 (Red Hat 11.3.1-4)
compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
Steps to reproduce
Using RHEL 9.2:
- Add additional IPv4 addresses to the system's default interface
- Install the latest BIND from the ISC COPR repo
- Make sure that BIND will start on boot: systemctl enable isc-bind-named
- Use views in the named.conf that "match-destinations" to one or more of the additional IPv4 addresses in step 1
- Reboot the OS
What is the current bug behavior?
BIND fails to start on boot. Error messages include (from /var/log/messages file):
could not get query source dispatcher (<ip-mentioned-in-step1-reproduce>#0)
loading configuration: address not available
exiting (due to fatal error)
What is the expected correct behavior?
I expect isc-bind-named to start on system boot, after the network addresses are completely online.
Relevant configuration files
Sample /etc/sysconfig/network-scripts/ifcfg-eth0 file:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPADDR=<primary-IPv4-address>
PREFIX=24
NETMASK=255.255.255.0
IPADDR1=<secondary-IPv4-address-in-same-subnet>
PREFIX1=24
NETMASK1=255.255.255.0
Sample /etc/opt/isc/scls/isc-bind/named.conf file (view portion):
view "my-view" {
    match-destinations {
        <secondary-IPv4-address>;
    };
    notify-source <secondary-IPv4-address>;
    transfer-source <secondary-IPv4-address>;
    query-source <secondary-IPv4-address>;
    recursion yes;
    minimal-responses yes;
    allow-query { any; };
};
Possible fixes
The problem is in the /usr/lib/systemd/system/isc-bind-named.service file. The first two lines are currently:
[Unit]
After=network.target
A workaround is to:
- Create a directory: /etc/systemd/system/isc-bind-named.service.d
- Create a supplemental conf file in the above directory (it must have the suffix ".conf"), for example 00-latestart.conf, containing:
[Unit]
After=network-online.target
This overrides the isc-bind-named.service file setting of "After=network.target", and changes the setting to "After=network-online.target". This will correctly wait until all interfaces are configured and online before attempting to start BIND.
It should be noted that one can temporarily achieve the same outcome by manually editing the /usr/lib/systemd/system/isc-bind-named.service file, but the change will be overwritten the next time the package is updated.
I would respectfully encourage a permanent change to the isc-bind-named.service file to change the "After" value to "network-online.target".
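
The workaround above as a shell script, added here as an example and not taken from the report or the ISC package: it writes the drop-in and checks that every notify-source, transfer-source and query-source address in named.conf is actually assigned to an interface. The function names are hypothetical, and the "Wants=" line is an addition to the report's drop-in, included because "After=" only orders units and does not pull network-online.target into the boot transaction.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are those in the report.

# Print each IPv4 address named by notify-source / transfer-source /
# query-source in named.conf ($1), one per line, de-duplicated.
source_addrs() {
    awk '$1 ~ /^(notify|transfer|query)-source$/ {
             a = ($2 == "address") ? $3 : $2   # optional "address" keyword
             sub(/;.*/, "", a)
             if (a != "" && a != "*") print a
         }' "$1" | sort -u
}

# IPv4 addresses currently assigned to any interface (iproute2).
local_addrs() {
    ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# Print source addresses from named.conf ($1) that are absent from the
# address list in file $2; return 1 if any are missing.
missing_addrs() {
    rc=0
    for a in $(source_addrs "$1"); do
        grep -qxF "$a" "$2" || { echo "$a"; rc=1; }
    done
    return "$rc"
}

# Write the drop-in under $1 (default /etc/systemd/system), print its path.
# Wants= is an addition to the report's file: After= alone only orders units.
write_dropin() {
    d="${1:-/etc/systemd/system}/isc-bind-named.service.d"
    mkdir -p "$d"
    printf '[Unit]\nWants=network-online.target\nAfter=network-online.target\n' \
        > "$d/00-latestart.conf"
    echo "$d/00-latestart.conf"
}

if [ "${1:-}" = "--apply" ]; then
    write_dropin
    systemctl daemon-reload
    systemctl show -p After -p Wants isc-bind-named.service
    t=$(mktemp) && local_addrs > "$t"
    missing_addrs /etc/opt/isc/scls/isc-bind/named.conf "$t" \
        && echo "all source addresses are assigned"
    rm -f "$t"
fi
```

Run it with --apply as root. network-online.target only delays startup when a wait-online service is enabled, which on RHEL can be checked with "systemctl is-enabled NetworkManager-wait-online.service".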