It happens on all of our DNS servers. We have 6 servers running RHEL 4.4 or CentOS 5. This error appears more frequently on servers with high load. I saw the same problem with BIND 9.6. That is the reason why I stay with 9.4.2 as long as I can.

Performance is acceptable with 9.4.2 P2. I will try the workaround to see if it works. Another workaround that I'm trying is patching the 9.4.2 P2 version with this:

--- bind-9.4.2-P2/bin/named/update.c (original) +++ bind-9.4.2-P2/bin/named/update.c (Dynamic Update DoS security update) 
@@ -861,7 +861,11 @@ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) covers = dns_rdata_covers(&t->rdata); - else + else if (type == dns_rdatatype_any) { + dns_db_detachnode(db, &node); + dns_diff_clear(&trash); + return (DNS_R_NXRRSET); + } else covers = 0; /*

BTW, what can I do to help debug this problem? If it doesn't involve programming I will try.

Regards,
Vu

2009/7/31 JINMEI Tatuya / 神明達哉 <jin...@isc.org>
>
> At Thu, 30 Jul 2009 22:16:47 +0700,
> Le Vu <lev....@gmail.com> wrote:
>
> > I have updated BIND from 9.4.2-P2 to 9.4.3-P3 to mitigate the Dynamic Update
> > DOS attack. I have noted a lot of errors from socket.c (which I have never
> > seen before with v9.4.2)
> >
> > Jul 30 06:25:18 DNS1 named[25555]: socket.c:4524: unexpected error:
> > Jul 30 06:25:18 DNS1 named[25555]: 22/Invalid argument
> >
> > There are also some of these errors:
> > Jul 30 07:26:17 DNS1 named[25555]: sockmgr 0xb7f05008: maximum number of FD
> > events (64) received
> >
> > BIND is compiled with the following options on CentOS 5.3 (another machine with
> > RHEL 4.4 has these errors too):
> > ./configure --disable-openssl-version-check --with-openssl=no
> >
> > What should I do:
> > - go back to 9.4.2-P2 and use iptables to filter DNS update packets
> > - use another version of BIND
> > - ignore the error
>
> If you didn't have a performance problem with 9.4.2-P2, please try
> rebuilding 9.4.3-P3 with --disable-epoll as a workaround.
>
> We've heard the problem you saw several times:
> https://lists.isc.org/pipermail/bind-users/2009-April/076026.html
> https://lists.isc.org/pipermail/bind-users/2009-May/076265.html
> but haven't figured out the cause of that. While it doesn't seem to
> be super rare, it doesn't seem to be so common...I myself have never
> seen this on my Linux test box, and many other Linux users apparently
> don't have this problem either (otherwise we'd have got this report
> much more frequently). If you're willing to help debug this problem
> (even if the workaround works), that would be great.
>
> Thanks,
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
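
Review bot: the early return in the added `else if (type == dns_rdatatype_any)` branch releases only `node` and `trash` by hand before `return (DNS_R_NXRRSET);`, so check it against the rest of the function in update.c: anything else acquired before this point must also be released here, and `node` must be attached on every path that reaches the branch. If the function already has a common failure exit, routing this case through it is safer than duplicating the cleanup in a hand-applied backport. The branch also carries no comment saying why `dns_rdatatype_any` is rejected at this spot; a one-line comment would keep the reason visible when the tree is later moved to a release that includes the fix. The hunk as posted stops at the opening `/*` of the trailing context, so diff the patched file against the 9.4.3-P3 copy of update.c to confirm the backport matches.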