Package: bind9
Version: 1:9.16.13-1
Severity: normal

May 2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.2#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.3#53
[...]
May 2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.47.0#53
May 2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.48.0#53
May 2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.49.0#53
May 2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53
On a system with 2560 extra IPv4 addresses for test purposes, a default configuration of bind9 takes one minute to start on a reasonably fast 64-bit system (two E5-2620 CPUs). See the above for example startup log entries.

May 2 16:39:36 sjl named[7372]: zone localhost/IN: loaded serial 2
May 2 16:39:36 sjl named[7372]: all zones loaded
May 2 16:39:36 sjl named[7372]: running
May 2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
May 2 16:39:36 sjl named[7372]: managed-keys-zone: Unable to fetch DNSKEY set '.': not enough free resources
May 2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)

Then the startup doesn't complete properly, with errors like the above.

OPTIONS="-u bind -S 150000"

Putting something like the above in /etc/default/named fixes the errors, but it still takes a long time, and really 150,000 file handles shouldn't be required for 2560 IP addresses.

listen-on { 10.0.2.45; };

Putting the above in named.conf.options got it to work correctly in this regard. But I expect it to not use unreasonable amounts of resources without that configuration.
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages bind9 depends on:
ii  adduser              3.118
ii  bind9-libs           1:9.16.13-1
ii  bind9-utils          1:9.16.13-1
ii  debconf [debconf-2.0]  1.5.75
ii  dns-root-data        2021011101
ii  init-system-helpers  1.60
ii  iproute2             5.10.0-4
ii  libc6                2.31-11
ii  libcap2              1:2.44-1
ii  libfstrm0            0.6.0-1+b1
ii  libjson-c5           0.15-2
ii  liblmdb0             0.9.24-1
ii  libmaxminddb0        1.5.2-1
ii  libprotobuf-c1       1.3.3-1+b2
ii  libssl1.1            1.1.1k-1
ii  libuv1               1.40.0-1
ii  libxml2              2.9.10+dfsg-6.3+b1
ii  lsb-base             11.1.0
ii  netbase              6.3
ii  zlib1g               1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                    <none>
ii  bind9-dnsutils [dnsutils]   1:9.16.13-1
ii  dnsutils                    1:9.16.13-1
pn  resolvconf                  <none>
pn  ufw                         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//include "/etc/bind/named.conf.postal";

/etc/bind/named.conf.options changed:
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on { 10.0.2.45; };
	listen-on-v6 { any; };
};

/etc/default/named changed:
RESOLVCONF=no
OPTIONS="-u bind"

-- debconf information:
  bind9/start-as-user: bind
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
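The report shows two things a defender wants to check on any host with many addresses: which addresses named actually bound at startup (versus the set `listen-on` was meant to restrict it to), and whether it hit the socket file-descriptor limit. The following audit script is an added example written for this report; it is not part of the bug report or of bind9. It assumes only the syslog line formats that appear above, and the sample log lines embedded in it are constructed in that format.

```python
"""Audit a named startup log: per-interface listener counts, addresses bound
outside an intended allow-list, and file-descriptor-limit errors.

Added example for this bug report (not from the report or from bind9).
Parses only the two message formats visible in the report's log excerpts.
"""
import re
from collections import defaultdict

# "listening on IPv4 interface eno4, 10.0.2.45#53"
LISTEN_RE = re.compile(
    r"named\[\d+\]: listening on (IPv4|IPv6) interface (\S+), (\S+)#(\d+)$"
)
# "socket: file descriptor exceeds limit (123273/21000)"
FD_RE = re.compile(
    r"named\[\d+\]: socket: file descriptor exceeds limit \((\d+)/(\d+)\)"
)

# Constructed sample lines in the format shown in the report (not a real capture).
SAMPLE_LOG = """\
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
May 2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.2#53
May 2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53
May 2 16:39:36 sjl named[7372]: all zones loaded
May 2 16:39:36 sjl named[7372]: running
May 2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
"""


def parse_listeners(log_text):
    """Return {interface: [(family, address, port), ...]} for every
    'listening on' line in the log."""
    listeners = defaultdict(list)
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            family, iface, addr, port = m.groups()
            listeners[iface].append((family, addr, int(port)))
    return dict(listeners)


def fd_violations(log_text):
    """Return [(descriptors_wanted, limit), ...] for each fd-limit error."""
    found = []
    for line in log_text.splitlines():
        m = FD_RE.search(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


def unexpected_listeners(listeners, allowed):
    """Addresses named bound that are not in the intended listen-on set.
    'allowed' is the set of addresses the operator meant to expose."""
    allowed = set(allowed)
    return sorted(
        addr
        for entries in listeners.values()
        for _family, addr, _port in entries
        if addr not in allowed
    )


def audit(log_text, allowed):
    """Summarise the log: listener count per interface, addresses outside
    the allow-list, and any file-descriptor-limit errors."""
    listeners = parse_listeners(log_text)
    return {
        "listeners_per_interface": {i: len(v) for i, v in listeners.items()},
        "unexpected": unexpected_listeners(listeners, allowed),
        "fd_errors": fd_violations(log_text),
    }


if __name__ == "__main__":
    # The allow-list mirrors the report's intended listen-on { 10.0.2.45; }
    # plus loopback; anything else bound is exposure the config did not ask for.
    print(audit(SAMPLE_LOG, ["127.0.0.1", "10.0.2.45", "::1"]))
```

On a live host, feed it the journal for the named unit instead of `SAMPLE_LOG` (for example the output of `journalctl -u named -b`) and pass the addresses from your own `listen-on` / `listen-on-v6` statements as the allow-list; a non-empty `unexpected` list means named is bound on addresses the configuration did not intend, and any entry in `fd_errors` means the `-S` limit (or the default) is below what the bound socket count needs.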