Package: bind9
Version: 1:9.16.13-1
Severity: normal

May  2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.2#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.3#53
[...]
May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.47.0#53
May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.48.0#53
May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.49.0#53
May  2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53

On a system with 2560 extra IPv4 addresses for test purposes, a default
configuration of bind9 takes one minute on a reasonably fast 64-bit system (two
E5-2620 CPUs).  See the above for example startup log entries.

May  2 16:39:36 sjl named[7372]: zone localhost/IN: loaded serial 2
May  2 16:39:36 sjl named[7372]: all zones loaded
May  2 16:39:36 sjl named[7372]: running
May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
May  2 16:39:36 sjl named[7372]: managed-keys-zone: Unable to fetch DNSKEY set '.': not enough free resources
May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)

Then the startup doesn't complete properly with errors like the above.

OPTIONS="-u bind -S 150000"

Putting something like the above in /etc/default/named fixes the errors, but
it still takes a long time and really 150,000 file handles shouldn't be
required for 2560 IP addresses.

        listen-on { 10.0.2.45; };

Putting the above in named.conf.options got it to work correctly in this
regard.  But I expect it to not use unreasonable amounts of resources without
that configuration.
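As an added check, not part of the report, here is a small parser over constructed log lines in the same format as the startup messages quoted above. It counts listen sockets per interface, measures how long the "listening on" phase took, and flags the file-descriptor-limit error so the condition can be spotted in logs rather than noticed as a broken resolver:

```python
import re
from datetime import datetime

# Constructed sample, modelled on the startup log quoted in the report.
SAMPLE_LOG = """\
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.49.0#53
May  2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53
May  2 16:39:36 sjl named[7372]: running
May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
May  2 16:39:36 sjl named[7372]: managed-keys-zone: Unable to fetch DNSKEY set '.': not enough free resources
"""

# syslog timestamp, host, "named[pid]:", then the listen message
LISTEN_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"listening on (IPv[46]) interface (\S+), (\S+)#(\d+)$"
)
FDLIMIT_RE = re.compile(r"socket: file descriptor exceeds limit \((\d+)/(\d+)\)")


def analyze_named_startup(log_text):
    """Summarise listen sockets per (interface, family), the duration of the
    listen phase and any fd-limit errors found in a named startup log."""
    per_iface = {}
    first = last = None
    fd_errors = []
    for line in log_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            # syslog lines carry no year; only the difference is used here
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            first = first or ts
            last = ts
            key = (m.group(3), m.group(2))
            per_iface[key] = per_iface.get(key, 0) + 1
            continue
        m = FDLIMIT_RE.search(line)
        if m:
            fd_errors.append((int(m.group(1)), int(m.group(2))))
    listen_seconds = (last - first).total_seconds() if first else 0.0
    return {
        "listen_sockets": per_iface,
        "total_listen_sockets": sum(per_iface.values()),
        "listen_seconds": listen_seconds,
        "fd_errors": fd_errors,
        "fd_exhausted": any(used > limit for used, limit in fd_errors),
    }
```

Run against a real journal extract (`journalctl -u named`), a non-empty `fd_errors` list or a listen phase of tens of seconds is the signal that the per-address listener behaviour described in this report is in play.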

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9-libs             1:9.16.13-1
ii  bind9-utils            1:9.16.13-1
ii  debconf [debconf-2.0]  1.5.75
ii  dns-root-data          2021011101
ii  init-system-helpers    1.60
ii  iproute2               5.10.0-4
ii  libc6                  2.31-11
ii  libcap2                1:2.44-1
ii  libfstrm0              0.6.0-1+b1
ii  libjson-c5             0.15-2
ii  liblmdb0               0.9.24-1
ii  libmaxminddb0          1.5.2-1
ii  libprotobuf-c1         1.3.3-1+b2
ii  libssl1.1              1.1.1k-1
ii  libuv1                 1.40.0-1
ii  libxml2                2.9.10+dfsg-6.3+b1
ii  lsb-base               11.1.0
ii  netbase                6.3
ii  zlib1g                 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.13-1
ii  dnsutils                   1:9.16.13-1
pn  resolvconf                 <none>
pn  ufw                        <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//include "/etc/bind/named.conf.postal";

/etc/bind/named.conf.options changed:
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        
//========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        
//========================================================================
        dnssec-validation auto;
        listen-on { 10.0.2.45; };
        listen-on-v6 { any; };
};

/etc/default/named changed:
RESOLVCONF=no
OPTIONS="-u bind"


-- debconf information:
  bind9/start-as-user: bind
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
