Wednesday Aug 26, 2009

BIND 9.3.6-P1 requires poll(7d) to improve networking performance, which was very badly impacted by the changes applied to BIND to help fight off attacks arising from the Kaminsky issue, Sun Alert 239392.

If BIND's named process is running within a chroot(2) environment, then that environment requires the poll device to be installed. I recommend using zones(5) and Role-Based Access Control, rbac(5), rather than chroot environments, which avoids this issue.

Example 1: missing poll device:

# /usr/sbin/named -t /var/named -u dns -f -g
31-Jan-2009 21:07:16.697 starting BIND 9.3.6 -t /var/named -u dns -f -g
31-Jan-2009 21:07:16.697 found 8 CPUs, using 8 worker threads
31-Jan-2009 21:07:16.715 socket.c:3259: unexpected error:
31-Jan-2009 21:07:16.715 open(/dev/poll) failed: No such file or directory
31-Jan-2009 21:07:16.715 ./main.c:495: unexpected error:
31-Jan-2009 21:07:16.715 isc_socketmgr_create() failed: file not found
31-Jan-2009 21:07:16.715 create_managers() failed: unexpected error
31-Jan-2009 21:07:16.715 exiting (due to early fatal error)

The '-t /var/named' option causes named to use /var/named as the chroot directory. named is unable to continue because the required device /dev/poll is missing inside that directory.

To address the missing poll device simply create it:

Example 2: Create poll device with same properties as root (/) device using mknod(1M)

   # ls -ld /devices/pseudo/poll@0:poll
   crw-rw-rw-  1 root  sys  138, 0 May 28 04:25 /devices/pseudo/poll@0:poll
   # cd /var/named/dev
   # ls
   null    random
   # mknod poll c 138 0
   # chmod 666 poll

If using SMF remember to clear and re-enable the service:

   # svcadm clear svc:/network/dns/server:default
   # svcadm enable svc:/network/dns/server:default
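
Device major numbers can differ between systems, so the 138 above should be read from the system's own poll device rather than copied. The script below is an added example, not part of the original post: it parses `ls -l` output like that in Example 2 and prints the mknod command for a missing chroot node, or reports a mismatch. The function names dev_ids and check_node are illustrative, and the sample line is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): compare a chroot device node
# with the system one using `ls -l` output, and print the mknod(1M) command
# needed when the chroot copy is missing.

# Print "type major minor" for one `ls -l` line of a device node on stdin.
dev_ids() {
    awk '/^[cb]/ {
        type = substr($1, 1, 1)
        for (i = 2; i <= NF; i++) {
            # ls prints "major, minor" (or "major,minor") in the size column
            if ($i ~ /^[0-9]+,[0-9]+$/) {
                split($i, p, ","); print type, p[1], p[2]; exit
            }
            if ($i ~ /^[0-9]+,$/ && $(i + 1) ~ /^[0-9]+$/) {
                print type, substr($i, 1, length($i) - 1), $(i + 1); exit
            }
        }
    }'
}

# check_node NAME SYSTEM_LS_LINE CHROOT_LS_LINE
# Prints "ok NAME" when the nodes match, the mknod command when the chroot
# node is missing, or a mismatch report when its type or numbers differ.
# Returns 2 if the system line cannot be parsed as a device node.
check_node() {
    want=$(printf '%s\n' "$2" | dev_ids)
    have=$(printf '%s\n' "$3" | dev_ids)
    [ -n "$want" ] || { echo "cannot parse system device: $1" >&2; return 2; }
    if [ "$want" = "$have" ]; then
        echo "ok $1"
    elif [ -z "$have" ]; then
        echo "mknod $1 $want"
    else
        echo "mismatch $1: have $have, want $want"
    fi
}

# Constructed sample input, modelled on the listing in Example 2.
SYS_POLL='crw-rw-rw-  1 root  sys  138, 0 May 28 04:25 /devices/pseudo/poll@0:poll'

# On a live system the lines would come from ls, for example:
#   check_node poll "$(ls -ld /devices/pseudo/poll@0:poll)" \
#                   "$(ls -ld /var/named/dev/poll 2>/dev/null)"
check_node poll "$SYS_POLL" ""            # chroot node missing
check_node poll "$SYS_POLL" "$SYS_POLL"   # chroot node matches
```

A mismatch report means the existing node in the chroot has to be removed before mknod is run again.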

See also CR 6799867

Monday Sep 10, 2007

An upgrade to BIND 9.3.4-P1 is available for Solaris 10 Operating Environment by installing patch 119783-05 for SPARC or 119784-05 for x86 architectures.

BIND 9.3.4 provided a number of new features over BIND 8, which was supplied with the Solaris 8 and 9 Operating Environments. Additionally, BIND 9.3.4 provides a number of compatibility features not available in BIND 9.2.4 (the FCS version of BIND in Solaris 10 OE). For details of all the changes refer to the migration notes.

Summary of Differences between BIND 9.3 and BIND 9.2

BIND 9.3 has a number of new features over 9.2 including:

  • DNSSEC is now Delegation Signer (DS) based, RFC4033, RFC4034 and RFC4035. This collection of RFCs is otherwise known as DNSSEC-bis.

  • DNSSEC Look-aside Validation (DLV) (experimental), RFC4431

  • check-names is now implemented.

  • rrset-order is more complete.

  • IPv4/IPv6 transition support, "dual-stack-servers".

  • IXFR deltas can now be generated when loading master files, "ixfr-from-differences".

  • It is now possible to specify the size of a journal, "max-journal-size".

  • It is now possible to define a named set of master servers to be used in a masters clause, "masters".

  • The advertised EDNS UDP size can now be set, "edns-udp-size".

  • New Name Server SMF properties. With the introduction of BIND 9.3.4 new Name Server smf(1) properties have been introduced to provide an SMF compliant method for setting BIND 9.3.4 command line options. Changing the "start method" property of the BIND 9 service is no longer recommended.

For further information refer to the migration notes as above.

Thursday May 25, 2006

The Internet's IPv6 inverse domain name is officially changing as of 1st June 2006 from ip6.int to ip6.arpa, but what's in a name?

This blog copyright 2009 by ace