xfrm_larval_drop required for bind over ipsec

Matt LaPlante cyberdog3k at gmail.com
Fri Apr 18 14:18:38 UTC 2008


I wanted to follow up on a problem originally reported in this thread
[http://marc.info/?t=119826505600004&r=1&w=2].  Running bind 9.4.1,
when zone transfers are to happen over an ipsec connection, but the
ipsec connection goes away, named effectively stops working on all
interfaces.

After tracking down a redhat bug that confirmed the issue
[https://bugzilla.redhat.com/show_bug.cgi?id=427629] I forwarded the
problem on to the lkml, and David Miller quickly suggested the
following [http://lkml.org/lkml/2008/4/17/478]:

echo "1" >/proc/sys/net/core/xfrm_larval_drop

This does appear to fix the issue.  The problem is that
xfrm_larval_drop defaults to 0 in newer kernels, which apparently
causes I/O over an ipsec connection to block when the link is unavailable.
It would seem bind, at least as of 9.4.1, does not anticipate this
behavior, and hangs rather dramatically in the process.

-
Matt LaPlante
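As an added example (not part of Matt's post), a small POSIX shell check for the setting he describes: it reports whether the running kernel drops traffic on an unresolved IPsec SA instead of blocking the sender, treats a missing /proc entry as "unsupported", and can write a persistent sysctl.d entry. The sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Report whether the kernel
# will drop packets on a larval (unresolved) IPsec SA rather than block
# the sending socket, which is the behaviour that made named hang.
# Defaults to the real sysctl path; a different path may be passed for testing.
xfrm_larval_drop_state() {
    path="${1:-/proc/sys/net/core/xfrm_larval_drop}"
    if [ ! -r "$path" ]; then
        # Kernel without xfrm, or not Linux: the blocking behaviour
        # described in the post cannot occur here.
        echo "unsupported"
        return 2
    fi
    value=$(cat "$path")
    case "$value" in
        1) echo "enabled";  return 0 ;;   # sends fail fast; named stays responsive
        0) echo "disabled"; return 1 ;;   # sends block while the SA is larval
        *) echo "unknown:$value"; return 3 ;;
    esac
}

# Make the setting survive a reboot. The file name is an assumption; any
# name under /etc/sysctl.d works on distributions that read that directory.
persist_xfrm_larval_drop() {
    conf="${1:-/etc/sysctl.d/90-xfrm-larval-drop.conf}"
    printf 'net.core.xfrm_larval_drop = 1\n' > "$conf"
    sysctl -p "$conf"
}
```

Run `xfrm_larval_drop_state` with no argument on the name server to check the live kernel; a "disabled" result means zone transfers over a downed ipsec link can still wedge named as described above.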
