Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"

Mukund Sivaraman muks at mukund.org
Sat Apr 27 00:33:22 UTC 2019


On Fri, Apr 26, 2019 at 10:08:43PM +0200, Havard Eidnes via bind-users wrote:
> > (2) We'll look at tweaking this log message, but if you want to just not
> > see this log message, just recompile after removing the offending CTRACE
> > statement from bin/named/query.c. In fact, this code is normally enabled
> > when configured with --enable-querytrace. Do you have query tracing
> > configured? Is seeing this additional log message so inconvenient then?
> 
> I think there must be something wrong with the log message.  It
> seems excessive to log this message about once per query,
> especially since it seems to (misleadingly?) indicate an error
> condition?  I'm not intimate enough with the code to suggest what
> the exact problem is, though.
> 
> And ... as stated, configuring without --enable-querytrace
> removes the log message.

I can't speak for ISC BIND 9 (you seem to have mailed my old email
address), but --enable-querytrace was not meant to be used in
production. One should expect to observe excessive logging when it is
configured so, because that's what the configure argument implies
("perform abundant logging about query processing even if it hurts
performance").

To summarize, the log message is that the code has observed something
unexpected (the carpet has been pulled from under it) but it copes with
it. Perhaps the logging call can be removed from the code.

In more detail, BIND uses a per-view RPZ summary data structure from the
contents of response policy zones configured within that view. The
summary data structure is a singular combination of the contents of all
the RPZ zones from that view, so that queried names can be efficiently
matched against RPZ triggers in the query path. The summary
data structure is built and updated when the RPZ zones it is dependent on
are updated. The logged message complains that the RPZ summary
data structure is out-of-sync with the RPZ zones, and so named was not
able to look up the action for a trigger from the RPZ zone it was looking
at. In this case, named tries to continue from the next matching zone in
precedence.

		Mukund
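
The behaviour described in the message above, as a simplified model added here (not BIND's code and not part of the original post): a stale summary points at a zone that no longer holds the rule, the lookup counts a mismatch and continues with the next zone in precedence. The flat arrays, the bitmask and every name (`rewrite_name`, `zone_find`, `demo`, the `.example` triggers) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NZONES 2
/* Toy model: each policy zone maps trigger names to an action string. */
struct rule { const char *name; const char *action; };
struct zone { struct rule rules[4]; int nrules; };
/* Summary entry: one trigger name and a bitmask of zones said to hold it. */
struct summary { const char *name; unsigned zbits; };
static int mismatches; /* times the summary named a zone lacking the rule */

static const char *zone_find(const struct zone *z, const char *name) {
    for (int i = 0; i < z->nrules; i++)
        if (strcmp(z->rules[i].name, name) == 0)
            return z->rules[i].action;
    return NULL;
}

/* Consult the summary first, then walk candidate zones in precedence order
 * (index 0 is highest). A zone the summary names but that no longer has the
 * rule counts as a mismatch, and the search continues with the next zone. */
static const char *rewrite_name(const struct summary *s, int ns,
                                const struct zone *zones, const char *qname) {
    unsigned zbits = 0;
    for (int i = 0; i < ns; i++)
        if (strcmp(s[i].name, qname) == 0)
            zbits = s[i].zbits;
    for (int z = 0; z < NZONES; z++) {
        if (!(zbits & (1u << z))) continue; /* summary rules this zone out */
        const char *action = zone_find(&zones[z], qname);
        if (action != NULL)
            return action;
        mismatches++; /* summary out of sync with this zone; continuing */
    }
    return NULL; /* no policy applies */
}

/* Constructed scenario: zone 0 dropped its rule but the summary is stale. */
static const char *demo(void) {
    struct zone zones[NZONES] = {
        { { { "ok.example", "PASSTHRU" } }, 1 },
        { { { "bad.example", "NXDOMAIN" } }, 1 },
    };
    struct summary sum[] = { { "bad.example", 0x3 }, { "ok.example", 0x1 } };
    mismatches = 0;
    return rewrite_name(sum, 2, zones, "bad.example");
}

int main(void) { printf("%s, mismatches=%d\n", demo(), mismatches); return 0; }
```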

