bind 9.16 vs. 9.14 tcp client connections

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Apr 13 18:43:07 UTC 2020


Hello all,

I believe this problem should be fixed in 9.16.1:

5361.	[bug]		named might not accept new connections after
			hitting tcp-clients quota. [GL #1643]

However, we had two authoritative name servers running 9.16.1 which
stopped accepting new TCP connections after the tcp-clients quota was
reached. This is indicated when running "rndc status" and checking "TCP
high-water" or in the bind logs:

general: error: TCP connection failed: quota reached

It looks like "tcp-clients" quota is per server address. It only stopped
accepting new TCP connections for "some" server addresses, where "some"
means the server address for which the quota was reached. For
example, one server had dual stack and it only affected IPv4.

I had a look at the PCAP, DSC statistics and graphs plotted from bind
statistics server. In all cases, I have no explanation why the
tcp-clients quota was reached at all. TCP query volume seems normal
(low) until the quota is reached and then it drops even more.

Daniel
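
As an added check (not code from this thread or from ISC), a small parser that reads `rndc status` output and named log lines and reports whether the tcp-clients quota has been hit, using the two signals named above. The `tcp clients: N/M` and `TCP high-water: N` line formats are assumed from 9.16 output, and all sample values are constructed:

```python
import re

# Constructed sample of "rndc status" output (line format assumed from
# BIND 9.16); only the lines relevant to the TCP quota are included.
SAMPLE_STATUS = """\
version: BIND 9.16.1 (Stable Release) <id:PLACEHOLDER>
recursive clients: 0/900/1000
tcp clients: 150/150
TCP high-water: 150
server is up and running
"""

# Constructed named log lines in the default "category: severity: message" form.
SAMPLE_LOG = """\
13-Apr-2020 18:40:01.123 general: error: TCP connection failed: quota reached
13-Apr-2020 18:40:01.456 queries: info: client 192.0.2.10#53000 (example.com): query: example.com IN A +T (198.51.100.1)
"""

TCP_CLIENTS_RE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)\s*$", re.M)
HIGH_WATER_RE = re.compile(r"^TCP high-water:\s*(\d+)\s*$", re.M)
QUOTA_MSG = "TCP connection failed: quota reached"


def parse_status(text):
    """Return (current, limit, high_water) from rndc status output, or None if absent."""
    m = TCP_CLIENTS_RE.search(text)
    h = HIGH_WATER_RE.search(text)
    if not m or not h:
        return None
    return int(m.group(1)), int(m.group(2)), int(h.group(1))


def count_quota_errors(log_text):
    """Number of 'quota reached' errors logged by named."""
    return sum(1 for line in log_text.splitlines() if QUOTA_MSG in line)


def quota_hit(status_text, log_text):
    """True if the high-water mark reached the tcp-clients limit or named
    logged a quota-reached error; either means a TCP client was refused."""
    parsed = parse_status(status_text)
    by_status = parsed is not None and parsed[2] >= parsed[1]
    return by_status or count_quota_errors(log_text) > 0


if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS))        # (150, 150, 150)
    print(quota_hit(SAMPLE_STATUS, SAMPLE_LOG))  # True
```

Note that `rndc status` reports a single server-wide figure, so it cannot show which listening address hit its quota; for that, the per-address behaviour described above still has to be inferred from the logs or from a packet capture.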


On 06.03.20 02:52, Michael McNally wrote:
> Hello --
> 
> Subscribers who are also subscribed to the bind-announce list will now
> have received our Operational Notification concerning this issue.
> If you're not a subscriber to that list..  why not?  (it's low
> traffic and only carries important announcements, generally about releases
> and security issues). But in any case you can view the Operational Notification
> via the list archives:
> 
>   https://lists.isc.org/pipermail/bind-announce/2020-March/001150.html
> 
> or via our knowledge base:
> 
> 
> https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160
> 
> The short version, though, is that we introduced a problem with TCP client
> quota enforcement during the later releases of the 9.15 development branch
> which was not noticed until 9.16.0.  A fix is available and a patch diff can
> be found linked from either version of the Operational Notification links
> above.
> 
> Apologies,
> 
> Michael McNally
> ISC Support