Archive for August, 2009

Missing IPv4 or IPv6 connection and Running BIND on Solaris?

2009-08-27

BIND 9’s named(1M) performance can be vastly improved when running on the Solaris operating environment on a host where either no IPv4 or no IPv6 connectivity is available.

The issue is documented in the named(1M) manual page:

BUGS
By default, named attempts to contact remote name servers by either their IPv4 or IPv6 address, even though the host system does not have either IPv4 or IPv6 connectivity (that is, a configured and active interface). To address this issue, either provide the missing connectivity or use the relevant -4 or -6 command line option. When using svccfg(1M), set application property options/ip_interfaces to either IPv4 or IPv6.

Essentially, ‘named’ receives both IPv4 and IPv6 addresses for name servers. As it goes about resolving queries it attempts to send UDP packets to those addresses. Ideally it would be informed that the transport is missing and fail quickly. Alas, defect 6320428 “sendto() should return errors up the stack” means that does not happen, and so ‘named’ waits for a response that is never going to come.

As an example, let's take a peek at the root name server addresses using dig (domain Internet Groper):

$ dig . ns
; <<>> DiG 9.3.6-P1 <<>> . ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 878
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; QUESTION SECTION:
;.				IN	NS
;; ANSWER SECTION:
.			498528	IN	NS	c.root-servers.net.
.			498528	IN	NS	d.root-servers.net.
.			498528	IN	NS	e.root-servers.net.
.			498528	IN	NS	f.root-servers.net.
.			498528	IN	NS	g.root-servers.net.
.			498528	IN	NS	h.root-servers.net.
.			498528	IN	NS	i.root-servers.net.
.			498528	IN	NS	j.root-servers.net.
.			498528	IN	NS	k.root-servers.net.
.			498528	IN	NS	l.root-servers.net.
.			498528	IN	NS	m.root-servers.net.
.			498528	IN	NS	a.root-servers.net.
.			498528	IN	NS	b.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net.	498238	IN	A	198.41.0.4
a.root-servers.net.	195801	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	593090	IN	A	192.228.79.201
c.root-servers.net.	412662	IN	A	192.33.4.12
d.root-servers.net.	592857	IN	A	128.8.10.90
e.root-servers.net.	419480	IN	A	192.203.230.10
g.root-servers.net.	26029	IN	A	192.112.36.4
i.root-servers.net.	592963	IN	A	192.36.148.17
j.root-servers.net.	498528	IN	A	192.58.128.30
j.root-servers.net.	498528	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	593006	IN	A	193.0.14.129
k.root-servers.net.	589950	IN	AAAA	2001:7fd::1
l.root-servers.net.	3378	IN	A	199.7.83.42
l.root-servers.net.	195801	IN	AAAA	2001:500:3::42
;; Query time: 3 msec
;; SERVER: 129.156.86.11#53(129.156.86.11)
;; WHEN: Thu Aug 27 12:53:49 2009
;; MSG SIZE  rcvd: 500

As documented in named(1M), the solution is to enable only the IPv4 or only the IPv6 transport. On Solaris 10 or later this is done with SMF properties:

Example 1 Configuring named to Transmit Only over IPv4 Networks
The following command sequence configures named such that it will transmit only over IPv4 networks.
# svccfg -s svc:network/dns/server:default setprop \
> options/ip_interfaces=IPv4
# svcadm refresh svc:network/dns/server:default
#

On Solaris 8 or 9, modify the init.d(4) script /etc/init.d/inetsvc and append either -4 or -6 to the BIND 9 startup line.

Note BIND 9 should be used as documented in SunAlert 239392.

For example, the following is an excerpt from a modified /etc/init.d/inetsvc that starts named(1M) so that it uses only the IPv4 transport:

if [ -f /usr/lib/dns/named -a -f /etc/named.conf ]; then
	echo 'starting internet domain name server.'
	# -4 restricts named to IPv4 transport; use -6 on an IPv6-only host
	/usr/lib/dns/named -4 &
fi

By limiting ‘named’ to the transport that is actually available, its performance is vastly improved.
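Added example (mine, not code from the post or from BIND): it parses A/AAAA glue of the kind shown in the dig ADDITIONAL section above, checks which address family the local kernel can actually route (the check that named cannot rely on while defect 6320428 leaves sendto() silent), and maps the result onto the -4/-6 option. The trimmed sample records, the function names and the UDP-connect route check are my own assumptions.

```python
import socket

# Constructed sample: a few ADDITIONAL-section records copied from the dig output above.
DIG_ADDITIONAL = """\
a.root-servers.net.  498238  IN  A     198.41.0.4
a.root-servers.net.  195801  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  593090  IN  A     192.228.79.201
j.root-servers.net.  498528  IN  AAAA  2001:503:c27::2:30
k.root-servers.net.  589950  IN  AAAA  2001:7fd::1
"""
FAMILY = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}  # spelling of options/ip_interfaces
RRTYPE = {"A": "IPv4", "AAAA": "IPv6"}

def parse_glue(text):
    """Split A/AAAA glue into {'IPv4': [(name, addr)], 'IPv6': [...]}."""
    glue = {"IPv4": [], "IPv6": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue
        name, _ttl, _cls, rtype, addr = fields
        if rtype in RRTYPE:
            glue[RRTYPE[rtype]].append((name, addr))
    return glue

def transport_usable(family, addr, port=53):
    """Route check: connect() on a UDP socket picks a route and source address, sends nothing."""
    try:
        with socket.socket(FAMILY[family], socket.SOCK_DGRAM) as s:
            s.connect((addr, port))
        return True
    except OSError:  # EAFNOSUPPORT, ENETUNREACH, ...
        return False

def choose_named_option(usable):
    """Flag restricting named to the one working transport; None when both or neither work."""
    v4, v6 = usable.get("IPv4", False), usable.get("IPv6", False)
    return "-4" if v4 and not v6 else "-6" if v6 and not v4 else None

def unreachable_targets(glue, usable):
    """Addresses an unrestricted named would send to and then wait on."""
    return [addr for fam, recs in glue.items() if not usable.get(fam, False)
            for _name, addr in recs]

def probe(text=DIG_ADDITIONAL):
    """Live check on this host: returns (usable, option, addresses named would wait on)."""
    glue = parse_glue(text)
    usable = {fam: any(transport_usable(fam, a) for _n, a in recs)
              for fam, recs in glue.items()}
    return usable, choose_named_option(usable), unreachable_targets(glue, usable)
```

Feeding probe() the full ADDITIONAL section of a real `dig . ns` run on the server shows, before named is restarted, exactly which root server addresses it would otherwise wait on.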

BIND 9.3.6 and beyond require poll

2009-08-26

BIND 9.3.6-P1 requires poll(7d) in order to recover the networking performance that was very badly impacted by the changes applied to BIND to help fight off the Kaminsky attack (Sun Alert 239392).

If BIND’s named process is running within a chroot(2) environment, that environment needs the poll device installed. I recommend using zones(5) and Role-Based Access Control, rbac(5), rather than chroot environments, which also avoids this issue.

Example 1: missing poll device:

# /usr/sbin/named -t /var/named -u dns -f -g
31-Jan-2009 21:07:16.697 starting BIND 9.3.6 -t /var/named -u dns -f -g
31-Jan-2009 21:07:16.697 found 8 CPUs, using 8 worker threads
31-Jan-2009 21:07:16.715 socket.c:3259: unexpected error:
31-Jan-2009 21:07:16.715 open(/dev/poll) failed: No such file or directory
31-Jan-2009 21:07:16.715 ./main.c:495: unexpected error:
31-Jan-2009 21:07:16.715 isc_socketmgr_create() failed: file not found
31-Jan-2009 21:07:16.715 create_managers() failed: unexpected error
31-Jan-2009 21:07:16.715 exiting (due to early fatal error)

The ‘-t /var/named’ option causes named to use /var/named as its chroot directory. named is unable to continue because the required device /dev/poll is missing from that directory.

To address the missing poll device, simply create it inside the chroot:

Example 2: Create the poll device with the same major and minor numbers as the root (/) device using mknod(1M)

# ls -ld /devices/pseudo/poll@0:poll
crw-rw-rw-  1 root  sys  138, 0 May 28 04:25 /devices/pseudo/poll@0:poll
# cd /var/named/dev
# ls
null    random
# mknod poll c 138 0
# chmod 666 poll

If using SMF, remember to clear and re-enable the service:

# svcadm clear svc:/network/dns/server:default
# svcadm enable svc:/network/dns/server:default
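Added example (mine, not from the post or from BIND): it reads the major and minor numbers of the real device with os.stat(), compares them with the node under <chroot>/dev, and reports a match, a mismatch, or the mknod/chmod command that Example 2 runs by hand; a second function performs that step as root. The Solaris device path comes from the post; the function names and the /var/named chroot are my assumptions.

```python
import os
import stat

# Real poll device node on Solaris (path from the post). On other systems
# pass any existing character device, e.g. /dev/null, to exercise the code.
SOLARIS_POLL = "/devices/pseudo/poll@0:poll"

def device_numbers(path):
    """Return ('c' or 'b', major, minor) for a device node, else None."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        return None
    return kind, os.major(st.st_rdev), os.minor(st.st_rdev)

def plan_chroot_device(chroot, name, source):
    """Compare <chroot>/dev/<name> with the source device: 'ok' when a matching
    node exists, 'mismatch' when a node with other numbers exists, the
    mknod/chmod command when it is missing, None when the source is absent."""
    src = device_numbers(source)
    if src is None:
        return None
    kind, maj, mnr = src
    target = os.path.join(chroot, "dev", name)
    have = device_numbers(target)
    if have == src:
        return "ok"
    if have is not None:
        return "mismatch"
    return "mknod %s %s %d %d && chmod 666 %s" % (target, kind, maj, mnr, target)

def create_chroot_device(chroot, name, source):
    """Create the node for real (needs root): the mknod(1M) and chmod steps of
    Example 2. Returns True when the new node matches the source device."""
    kind, maj, mnr = device_numbers(source)
    target = os.path.join(chroot, "dev", name)
    mode = (stat.S_IFCHR if kind == "c" else stat.S_IFBLK) | 0o666
    os.mknod(target, mode, os.makedev(maj, mnr))
    os.chmod(target, 0o666)  # mknod applies the umask; match the post's chmod 666
    return device_numbers(target) == (kind, maj, mnr)
```

On the server, plan_chroot_device("/var/named", "poll", SOLARIS_POLL) prints the exact mknod line for the chroot, and the same call for null and random audits the nodes the post's ls already shows.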

See also CR 6799867