Bind is flooding the logs with:

<daemon.err> mainserver named[46536]: setsockopt(26, TCP_FASTOPEN) failed with Protocol not available

What does it mean? is it a kernel option which is disabled?

[cmd]uname -a[/cmd]
FreeBSD mainserver.flissinger.local 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #66: Fri Jan 13 17:43:28 CET 2017     donald@mainserver.flissinger.local:/usr/obj/usr/src/sys/MAINSERVER  amd64

[cmd]pkg info bind911[/cmd]
Name           : bind911
Version        : 9.11.0P2_1
Installed on   : Thu Jan 12 21:44:08 2017 CET
Origin         : dns/bind911
Architecture   : freebsd:11:x86:64
Prefix         : /usr/local
Categories     : net dns ipv6
Licenses       : MPL
Maintainer     :
WWW            :
Comment        : BIND DNS suite with updated DNSSEC and DNS64
Options        :
        DLZ_BDB        : off
        DLZ_FILESYSTEM : on
        DLZ_LDAP       : off
        DLZ_MYSQL      : on
        DLZ_POSTGRESQL : off
        DLZ_STUB       : off
        DNSTAP         : off
        DOCS           : off
        FILTER_AAAA    : on
        FIXED_RRSET    : on
        GEOIP          : on
        GOST           : on
        GOST_ASN1      : off
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : on
        GSSAPI_NONE    : off
        IDN            : on
        IPV6           : on
        JSON           : on
        LARGE_FILE     : on
        LMDB           : on
        MINCACHE       : off
        NATIVE_PKCS11  : off
        PORTREVISION   : off
        PYTHON         : off
        QUERYTRACE     : off
        RPZ_NSDNAME    : on
        RPZ_NSIP       : on
        SIGCHASE       : on
        SSL            : on
        START_LATE     : off
        THREADS        : on
Shared Libs required:
Annotations    :
        cpe            : cpe:2.3:a:isc:bind:9.11.0:p2::::freebsd11:x64:1
Flat size      : 55.7MiB
Description    :
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
     e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support

See the CHANGES file for more information on new features.


It's the same as but with another bind version.
How to enable TCP_FASTOPEN in FreeBSD or how to disable it in bind?

Who can help me out?
Had to look for it, both 10.3 and 11.0 should have the option but it's turned off by default:

The code refers to several new sysctl(8) and options, these are probably the most important:
 * This implementation is currently considered to be experimental and is not
 * included in kernel builds by default.  To include this code, add the
 * following line to your kernel config:
 * options TCP_RFC7413

net.inet.tcp.fastopen.enabled (RW, default 0)
	 *     When zero, no new TFO connections can be created.  On the transition
	 *     from enabled to disabled, all installed keys are removed.  On the 
	 *     transition from disabled to enabled, if net.inet.tcp.fastopen.autokey
	 *     is non-zero and there are no keys installed, a new key will be 
	 *     generated immediately.  The transition from enabled to disabled does
	 *     not affect any TFO connections in progress; it only prevents new ones
	 *     from being made.
Nice, good to know as I may upgrade BIND in the near future. But first I have to deal with migrating a bunch of servers from MySQL 5.5 to 5.7 and Apache 2.2 to 2.4.
root@server:~ # [CMD]uname -a[/CMD]
FreeBSD mydomain 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #0: Sun Mar  5 21:18:10 COT 2017     root@mydomain:/usr/obj/usr/src/sys/MYKERNEL  amd64
root@server:~ #
No errors from bind911 on FreeBSD 11.0.
root@server:~ # [CMD]pkg info | grep bind[/CMD]
bind911-9.11.0P3               BIND DNS suite with updated DNSSEC and DNS64
root@server:~ # [CMD]cat /etc/sysctl.conf | grep enable[/CMD]
root@server:~ # [CMD]sysctl net.inet.tcp.fastopen.enabled=1[/CMD]
net.inet.tcp.fastopen.enabled: 1 -> 1
root@server:~ #
Mar  6 17:28:24 server named[595]: socket.c:5681: unexpected error:
Mar  6 17:28:24 server named[595]: setsockopt(66, TCP_FASTOPEN) failed with Protocol not available
In order to save time and effort I added " options TCP_RFC7413" to " /boot/loader.conf", how megapearl suggested. When server reloads displayed the same error... and I must be to compiled my kernel again.

Reference to:
TFO TCP Fast Open TCP_RFC7413
I followed these steps suggested on "" and adapted by me in order to build my custom kernel.
cd /usr/src/sys/amd64/conf
mv TCPOPEN /root/kernels/TCPOPEN
ln -s /root/kernels/TCPOPEN
cd /root/kernels/

Next I added to the end of file:
options         TCP_RFC7413
cd /usr/src
make buildkernel KERNCONF=TCPOPEN

objcopy --only-keep-debug zlib.ko.full zlib.ko.debug
objcopy --strip-debug --add-gnu-debuglink=zlib.ko.debug  zlib.ko.full zlib.ko
>>> Kernel build for TCPOPEN completed on Mon Mar  6 17:50:22 COT 2017
root@server:/usr/src #
make installkernel KERNCONF=TCPOPEN
install -T debug -o root -g wheel -m 555   zlib.ko.debug /usr/lib/debug/boot/kernel/
kldxref /boot/kernel
root@server:/usr/src #
root@server:~/kernels #
[CMD]uname -a[/CMD]
FreeBSD mydomain 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #1: Mon Mar  6 17:39:37 COT 2017     root@mydomain:/usr/obj/usr/src/sys/TCPOPEN  amd64
Last edited:
So wmoreno3 FreeBSD 11.0 doesn't work with bind911 with GENERIC kernel?

This issue only applies to
protocol. I have at home an Intel Server as a Gateway based on FreeBSD 11.0, and I do not have any problems to test it, but in production you must to take care.
runs fine with my FreeBSD Generic Kernel, except by the issue. For now.
It seems that this issue with
finish, I did not need to rebuilt again my kernel when I ran
freebsd-update fetch install
root@server:~ # uname -a
FreeBSD mydomain 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #3: Wed Feb 14 05:28:12 -05 2018     root@mydomain:/usr/obj/usr/src/sys/TCPOPEN  amd64
root@server:~ # pkg info | grep bind9
bind911-9.11.3_1               BIND DNS suite with updated DNSSEC and DNS64
Thanks all.