TCP_FASTOPEN

megapearl

Member

Reaction score: 8
Messages: 86

Hi,

Bind is flooding the logs with:

Code:
<daemon.err> mainserver named[46536]: setsockopt(26, TCP_FASTOPEN) failed with Protocol not available
What does it mean? is it a kernel option which is disabled?

Code:
[cmd]uname -a[/cmd]
FreeBSD mainserver.flissinger.local 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #66: Fri Jan 13 17:43:28 CET 2017     donald@mainserver.flissinger.local:/usr/obj/usr/src/sys/MAINSERVER  amd64
Code:
[cmd]pkg info bind911[/cmd]
bind911-9.11.0P2_1
Name           : bind911
Version        : 9.11.0P2_1
Installed on   : Thu Jan 12 21:44:08 2017 CET
Origin         : dns/bind911
Architecture   : freebsd:11:x86:64
Prefix         : /usr/local
Categories     : net dns ipv6
Licenses       : MPL
Maintainer     : mat@FreeBSD.org
WWW            : https://www.isc.org/software/bind
Comment        : BIND DNS suite with updated DNSSEC and DNS64
Options        :
        DLZ_BDB        : off
        DLZ_FILESYSTEM : on
        DLZ_LDAP       : off
        DLZ_MYSQL      : on
        DLZ_POSTGRESQL : off
        DLZ_STUB       : off
        DNSTAP         : off
        DOCS           : off
        FILTER_AAAA    : on
        FIXED_RRSET    : on
        GEOIP          : on
        GOST           : on
        GOST_ASN1      : off
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : on
        GSSAPI_NONE    : off
        IDN            : on
        IPV6           : on
        JSON           : on
        LARGE_FILE     : on
        LMDB           : on
        MINCACHE       : off
        NATIVE_PKCS11  : off
        PORTREVISION   : off
        PYTHON         : off
        QUERYTRACE     : off
        RPZ_NSDNAME    : on
        RPZ_NSIP       : on
        SIGCHASE       : on
        SSL            : on
        START_LATE     : off
        THREADS        : on
Shared Libs required:
        libcom_err.so.3.0
        libgssapi_krb5.so.2.2
        libk5crypto.so.3.1
        libmysqlclient.so.18
        libkrb5.so.3.3
        libidnkit.so.1
        liblmdb.so.0
        libGeoIP.so.1
        libjson-c.so.2
        libedit.so.0
        libxml2.so.2
        libcrypto.so.9
Annotations    :
        cpe            : cpe:2.3:a:isc:bind:9.11.0:p2::::freebsd11:x64:1
Flat size      : 55.7MiB
Description    :
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
     e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support

See the CHANGES file for more information on new features.

WWW: https://www.isc.org/software/bind
It's the same as https://forums.freebsd.org/threads/59348/ but with another bind version.
How to enable TCP_FASTOPEN in FreeBSD or how to disable it in bind?

Who can help me out?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,793
Messages: 33,081

Had to look for it, both 10.3 and 11.0 should have the option but it's turned off by default:
https://svnweb.freebsd.org/base?view=revision&revision=292706

The code refers to several new sysctl(8) and options, these are probably the most important:
Code:
 * This implementation is currently considered to be experimental and is not
 * included in kernel builds by default.  To include this code, add the
 * following line to your kernel config:
 *
 * options TCP_RFC7413
Code:
net.inet.tcp.fastopen.enabled (RW, default 0)
	 *     When zero, no new TFO connections can be created.  On the transition
	 *     from enabled to disabled, all installed keys are removed.  On the 
	 *     transition from disabled to enabled, if net.inet.tcp.fastopen.autokey
	 *     is non-zero and there are no keys installed, a new key will be 
	 *     generated immediately.  The transition from enabled to disabled does
	 *     not affect any TFO connections in progress; it only prevents new ones
	 *     from being made.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,793
Messages: 33,081

Nice, good to know as I may upgrade BIND in the near future. But first I have to deal with migrating a bunch of servers from MySQL 5.5 to 5.7 and Apache 2.2 to 2.4.
 

wmoreno3

Member

Reaction score: 6
Messages: 81

Code:
root@server:~ # [CMD]uname -a[/CMD]
FreeBSD mydomain 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #0: Sun Mar  5 21:18:10 COT 2017     root@mydomain:/usr/obj/usr/src/sys/MYKERNEL  amd64
root@server:~ #
No errors from bind911 on FreeBSD 11.0.
Code:
root@server:~ # [CMD]pkg info | grep bind[/CMD]
bind911-9.11.0P3               BIND DNS suite with updated DNSSEC and DNS64
root@server:~ # [CMD]cat /etc/sysctl.conf | grep enable[/CMD]
net.inet.tcp.fastopen.enabled=1
root@server:~ # [CMD]sysctl net.inet.tcp.fastopen.enabled=1[/CMD]
net.inet.tcp.fastopen.enabled: 1 -> 1
root@server:~ #
 

wmoreno3

Member

Reaction score: 6
Messages: 81

Code:
Mar  6 17:28:24 server named[595]: socket.c:5681: unexpected error:
Mar  6 17:28:24 server named[595]: setsockopt(66, TCP_FASTOPEN) failed with Protocol not available
In order to save time and effort I added " options TCP_RFC7413" to " /boot/loader.conf", how megapearl suggested. When server reloads displayed the same error... and I must be to compiled my kernel again.

Reference to:
Code:
TFO TCP Fast Open TCP_RFC7413
I followed these steps suggested on "https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html" and adapted by me in order to build my custom kernel.
cd /usr/src/sys/amd64/conf
cp GENERIC TCPOPEN
mv TCPOPEN /root/kernels/TCPOPEN
ln -s /root/kernels/TCPOPEN
cd /root/kernels/
vi TCPOPEN

Next I added to the end of file:
Code:
# TFO TCP Fast Open TCP_FASTOPEN
options         TCP_RFC7413
cd /usr/src
make buildkernel KERNCONF=TCPOPEN

Code:
objcopy --only-keep-debug zlib.ko.full zlib.ko.debug
objcopy --strip-debug --add-gnu-debuglink=zlib.ko.debug  zlib.ko.full zlib.ko
--------------------------------------------------------------
>>> Kernel build for TCPOPEN completed on Mon Mar  6 17:50:22 COT 2017
--------------------------------------------------------------
root@server:/usr/src #
make installkernel KERNCONF=TCPOPEN
Code:
install -T debug -o root -g wheel -m 555   zlib.ko.debug /usr/lib/debug/boot/kernel/
kldxref /boot/kernel
root@server:/usr/src #
root@server:~/kernels #
[CMD]uname -a[/CMD]
FreeBSD mydomain 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #1: Mon Mar  6 17:39:37 COT 2017     root@mydomain:/usr/obj/usr/src/sys/TCPOPEN  amd64
 
Last edited:

wmoreno3

Member

Reaction score: 6
Messages: 81

So wmoreno3 FreeBSD 11.0 doesn't work with bind911 with GENERIC kernel?
This issue only applies to
Code:
TCP_FASTOPEN
protocol. I have at home an Intel Server as a Gateway based on FreeBSD 11.0, and I do not have any problems to test it, but in production you must to take care.
Code:
bind911-9.11.0P3
runs fine with my FreeBSD Generic Kernel, except by the issue. For now.
 

wmoreno3

Member

Reaction score: 6
Messages: 81

It seems that this issue with
Code:
TCP_FASTOPEN
finish, I did not need to rebuilt again my kernel when I ran
Code:
freebsd-update fetch install
Code:
root@server:~ # uname -a
FreeBSD mydomain 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #3: Wed Feb 14 05:28:12 -05 2018     root@mydomain:/usr/obj/usr/src/sys/TCPOPEN  amd64
root@server:~ # pkg info | grep bind9
bind911-9.11.3_1               BIND DNS suite with updated DNSSEC and DNS64
Thanks all.
 
Top