[RPZ] RPZ &/or RL patches still needed for 9.9.3?

Vernon Schryver vjs at rhyolite.com
Wed May 29 16:55:48 UTC 2013


> From: darx+dnsrpz at sent.com

> if I plan to upgrade to 9.9.3, and want the 'same level of
> functionality' (wrt RPZ & RRL) I've had with 9.9.2-P2 + the combined
> patch referenced above,

You didn't say which combined 9.9.2-P2 patch you have been using.
There are two sets of combined patches, "Single Zone Response Policy
Zone (RPZ) Speed Improvement with RRL" and "Multiple Zone Response
Policy Zone (RPZ2) Speed Improvement with RRL".

>                         do I need to (eventually) patch 9.9.3 ?  or,
> moving forward, are the patches only for new/additional functionality
> beyond what's already been integrated/implemented in 9.9.3?

There is no RRL support in 9.9.3.  I think RRL is in a current or
forthcoming subscription release.  See
https://www.isc.org/wordpress/support/open-source-software-support/
http://www.dns-co.com/solutions/bind/

BIND 9.9.3 includes the single zone RPZ speed improvements but not
the multiple zone speed improvements.  That is why among the "Separate
Single Zone Response Policy Zone (RPZ) Speed Improvement Patches" and
under the link to the BIND9 9.9.3rc2 source, there is the note
"contains the single zone RPZ speed improvements".

I expect a future RRL+RPZ patch for 9.9.3 to contain the previous
multiple policy zone speed improvements, client-ID triggers, response
dropping policies, and RRL.


> I'm trying to better understand 9.9.3's requirements & behavior to
> troubleshoot my 1st experience with it ... a 9.9.3 build from source
> went without a hitch, but *launching* it logs just a couple of RPZ zone
> errors and an almost immediate "BUG: soft lockup - CPU#0 stuck for ...
> seconds" error that kills any further logging, and prevents me from even
> s/w rebooting the box, requiring a hardware power toggle.
>
> Dropping back to a 9.9.2-P2+patch build/install/launch gets me back to a
> perfectly working state.

It is an egregious kernel bug to allow any application to lock up a
system, no matter what stupid, wrong craziness is done by the application.
That said, you might want to file a bug report;
https://www.isc.org/software/bind/news suggests bind9-bugs at isc.org.

Trying "beta" and "release candidate" releases is a good thing.  Fixes
are easier for everyone including those who try the pre-releases when
problems are found before official releases.

It might be good to check for errors in permissions and ownership
of /etc/namedb, log files and directories, slave and master
directories, and so forth.  I've seen a complaint about some version
of BIND responding poorly and with far too much effort to bad
permissions or ownership on the files or directories it changes.
I don't remember when or where I saw the report or whether it was
about current or past versions.  I only skimmed it enough to see
that it didn't seem relevant to my concerns.


Vernon Schryver    vjs at rhyolite.com
