Problem upgrading 9.18 to 9.20: dnstap doesnt work

Peter 'PMc' Much Fri, 26 Jun 2026 17:10:04 -0700


A while back I upgraded an internal server from 9.18 to 9.20.
Everything works fine there.


Now I upgraded a public server (rented KVM). Same config, same
infrastructure. It probably works, but there is no dnstap output, so I
am blind. 

I put a hexdump on the socket like so (before starting named):

root@wand:/tmp # /usr/bin/stdbuf -o 0 /usr/local/bin/fstrm_capture \
   -t protobuf:dnstap.Dnstap -u /var/named//var/run/dnstap.sock -w - | hd
fstrm_capture: opening Unix socket path /var/named//var/run/dnstap.sock
fstrm_capture: opened output file -
00000000  00 00 00 00 00 00 00 22  00 00 00 02 00 00 00 01  |......."........|
00000010  00 00 00 16 70 72 6f 74  6f 62 75 66 3a 64 6e 73  |....protobuf:dns|

And that is all that appears.
I delete 9.20 and reinstall/restart 9.18, and immediately some
proper hexdump output follows up. 

Other approach: I change the config file from
        dnstap-output unix "/var/run/dnstap.sock";
        dnstap { all; };
to some file output - and that file appears and grows along with
apparently proper data. But that is not what I need.

So what is wrong here?
The fstrm/protobuf/libraries stuff apparently not, otherwise
it wouldnt be able to write the data to file output.
The socket/permissions/fstrm_capture stuff apparently not, otherwise
9.18 wouldn't work for 9.18 within the same invocation.
The infrastructure/OS/configuration/9.20 stuff apparently not,
otherwise it wouldn't work nicely on the internal machine.

What remains?

Cross-check:
1. try installing the binary from the internal machine -> doesn't
   run (illegal instruction) - that one is compiled for Haswell,
   and apparently the KVM cannot do that (I have no idea what the
   KVM actually is, so I compile it for "x86-64").
2. try the other way round. That works! And it produces dnstap
   output! So the problem is not with the binary, it's with the
   machine.

What has been changed between 9.18 and 9.20, so on a rented KVM
running FreeBSD 14 it does no longer write dnstap to a unixsocket?

I tried debugging, but the "dnstap" channel writes an occasional
"closing dnstap" and not more, and  "-d 99 -g" writes some line
"opening dnstap destination '/var/run/dnstap.sock'" - and that's
it.

I had a glance into dns/dnstap.c - but it doesn't look really
inviting in these days at 38°C ambient - so this is a showstopper
for now.
Any creative ideas to shorten that path are greatly welcomed.


In case this might be of interest:

<13>1 2026-06-27T01:15:19.835699+02:00 wand.daemon.contact pkg 7616 - - 
bind920-9.20.24 installed
<29>1 2026-06-27T01:15:29.072644+02:00 wand.daemon.contact named 7720 - - 
starting BIND 9.20.24 (Stable Release) <id:>
<29>1 2026-06-27T01:15:29.073199+02:00 wand.daemon.contact named 7720 - - 
running on FreeBSD amd64 14.4-RELEASE-p6 FreeBSD 14.4-RELEASE-p6 
[430b8c6c5d2f=3d95ec875867+55] M6R14V1
<29>1 2026-06-27T01:15:29.073222+02:00 wand.daemon.contact named 7720 - - built 
with  '--enable-dnsrps' '--localstatedir=/var' 
'--sysconfdir=/usr/local/etc/namedb' '--with-openssl=/usr' 
'--with-readline=libedit' '--disable-tracing' '--enable-dnstap' 
'--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' 
'--without-gssapi' '--with-libidn2=/usr/local' '--disable-largefile' 
'--without-lmdb' '--disable-querytrace' '--with-json-c' '--with-libxml2' 
'--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/share/man' 
'--disable-silent-rules' '--infodir=/usr/local/share/info/' 
'--build=amd64-portbld-freebsd14.4' 'build_alias=amd64-portbld-freebsd14.4' 
'CC=cc' 'CFLAGS=-O2 -pipe -march=x86-64  -DLIBICONV_PLUG 
-fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 
'LDFLAGS= -L/usr/local/lib -ljson-c  ' 'LIBS=-L/usr/local/lib' 
'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 
'PKG_CONFIG=pkgconf' 
'PKG_CONFIG_LIBDIR=/var/local/ports/usr/ports/dns/bind920/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig'
<29>1 2026-06-27T01:15:29.073237+02:00 wand.daemon.contact named 7720 - - 
running as: named -n 1 -S 10000 -t /var/named -u bind -c 
/usr/local/etc/namedb/named.conf
<29>1 2026-06-27T01:15:29.073250+02:00 wand.daemon.contact named 7720 - - 
compiled by CLANG FreeBSD Clang 19.1.7 
(https://github.com/llvm/llvm-project.git llvmorg-19.1.7-0-gcd708029e0b2)
<29>1 2026-06-27T01:15:29.073267+02:00 wand.daemon.contact named 7720 - - 
compiled with OpenSSL version: OpenSSL 3.0.20 7 Apr 2026
<29>1 2026-06-27T01:15:29.073286+02:00 wand.daemon.contact named 7720 - - 
linked to OpenSSL version: OpenSSL 3.0.20 7 Apr 2026
<29>1 2026-06-27T01:15:29.073299+02:00 wand.daemon.contact named 7720 - - 
compiled with libuv version: 1.52.0
<29>1 2026-06-27T01:15:29.073323+02:00 wand.daemon.contact named 7720 - - 
linked to libuv version: 1.52.0
<29>1 2026-06-27T01:15:29.073340+02:00 wand.daemon.contact named 7720 - - 
compiled with liburcu version: 0.15.3
<29>1 2026-06-27T01:15:29.073355+02:00 wand.daemon.contact named 7720 - - 
compiled with system jemalloc version: 2020110501
<29>1 2026-06-27T01:15:29.073368+02:00 wand.daemon.contact named 7720 - - 
compiled with libnghttp2 version: 1.68.1
<29>1 2026-06-27T01:15:29.073390+02:00 wand.daemon.contact named 7720 - - 
linked to libnghttp2 version: 1.68.1
<29>1 2026-06-27T01:15:29.073434+02:00 wand.daemon.contact named 7720 - - 
compiled with libxml2 version: 2.15.2
<29>1 2026-06-27T01:15:29.073451+02:00 wand.daemon.contact named 7720 - - 
linked to libxml2 version: 21502
<29>1 2026-06-27T01:15:29.073464+02:00 wand.daemon.contact named 7720 - - 
compiled with json-c version: 0.18
<29>1 2026-06-27T01:15:29.073492+02:00 wand.daemon.contact named 7720 - - 
linked to json-c version: 0.18
<29>1 2026-06-27T01:15:29.073505+02:00 wand.daemon.contact named 7720 - - 
compiled with zlib version: 1.3.1
<29>1 2026-06-27T01:15:29.073521+02:00 wand.daemon.contact named 7720 - - 
linked to zlib version: 1.3.1
<29>1 2026-06-27T01:15:29.073533+02:00 wand.daemon.contact named 7720 - - 
compiled with protobuf-c version: 1.5.1
<29>1 2026-06-27T01:15:29.073551+02:00 wand.daemon.contact named 7720 - - 
linked to protobuf-c version: 1.5.1
<29>1 2026-06-27T01:15:29.073564+02:00 wand.daemon.contact named 7720 - - 
----------------------------------------------------
<29>1 2026-06-27T01:15:29.073583+02:00 wand.daemon.contact named 7720 - - BIND 
9 is maintained by Internet Systems Consortium,
<29>1 2026-06-27T01:15:29.073604+02:00 wand.daemon.contact named 7720 - - Inc. 
(ISC), a non-profit 501(c)(3) public-benefit
<29>1 2026-06-27T01:15:29.073620+02:00 wand.daemon.contact named 7720 - - 
corporation.  Support and training for BIND 9 are
<29>1 2026-06-27T01:15:29.073641+02:00 wand.daemon.contact named 7720 - - 
available at https://www.isc.org/support
<29>1 2026-06-27T01:15:29.073660+02:00 wand.daemon.contact named 7720 - - 
----------------------------------------------------
<29>1 2026-06-27T01:15:29.073686+02:00 wand.daemon.contact named 7720 - - the 
limit on open files is already at the maximum allowed value: 13860
<29>1 2026-06-27T01:15:29.079561+02:00 wand.daemon.contact named 7720 - - 
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 
ECDSAP384SHA384 ED25519 ED448
<29>1 2026-06-27T01:15:29.079835+02:00 wand.daemon.contact named 7720 - - DS 
algorithms: SHA-1 SHA-256 SHA-384
<29>1 2026-06-27T01:15:29.129151+02:00 wand.daemon.contact named 7720 - - HMAC 
algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
<29>1 2026-06-27T01:15:29.129252+02:00 wand.daemon.contact named 7720 - - TKEY 
mode 2 support (Diffie-Hellman): no
<29>1 2026-06-27T01:15:29.129351+02:00 wand.daemon.contact named 7720 - - TKEY 
mode 3 support (GSS-API): no
<133>1 2026-06-27T01:15:29.143755+02:00 wand.daemon.contact named 7720 - - 
general: notice: command channel listening on 127.0.0.1#953
<133>1 2026-06-27T01:15:29.144040+02:00 wand.daemon.contact named 7720 - - 
general: notice: command channel listening on ::1#953
<133>1 2026-06-27T01:15:29.167735+02:00 wand.daemon.contact named 7720 - - 
general: notice: all zones loaded
<133>1 2026-06-27T01:15:29.169556+02:00 wand.daemon.contact named 7720 - - 
general: notice: FIPS mode is disabled
<133>1 2026-06-27T01:15:29.170705+02:00 wand.daemon.contact named 7720 - - 
general: notice: running

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.

Problem upgrading 9.18 to 9.20: dnstap doesnt work

Reply via email to