Message-ID: <4F0AB7C4.6040204@FreeBSD.org>
Date: Mon, 09 Jan 2012 01:47:48 -0800
From: Doug Barton
To: George Kontostanos
Cc: FreeBSD Stable
Subject: Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%

On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
>
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
>
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
>
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common
is that you have a misconfigured firewall in the path that is not
passing DNSSEC-sized packets (which are generally quite a bit larger
than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the
details are in the BIND docs, particularly the ARM); and to check
whether or not your network is properly configured. There are a number
of sites to do the latter, check the following for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is
bind-users@isc.org.

Good luck,

Doug

-- 

	You can observe a lot just by watching.	-- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
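
An added example, not part of the original message: a local version of the network check suggested above, which sends a DNSSEC-enabled (EDNS0, DO bit set) query with a large UDP buffer and compares the outcome with a 512-byte probe. The function names, the fixed query id and the sample replies are assumptions made for the example; the samples are constructed, not captured traffic.

```python
import socket
import struct

QID = 0x1234  # fixed query id, for the example only

def build_query(name, qtype=48, bufsize=4096, do=True):
    """DNS query with an EDNS0 OPT record (RFC 6891). qtype 48 is DNSKEY."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP buffer size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(reply):
    """Summarise one UDP reply (None means the query timed out)."""
    if reply is None:
        return "timeout"
    if len(reply) < 12 or struct.unpack("!H", reply[:2])[0] != QID:
        return "malformed"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:  # TC bit: the answer did not fit in the UDP reply
        return "truncated"
    return "large-ok" if len(reply) > 512 else "small-ok"

def diagnose(big, small):
    """Compare a 4096-byte-buffer probe with a 512-byte-buffer probe."""
    if big == "timeout" and small in ("truncated", "small-ok"):
        return "path drops large UDP replies"
    if big == "large-ok":
        return "large replies pass"
    if big == "timeout":
        return "server unreachable"
    return "inconclusive"

def probe(server, name=".", bufsize=4096, timeout=3.0):
    """Send one query to server:53 over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize=bufsize), (server, 53))
        try:
            return classify(s.recvfrom(65535)[0])
        except socket.timeout:
            return "timeout"

# Constructed replies (header plus padding, not captured traffic)
SAMPLE_TC = struct.pack("!HHHHHH", QID, 0x8380, 1, 0, 0, 0)
SAMPLE_BIG = struct.pack("!HHHHHH", QID, 0x8180, 1, 0, 0, 0) + b"\x00" * 1500
```

Against a real server, `diagnose(probe(ip), probe(ip, bufsize=512))` gives the comparison; a result of "path drops large UDP replies" points at the firewall case described in the reply.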