Date:      Mon, 09 Jan 2012 01:47:48 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        George Kontostanos <gkontos.mail@gmail.com>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
Message-ID:  <4F0AB7C4.6040204@FreeBSD.org>
In-Reply-To: <CA%2BdUSyqQrapYDF91G1q3YrB=YeCDre8Ja2Dkk7_in%2B00LieCEw@mail.gmail.com>
References:  <CA%2BdUSyqQrapYDF91G1q3YrB=YeCDre8Ja2Dkk7_in%2B00LieCEw@mail.gmail.com>

On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
> 
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
> 
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
> 
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common
is that you have a misconfigured firewall in the path that is not
passing DNSSEC-sized packets (which are generally quite a bit larger
than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the
details are in the BIND docs, particularly the ARM); and to check
whether or not your network is properly configured. There are a number
of sites to do the latter, check the following for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is
bind-users@isc.org.


Good luck,

Doug

-- 

	You can observe a lot just by watching.	-- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
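
Added example, not part of the original message or of BIND: a small Python check for the path problem described above. It builds a query with an EDNS0 OPT record and the DO bit set (so the answer carries signatures) and classifies the UDP reply. The function names, the default query (DNSKEY for the root zone) and the sample replies are assumptions made for this illustration.

```python
import socket
import struct

FORMERR, TC_BIT, DO_BIT = 1, 0x0200, 0x8000

def build_query(name, qtype=48, bufsize=4096, do=True, qid=0x1234):
    """DNS query with an EDNS0 OPT record; qtype 48 is DNSKEY, DO asks for DNSSEC records."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT pseudo-RR: root owner, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO is the top flag bit), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, DO_BIT if do else 0, 0)
    return header + question + opt

def classify_reply(reply, qid=0x1234):
    """Diagnose one UDP reply; None means the query timed out."""
    if reply is None:
        return "timeout"        # consistent with large replies being dropped in the path
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid:
        return "mismatched-id"
    if flags & TC_BIT:
        return "truncated"      # answer did not fit; the resolver has to retry over TCP
    if flags & 0x000F == FORMERR:
        return "formerr"        # the server or something in the path rejected EDNS
    return "ok-large" if len(reply) > 512 else "ok-small"

def probe(server, name=".", qtype=48, bufsize=4096, timeout=3.0):
    """Send the query over UDP to `server` (an address you supply) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, bufsize), (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            reply = None
    return classify_reply(reply)

def fake_reply(flags, size):
    """Constructed sample reply (header plus zero padding), not captured traffic."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1) + b"\x00" * (size - 12)

if __name__ == "__main__":
    samples = [("big", fake_reply(0x8180, 1400)), ("tc", fake_reply(0x8380, 512)), ("lost", None)]
    for label, reply in samples:
        print(label, classify_reply(reply))
```

Calling probe() with the address of your own resolver and getting "timeout" at bufsize=4096 but "ok-small" or "truncated" at bufsize=512 points at the path rather than at named itself.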



