Date: Mon, 09 Jan 2012 01:47:48 -0800 From: Doug Barton <dougb@FreeBSD.org> To: George Kontostanos <gkontos.mail@gmail.com> Cc: FreeBSD Stable <freebsd-stable@freebsd.org> Subject: Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100% Message-ID: <4F0AB7C4.6040204@FreeBSD.org> In-Reply-To: <CA%2BdUSyqQrapYDF91G1q3YrB=YeCDre8Ja2Dkk7_in%2B00LieCEw@mail.gmail.com> References: <CA%2BdUSyqQrapYDF91G1q3YrB=YeCDre8Ja2Dkk7_in%2B00LieCEw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 01/04/2012 16:24, George Kontostanos wrote: > Greetings everyone, > > I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the > following options: > > options { > ... > dnssec-enable yes; > dnssec-validation auto; > ... > }; > > Unfortunately immediately after named is restarted one CPU reaches > 100% utilization. There are an enormous number of possible reasons for this. Most common is that you have a misconfigured firewall in the path that is not passing DNSSEC-sized packets (which are generally quite a bit larger than regular DNS due to the signatures). The first 2 things you need to do are to crank up BIND logging (the details are in the BIND docs, particularly the ARM); and to check whether or not your network is properly configured. There are a number of sites to do the latter, check the following for example: https://www.dns-oarc.net/oarc/services/replysizetest If you still need help after these 2 steps, your best bet is bind-users@isc.org. Good luck, Doug -- You can observe a lot just by watching. -- Yogi Berra Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F0AB7C4.6040204>