From: George Kontostanos
To: Doug Barton
Cc: FreeBSD Stable
Date: Mon, 9 Jan 2012 17:43:04 +0200
Subject: Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
In-Reply-To: <4F0AB7C4.6040204@FreeBSD.org>

On Mon, Jan 9, 2012 at 11:47 AM, Doug Barton wrote:
> On 01/04/2012 16:24, George Kontostanos wrote:
>> Greetings everyone,
>>
>> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
>> following options:
>>
>> options {
>> ...
>> dnssec-enable yes;
>> dnssec-validation auto;
>> ...
>> };
>>
>> Unfortunately immediately after named is restarted one CPU reaches
>> 100% utilization.
>
> There are an enormous number of possible reasons for this. Most common
> is that you have a misconfigured firewall in the path that is not
> passing DNSSEC-sized packets (which are generally quite a bit larger
> than regular DNS due to the signatures).
>
> The first 2 things you need to do are to crank up BIND logging (the
> details are in the BIND docs, particularly the ARM); and to check
> whether or not your network is properly configured. There are a number
> of sites to do the latter, check the following for example:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> If you still need help after these 2 steps, your best bet is
> bind-users@isc.org.
>
>
> Good luck,
>
> Doug
>
> --
>
>        You can observe a lot just by watching. -- Yogi Berra
>
>        Breadth of IT experience, and depth of knowledge in the DNS.
>        Yours for the right price.  :)  http://SupersetSolutions.com/
>

Hi Doug, thanks for the valuable info.

After a lot of debugging I reached the point where I get:

Jan 9 17:21:22 hp named[39053]: /usr/src/lib/bind/dns/../../../contrib/bind9/lib/dns/journal.c:171: unexpected error:
Jan 9 17:21:22 hp named[39053]: missing SOA

Some googling showed that this is a rather common error-bug with DNSSEC.
I am no expert here, so I will turn this to the bind mailing list.

Regards

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
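
The firewall point in the quoted reply can be seen at the packet level. The following is an added example, not part of the original message and not BIND code: it builds the kind of query a validating resolver sends (EDNS0 OPT record with the DO bit set) and classifies a reply on a path that drops UDP DNS above a size limit. The function names, the 512-byte path limit and the two sample replies are assumptions constructed for illustration.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag, carried in the OPT record's TTL field
TC_BIT = 0x0200   # truncation flag in the DNS header

def encode_name(name):
    """Encode a domain name as length-prefixed labels ("." becomes one zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=48, udp_size=4096, dnssec_ok=True, qid=0x1234):
    """Build a query with an EDNS0 OPT record (qtype 48 is DNSKEY)."""
    # Header: id, flags (RD set), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = DO_BIT if dnssec_ok else 0
    # OPT RR: root owner, type 41, CLASS = advertised UDP size, TTL = flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def classify_reply(reply, path_limit=512):
    """Say how a UDP reply fares if a middlebox drops DNS above path_limit bytes."""
    if len(reply) < 12:
        return "malformed"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & TC_BIT:
        return "truncated: resolver must retry over TCP"
    if len(reply) > path_limit:
        return "dropped: %d bytes exceeds %d-byte path limit" % (len(reply), path_limit)
    return "ok"

# Constructed sample replies (not captured traffic): a header-only reply with
# TC set, and a 1200-byte reply standing in for a signed DNSKEY answer.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
BIG_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 8, 0, 1) + b"\x00" * 1188

if __name__ == "__main__":
    query = build_query(".")
    print("query: %d bytes, OPT record %s" % (len(query), query[-11:].hex()))
    print(classify_reply(TRUNCATED_REPLY))
    print(classify_reply(BIG_REPLY))
    print(classify_reply(BIG_REPLY, path_limit=4096))
```

A resolver whose large replies are silently dropped keeps retrying and timing out, which is why the reply-size test is worth running before digging into named itself.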