Date:      Mon, 9 Jan 2012 17:43:04 +0200
From:      George Kontostanos <gkontos.mail@gmail.com>
To:        Doug Barton <dougb@freebsd.org>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
Message-ID:  <CA%2BdUSyqH%2BeAVovM1r1qdyA5TAj8xjzrr7Qc-HEhZ4tta2YgQOA@mail.gmail.com>
In-Reply-To: <4F0AB7C4.6040204@FreeBSD.org>
References:  <CA%2BdUSyqQrapYDF91G1q3YrB=YeCDre8Ja2Dkk7_in%2B00LieCEw@mail.gmail.com> <4F0AB7C4.6040204@FreeBSD.org>

On Mon, Jan 9, 2012 at 11:47 AM, Doug Barton <dougb@freebsd.org> wrote:
> On 01/04/2012 16:24, George Kontostanos wrote:
>> Greetings everyone,
>>
>> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
>> following options:
>>
>> options {
>> ...
>> dnssec-enable yes;
>> dnssec-validation auto;
>> ...
>> };
>>
>> Unfortunately immediately after named is restarted one CPU reaches
>> 100% utilization.
>
> There are an enormous number of possible reasons for this. Most common
> is that you have a misconfigured firewall in the path that is not
> passing DNSSEC-sized packets (which are generally quite a bit larger
> than regular DNS due to the signatures).
>
> The first 2 things you need to do are to crank up BIND logging (the
> details are in the BIND docs, particularly the ARM); and to check
> whether or not your network is properly configured. There are a number
> of sites to do the latter, check the following for example:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> If you still need help after these 2 steps, your best bet is
> bind-users@isc.org.
>
>
> Good luck,
>
> Doug
>
> --
>
>        You can observe a lot just by watching. -- Yogi Berra
>
>        Breadth of IT experience, and depth of knowledge in the DNS.
>        Yours for the right price.  :)  http://SupersetSolutions.com/
>

Hi Doug,

Thanks for the valuable info. After a lot of debugging I reached
the point where I get:

Jan  9 17:21:22 hp named[39053]: /usr/src/lib/bind/dns/../../../contrib/bind9/lib/dns/journal.c:171: unexpected error:
Jan  9 17:21:22 hp named[39053]: missing SOA

Some googling showed that this is a rather common error-bug with
DNSSEC. I am no expert here, so I will turn this to the bind mailing
list.

Regards
--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
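
Added example, not part of the original e-mail and not BIND or OARC code: a local version of the path check suggested in the quoted reply, which sends one EDNS0 query with the DO bit set and reports whether a DNSSEC-sized UDP reply makes it back. The function names (build_query, classify_reply, probe), the root DNSKEY query and the probe sizes are assumptions chosen for this illustration.

```python
import socket
import struct
import sys

TC_BIT = 0x0200      # header flag: reply was truncated
DO_BIT = 0x8000      # EDNS flag "DNSSEC OK": ask the server to include signatures
TYPE_DNSKEY, TYPE_OPT, CLASS_IN = 48, 41, 1

def build_query(name, qtype=TYPE_DNSKEY, udp_size=4096, dnssec_ok=True, qid=0x1234):
    """DNS query carrying an EDNS0 OPT record that advertises udp_size."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, CLASS_IN)
    # OPT RR: root owner, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def classify_reply(reply, classic_limit=512):
    """Interpret what came back over UDP (None means the probe timed out)."""
    if reply is None:
        return "timeout"      # nothing arrived: large or fragmented replies may be dropped in the path
    if len(reply) < 12:
        return "malformed"    # shorter than a DNS header
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & TC_BIT:
        return "truncated"    # size was capped; the resolver has to retry over TCP
    return "large-ok" if len(reply) > classic_limit else "small-ok"

def probe(server, name=".", udp_size=4096, timeout=3.0):
    """Send one DO-bit query to server:53 and classify the UDP reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_size=udp_size), (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            reply = None
    return classify_reply(reply)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 thisfile.py <IP of a DNS server you are allowed to query>
    for size in (512, 1232, 4096):
        print(size, probe(sys.argv[1], udp_size=size))
```

A "truncated" result at 512 combined with "timeout" at 4096 is the pattern a firewall dropping large or fragmented DNS replies produces; "large-ok" at 4096 means the path passes DNSSEC-sized packets.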


