DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%

George Kontostanos gkontos.mail at gmail.com
Mon Jan 9 15:43:05 UTC 2012


On Mon, Jan 9, 2012 at 11:47 AM, Doug Barton <dougb at freebsd.org> wrote:
> On 01/04/2012 16:24, George Kontostanos wrote:
>> Greetings everyone,
>>
>> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
>> following options:
>>
>> options {
>> ...
>> dnssec-enable yes;
>> dnssec-validation auto;
>> ...
>> };
>>
>> Unfortunately immediately after named is restarted one CPU reaches
>> 100% utilization.
>
> There are an enormous number of possible reasons for this. Most common
> is that you have a misconfigured firewall in the path that is not
> passing DNSSEC-sized packets (which are generally quite a bit larger
> than regular DNS due to the signatures).
>
> The first 2 things you need to do are to crank up BIND logging (the
> details are in the BIND docs, particularly the ARM); and to check
> whether or not your network is properly configured. There are a number
> of sites to do the latter, check the following for example:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> If you still need help after these 2 steps, your best bet is
> bind-users at isc.org.
>
>
> Good luck,
>
> Doug
>
> --
>
>        You can observe a lot just by watching. -- Yogi Berra
>
>        Breadth of IT experience, and depth of knowledge in the DNS.
>        Yours for the right price.  :)  http://SupersetSolutions.com/
>

Hi Doug,

Thanks for the valuable info. After a lot of debugging I reached
the point where I get:

Jan  9 17:21:22 hp named[39053]: /usr/src/lib/bind/dns/../../../contrib/bind9/lib/dns/journal.c:171: unexpected error:
Jan  9 17:21:22 hp named[39053]: missing SOA

Some googling showed that this is a rather common error-bug with
DNSSEC. I am no expert here, so I will turn this over to the BIND mailing
list.

Regards
-- 
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com
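
Added example, not part of the original messages: the quoted reply attributes most such failures to a path that does not pass DNSSEC-sized packets, and this sketch shows the mechanics behind that, namely the EDNS0 OPT record a validating resolver attaches (advertised UDP size plus the DO flag) and how each kind of reply should be read. The function names and the sample replies are constructed for illustration; nothing here is BIND code.

```python
import struct

DO_BIT = 0x8000       # "DNSSEC OK" flag in the OPT TTL field (RFC 3225)
TC_BIT = 0x0200       # truncation flag in the DNS header
TYPE_OPT, TYPE_DNSKEY = 41, 48

def encode_name(name):
    """Wire-encode a domain name; "." becomes the single root byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_DNSKEY, bufsize=4096, dnssec_ok=True, txid=0x1234):
    """DNS query with an EDNS0 OPT record advertising bufsize bytes over UDP."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def parse_opt(msg):
    """Return (advertised UDP size, DO flag) from a query built above."""
    pos = 12
    while msg[pos]:                 # skip the question name label by label
        pos += msg[pos] + 1
    pos += 1 + 4                    # root byte, then QTYPE and QCLASS
    rtype, size, ttl, _ = struct.unpack_from("!HHIH", msg, pos + 1)
    if rtype != TYPE_OPT:
        raise ValueError("no OPT record after the question")
    return size, bool(ttl & DO_BIT)

def classify_reply(reply):
    """Interpret what came back for a DO=1 query (None means it timed out)."""
    if reply is None:
        return "no reply: large UDP answer may be dropped in the path"
    flags = struct.unpack_from("!H", reply, 2)[0]
    if flags & TC_BIT:
        return "truncated: resolver must retry over TCP"
    if len(reply) > 512:
        return "ok: reply larger than 512 bytes arrived over UDP"
    return "ok: reply fits the classic 512-byte limit"

# Constructed sample replies (header plus padding), not captured traffic.
SAMPLE_TRUNCATED = struct.pack("!6H", 0x1234, 0x8300, 1, 0, 0, 1) + b"\x00" * 20
SAMPLE_LARGE = struct.pack("!6H", 0x1234, 0x8180, 1, 4, 0, 1) + b"\x00" * 1200

if __name__ == "__main__":
    q = build_query(".")
    print(len(q), parse_opt(q))
    for r in (None, SAMPLE_TRUNCATED, SAMPLE_LARGE):
        print(classify_reply(r))
```

A resolver that only ever sees the first outcome for signed zones keeps retrying, which is one way a path problem can show up as load on named.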


More information about the freebsd-stable mailing list