DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%
Doug Barton
dougb at FreeBSD.org
Mon Jan 9 09:47:53 UTC 2012
On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
>
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
>
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
>
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common
is that you have a misconfigured firewall in the path that is not
passing DNSSEC-sized packets (which are generally quite a bit larger
than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the
details are in the BIND docs, particularly the ARM); and to check
whether or not your network is properly configured. There are a number
of sites to do the latter; check the following, for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is
bind-users at isc.org.

Good luck,

Doug

--
You can observe a lot just by watching. -- Yogi Berra
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
More information about the freebsd-stable
mailing list
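
Added example, not part of the original message and not ISC code: with logging turned up, named reports when it only got an answer after shrinking its advertised EDNS size or disabling EDNS, which is the symptom of a path that drops large DNSSEC replies. This sketch counts those messages per zone; the log lines are constructed, and the line layout (timestamp, category, severity) is an assumption about how the log channel is configured.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Layout assumes a channel
# with print-time, print-category and print-severity enabled.
SAMPLE_LOG = """\
09-Jan-2012 09:12:01.101 edns-disabled: info: success resolving 'example.org/DNSKEY' (in 'example.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
09-Jan-2012 09:12:01.350 edns-disabled: info: success resolving 'www.example.net/A' (in 'example.net'?) after disabling EDNS
09-Jan-2012 09:12:03.440 edns-disabled: info: success resolving 'example.com/DS' (in 'com'?) after reducing the advertised EDNS UDP packet size to 512 octets
09-Jan-2012 09:12:04.000 general: info: zone localhost/IN: loaded serial 1
"""

# Matches both fallback forms: a reduced EDNS buffer size, or EDNS turned off.
FALLBACK = re.compile(
    r"success resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)' "
    r"\(in '(?P<zone>[^']+)'\?\) after "
    r"(?P<how>reducing the advertised EDNS UDP packet size to (?P<size>\d+) octets"
    r"|disabling EDNS)"
)

# Record types whose answers carry DNSSEC material and tend to be large.
DNSSEC_TYPES = {"DNSKEY", "DS", "RRSIG", "NSEC", "NSEC3"}


def summarize(log_text):
    """Return (Counter keyed by (zone, fallback kind), list of DNSSEC lookups hit)."""
    by_zone = Counter()
    dnssec_hits = []
    for line in log_text.splitlines():
        m = FALLBACK.search(line)
        if not m:
            continue  # unrelated log line
        kind = "edns-off" if m["how"] == "disabling EDNS" else "size-" + m["size"]
        by_zone[(m["zone"], kind)] += 1
        if m["rtype"] in DNSSEC_TYPES:
            dnssec_hits.append(m["name"] + "/" + m["rtype"])
    return by_zone, dnssec_hits


if __name__ == "__main__":
    zones, hits = summarize(SAMPLE_LOG)
    for (zone, kind), count in sorted(zones.items()):
        print(f"{zone:15} {kind:9} {count}")
    print("DNSSEC lookups that needed a fallback:", ", ".join(hits))
```

Fallbacks spread across many unrelated zones point at the local network path rather than at any one authoritative server.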