DNSSec on FreeBSD 9.0-RELEASE causes CPU 100%

Doug Barton dougb at FreeBSD.org
Mon Jan 9 09:47:53 UTC 2012


On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
> 
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
> 
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
> 
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common
is that you have a misconfigured firewall in the path that is not
passing DNSSEC-sized packets (which are generally quite a bit larger
than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the
details are in the BIND docs, particularly the ARM); and to check
whether or not your network is properly configured. There are a number
of sites to do the latter, check the following for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is
bind-users at isc.org.


Good luck,

Doug

-- 

	You can observe a lot just by watching.	-- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
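
The size problem described in the reply above, as an added example that is not part of the original message or of BIND: a validating resolver sets the EDNS0 "DNSSEC OK" bit, so replies carry signatures and can exceed the classic 512-byte UDP limit that some firewalls still enforce. The name example.com, the 700-byte signature, the sample reply and the path limits are constructed for illustration.

```python
import struct

TYPE_OPT, TYPE_RRSIG = 41, 46   # EDNS0 pseudo-record (RFC 6891), signature record
FLAG_TC = 0x0200                # header flag: reply truncated, retry over TCP
EDNS_DO = 0x8000                # "DNSSEC OK" bit inside the OPT record's TTL field

def build_query(name, qtype, udp_size=4096, do=True):
    """Query with an OPT record advertising udp_size, as a validating resolver sends."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD, 1 question, 1 additional
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def sample_reply(query, sig_len=700):
    """Constructed reply: echoes question and OPT, adds one RRSIG-sized answer."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, sig_len) + bytes(sig_len)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    return header + query[12:-11] + answer + query[-11:]

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:     # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def inspect_message(msg):
    """Extract the fields that matter when large DNSSEC replies go missing."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"size": len(msg), "truncated": bool(flags & FLAG_TC), "edns_udp_size": None, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:                   # class carries UDP size, TTL carries flags
            info["edns_udp_size"], info["do"] = rclass, bool(ttl & EDNS_DO)
    return info

def udp_outcome(reply, path_limit):
    """Assumed middlebox policy: drop UDP DNS messages larger than path_limit bytes."""
    if len(reply) > path_limit:
        return "dropped"                        # the resolver only sees a timeout
    return "retry-tcp" if inspect_message(reply)["truncated"] else "delivered"
```

With a 512-byte path limit the 752-byte sample reply is dropped while the 40-byte query passes, so the resolver sees only timeouts and keeps retrying.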



More information about the freebsd-stable mailing list