On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
> 
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
> 
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
> 
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common
is that you have a misconfigured firewall in the path that is not
passing DNSSEC-sized packets (which are generally quite a bit larger
than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the
details are in the BIND docs, particularly the ARM); and to check
whether or not your network is properly configured. There are a number
of sites to do the latter, check the following for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is
bind-us...@isc.org.


Good luck,

Doug

-- 

        You can observe a lot just by watching. -- Yogi Berra

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)  http://SupersetSolutions.com/

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
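
An added example, not part of the original message or of BIND: it builds the kind of query a validating resolver sends (EDNS0 OPT record advertising a 4096-byte UDP buffer, DO bit set) and classifies what comes back, to show why such replies exceed the classic 512-byte limit a firewall may enforce. The function names and the sample replies are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest DNS/UDP message without EDNS0 (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_dnssec_query(name, qtype=48, bufsize=4096, txid=0x1234):
    """Build a query (default type 48, DNSKEY) with an EDNS0 OPT record and DO set."""
    # Header: id, flags (RD=1), 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP size,
    # TTL = ext-rcode/version/flags with DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def classify_reply(reply):
    """Say what a UDP reply (raw bytes, or None for a timeout) implies about the path."""
    if reply is None:
        return "timeout"        # large reply or its fragments may be dropped in the path
    if len(reply) < 12:
        return "malformed"      # shorter than a DNS header
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:          # TC bit: the resolver has to retry over TCP port 53
        return "truncated"
    if len(reply) > CLASSIC_UDP_LIMIT:
        return "large-ok"       # the path passed a DNSSEC-sized reply
    return "small-ok"           # fits classic DNS; says nothing about large replies

if __name__ == "__main__":
    query = build_dnssec_query("example.com")
    print(len(query), query.hex())
    # Constructed replies: only the 12-byte header and the total length are meaningful.
    constructed = {
        "no answer": None,
        "TC set": struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 1),
        "1500 bytes": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + b"\x00" * 1488,
    }
    for label, reply in constructed.items():
        print(label, "->", classify_reply(reply))
```

A "timeout" or "truncated" result for large replies, while small ones succeed, points at the path rather than at named itself.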
