[LEGACY DOMAIN: COL.CZ] Re: Is 9.5 broken

[Daniel Ryslink]

Hello,

I can also confirm this for BIND 9.5.0-P2 for DNSSec enabled resolvers 
using DLV (an ISP environment, arout 500-600 queries per second according to 
BIND query log).

After several hours of operation, the server stopped answering on certain 
cached records in signed zones (no packets came back) in irregular 
intervals.

After downgrading to 9.4.3, the problems were resolved, works without any 
hassles.

I did not try the latest 9.5.1 version, however.

Daniel Ryslink


On Fri, 26 Sep 2008, Bart Van den Broeck wrote:

> Rune Rune wrote:
>> Hi, I have compiled and used 9.5 on several Linuxplatforms but we have to restart the bind-process every day since it stop ansver for some domains after some time.
>> The DNS is recursive and the domain it stop answer for is always .se domains. Is there any DNSSEC issue in 9.5 that is broken maybe? The zones it dont answer for isn't signed by .SE but? When the server stop answer correct it look up other zones correct and after a restart it works ok again.
>>
>> Regards, Rune
>
>
> Short answer: yes, probably.
>
> We have experienced the same issue, also with .se domains.  It seems to be
> related to a cache management issue and JINMEI Tatuya of ISC agrees (cf. his
> reply on my post "Re: Frequent SERVFAIL: "nameservers now above QDOMAIN" (BIND
> 9.5.0-P2)" <http://marc.info/?l=bind-users&m=122239920822324&w=2>).
>
> Restarting the DNS server solves the problem because it also flushes the cache
> (as a side-effect).
>
> Until the problematic code is fixed in BIND 9.5 we've downgraded to 9.4.  It
> hasn't been running long enough to be completely sure the problem has gone away
> though, but we're hopeful :-)
>
>
> Kind regards
> Bart Van den Broeck
> -- K.U.Leuven - ICTS - ICT Infrastructuur - Netwerken (aka KULeuvenNet)-
>
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
>
>