recursive clients quota maxes out when dnssec-validate and dlv-lookaside set to auto
Phil Mayers
p.mayers at imperial.ac.uk
Tue Dec 20 08:47:26 UTC 2011
On 12/19/2011 11:14 PM, Mark Jeftovic wrote:
> And it sorta almost works. Except what happens when we restart or
> reconfigure bind is that the number of recursive clients skyrockets to
> the maximum (currently the default 1000) in under a minute and then
> everything starts failing or timing out with a lot of those
> aforementioned log messages.
Interesting. It sounds like when you enable those queries, the
nameserver suddenly starts emitting queries which aren't getting timely
replies.
Do you have a "clean" path from that nameserver to the internet? No
firewall enforcing DNS packet "size limits" or blocking TCP queries?
It will be a lot of data, but a tcpdump started just before making the
changes might show some obvious patterns that point you in the right
direction.
More information about the bind-users
mailing list