Greetings everyone,

I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the following options:

options {
        ...
        dnssec-enable yes;
        dnssec-validation auto;
        ...
};

Unfortunately, immediately after named is restarted, one CPU reaches 100% utilization.

CPU: 30.1% user, 0.0% nice, 23.6% system, 0.0% interrupt, 46.3% idle
Mem: 111M Active, 14M Inact, 255M Wired, 852K Cache, 3558M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
 2178 bind        5  20    0 51364K 13828K kqread  0   0:17 84.18% named

The system is running the GENERIC kernel, and it is not an authoritative DNS. Mainly used for testing purposes. My logs don't show anything strange:

Jan 5 02:03:55 hp named[2178]: starting BIND 9.8.1-P1 -t /var/named -u bind
Jan 5 02:03:55 hp named[2178]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' '--without-libxml2'
Jan 5 02:03:55 hp named[2178]: using built-in root key for view _default
Jan 5 02:03:55 hp named[2178]: command channel listening on 127.0.0.1#953
Jan 5 02:03:55 hp named[2178]: command channel listening on ::1#953
an 5 02:03:55 hp named[2178]: running

Has anybody come across similar behavior?

Cheers,

--
George Kontostanos
Aicom telecoms ltd

On 01/04/2012 16:24, George Kontostanos wrote:
> Greetings everyone,
>
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
>
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
>
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.

There are an enormous number of possible reasons for this. Most common is that you have a misconfigured firewall in the path that is not passing DNSSEC-sized packets (which are generally quite a bit larger than regular DNS due to the signatures).

The first 2 things you need to do are to crank up BIND logging (the details are in the BIND docs, particularly the ARM); and to check whether or not your network is properly configured. There are a number of sites to do the latter, check the following for example:

https://www.dns-oarc.net/oarc/services/replysizetest

If you still need help after these 2 steps, your best bet is bind-users@isc.org.

Good luck,

Doug

--
You can observe a lot just by watching. -- Yogi Berra

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

On Mon, Jan 9, 2012 at 11:47 AM, Doug Barton <dougb@freebsd.org> wrote:
> On 01/04/2012 16:24, George Kontostanos wrote:
>> Greetings everyone,
>>
>> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
>> following options:
>>
>> options {
>> ...
>> dnssec-enable yes;
>> dnssec-validation auto;
>> ...
>> };
>>
>> Unfortunately immediately after named is restarted one CPU reaches
>> 100% utilization.
>
> There are an enormous number of possible reasons for this. Most common
> is that you have a misconfigured firewall in the path that is not
> passing DNSSEC-sized packets (which are generally quite a bit larger
> than regular DNS due to the signatures).
>
> The first 2 things you need to do are to crank up BIND logging (the
> details are in the BIND docs, particularly the ARM); and to check
> whether or not your network is properly configured. There are a number
> of sites to do the latter, check the following for example:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> If you still need help after these 2 steps, your best bet is
> bind-users@isc.org.
>
>
> Good luck,
>
> Doug
>
> --
>
>        You can observe a lot just by watching. -- Yogi Berra
>
>        Breadth of IT experience, and depth of knowledge in the DNS.
>        Yours for the right price. :) http://SupersetSolutions.com/
>

Hi Doug,

Thanks for the valuable info. After a lot of debugging I reached the point where I get:

Jan 9 17:21:22 hp named[39053]: /usr/src/lib/bind/dns/../../../contrib/bind9/lib/dns/journal.c:171: unexpected error:
Jan 9 17:21:22 hp named[39053]: missing SOA

Some googling showed that this is a rather common error-bug with DNSSEC. I am no expert here, so I will turn this to the bind mailing list.

Regards

--
George Kontostanos
Aicom telecoms ltd
http://www.barebsd.com

Hi,

Just FYI, I just encountered the same issue with bind and DNSSEC. Bind was using 100% CPU, even after a restart. Turns out that there was a key in the managed-keys folder which was unreadable by bind (permission issue).

Hope it can help.

Arnaud Houdelette.

On 05/01/2012 01:24, George Kontostanos wrote:
> Greetings everyone,
>
> I was testing DNSSec resolution on BIND 9.8.1-P1 by adding the
> following options:
>
> options {
> ...
> dnssec-enable yes;
> dnssec-validation auto;
> ...
> };
>
> Unfortunately immediately after named is restarted one CPU reaches
> 100% utilization.
>
> CPU: 30.1% user, 0.0% nice, 23.6% system, 0.0% interrupt, 46.3% idle
> Mem: 111M Active, 14M Inact, 255M Wired, 852K Cache, 3558M Free
> Swap: 2048M Total, 2048M Free
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> 2178 bind 5 20 0 51364K 13828K kqread 0 0:17 84.18% named
>
> The system is running GENERIC kernel, and it not an authoritative DNS.
> Mainly used for testing purposes. My logs don't show anything strange:
>
> Jan 5 02:03:55 hp named[2178]: starting BIND 9.8.1-P1 -t /var/named -u bind
> Jan 5 02:03:55 hp named[2178]: built with '--prefix=/usr'
> '--infodir=/usr/share/info' '--mandir=/usr/share/man'
> '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps'
> '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn'
> '--without-libxml2'
> Jan 5 02:03:55 hp named[2178]: using built-in root key for view _default
> Jan 5 02:03:55 hp named[2178]: command channel listening on 127.0.0.1#953
> Jan 5 02:03:55 hp named[2178]: command channel listening on ::1#953
> an 5 02:03:55 hp named[2178]: running
>
> Anybody has come across a similar behavior ?
>
> Cheers,
>
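An added example, not part of the thread or of BIND: a mode-bit audit for the cause Arnaud reports, listing files in the managed-keys directory that the named account cannot read and flagging a directory it cannot write. The function names are hypothetical, and the sample directory and its file names are constructed for the demonstration.

```python
import grp, os, pwd, stat, tempfile

def ids_for(user):
    """uid and full gid set of the account named runs as (the thread uses -u bind)."""
    pw = pwd.getpwnam(user)
    extra = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra

def allowed(st, uid, gids, want):
    """Classic owner/group/other check; ignores ACLs and the root override."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want

def audit_keys_dir(path, uid, gids):
    """Return (problem, path) pairs that would stop this uid using the key store."""
    problems = []
    # named rewrites the key file and its journal, so it needs rwx on the directory.
    if not allowed(os.stat(path), uid, gids, 7):
        problems.append(("dir-not-writable", path))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, 4):
            problems.append(("unreadable", full))
    return problems

def build_sample_dir():
    """Constructed sample: a key file with mode 000 next to a readable journal."""
    d = tempfile.mkdtemp()
    for name, mode in (("managed-keys.bind", 0o000), ("managed-keys.bind.jnl", 0o600)):
        full = os.path.join(d, name)
        open(full, "w").close()
        os.chmod(full, mode)
    return d

if __name__ == "__main__":
    d = build_sample_dir()
    for problem, path in audit_keys_dir(d, os.getuid(), set(os.getgroups())):
        print(problem, path)
```

On a real resolver, pass the managed-keys directory and `*ids_for("bind")` to `audit_keys_dir`; the result reflects mode bits only, so ACLs and chroot path translation are not considered.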