Bug 575604

Summary: DNSSEC slows down lookups, generates numerous messages
Product: [Fedora] Fedora
Reporter: josip@icase.edu <jl-icase>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: al.dunsmuir, atkac, ovasik, pwouters
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2010-03-26 14:13:47 UTC

Description josip@icase.edu 2010-03-21 18:12:01 UTC
Description of problem:
Named daemon generates >100,000 messages/week about "not insecure resolving ..." and "no valid RRSIG resolving ...", visibly slows down DNS operation, clogs up /var/log/messages and /var/named/data/named.run logs.

Version-Release number of selected component (if applicable):
bind-9.6.2-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
DNS operation slow, logs full of spurious messages.

Expected results:
Normal DNS operation.

Additional info:
Apparently, failure to establish DNSSEC or DLV trust chain is at fault even though DLV trust anchor keys seem to be included properly.  Dig shows RRSIGs but no "AD" flag.  Disabling DNSSEC and DLV restores normal operation.  BTW, is it reasonable to log multiple failures per lookup, one for each DNS forwarder -- i.e. how about logging just a single failure when no forwarder returned data that could be authenticated?
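
Added example, not part of the original report: one way to measure how much of this log volume is per-forwarder repetition, by collapsing the two messages into one record per failing name. The sample lines are constructed, and their layout (message, quoted name/type/class, then server#port) is an assumption about named's syslog output.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption about named's output.
SAMPLE_LOG = """\
Mar 21 18:01:02 ns1 named[2211]: not insecure resolving 'example.org/A/IN': 192.0.2.10#53
Mar 21 18:01:02 ns1 named[2211]: not insecure resolving 'example.org/A/IN': 192.0.2.11#53
Mar 21 18:01:03 ns1 named[2211]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.10#53
Mar 21 18:01:03 ns1 named[2211]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.11#53
Mar 21 18:01:03 ns1 named[2211]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.12#53
Mar 21 18:01:04 ns1 named[2211]: zone example.com/IN: loaded serial 2010032101
"""

LINE_RE = re.compile(
    r"named\[\d+\]: (?P<msg>not insecure|no valid RRSIG) resolving "
    r"'(?P<rrset>[^']+)': (?P<server>[0-9A-Fa-f.:]+)#\d+"
)

def summarize(log_text):
    """Collapse per-forwarder failures into one record per (message, rrset)."""
    groups = defaultdict(lambda: {"lines": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named output
        g = groups[(m["msg"], m["rrset"])]
        g["lines"] += 1
        g["servers"].add(m["server"])
    return {k: (v["lines"], sorted(v["servers"])) for k, v in groups.items()}

def noise_ratio(summary):
    """Logged lines divided by distinct failing (message, rrset) pairs."""
    total = sum(lines for lines, _ in summary.values())
    return total / len(summary) if summary else 0.0

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (msg, rrset), (lines, servers) in sorted(s.items()):
        print(f"{msg:16} {rrset:20} lines={lines} servers={','.join(servers)}")
    print(f"lines per failing lookup: {noise_ratio(s):.1f}")
```

Run against /var/log/messages by passing the file's contents to `summarize`; a ratio close to the number of configured forwarders indicates that most of the volume is the same failure logged once per forwarder.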

Comment 1 Adam Tkac 2010-03-22 12:05:19 UTC
This issue is addressed in 9.6.2-P1 upstream release which is submitted to F12 updates-testing (https://admin.fedoraproject.org/updates/bind-9.6.2-2.P1.fc12). Would it be possible to test it, please?

Comment 2 Adam Tkac 2010-03-26 14:13:47 UTC

*** This bug has been marked as a duplicate of bug 556366 ***