Bug 575604 - DNSSEC slows down lookups, generates numerous messages
Status: CLOSED DUPLICATE of bug 556366
Product: Fedora
Classification: Fedora
Component: bind
Version: 12
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-03-21 14:12 EDT by josip@icase.edu
Modified: 2013-04-30 19:46 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-26 10:13:47 EDT
Description josip@icase.edu 2010-03-21 14:12:01 EDT
Description of problem:
Named daemon generates >100,000 messages/week about "not insecure resolving ..." and "no valid RRSIG resolving ...", visibly slows down DNS operation, clogs up /var/log/messages and /var/named/data/named.run logs.

Version-Release number of selected component (if applicable):
bind-9.6.2-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
DNS operation slow, logs full of spurious messages.

Expected results:
Normal DNS operation.

Additional info:
Apparently, failure to establish DNSSEC or DLV trust chain is at fault even though DLV trust anchor keys seem to be included properly.  Dig shows RRSIGs but no "AD" flag.  Disabling DNSSEC and DLV restores normal operation.  BTW, is it reasonable to log multiple failures per lookup, one for each DNS forwarder -- i.e. how about logging just a single failure when no forwarder returned data that could be authenticated?
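A triage sketch for the log flood described above, added here as an example and not part of the original report or of BIND: it counts the two messages the report quotes and collapses the per-forwarder repeats into one entry per failing name/type. The syslog prefix and the `'<name>/<type>/<class>': <forwarder>#<port>` tail are assumptions about the message layout (the report gives only the leading words); the sample lines, names, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed message layout (the report quotes only the leading words):
#   <reason> resolving '<name>/<type>/<class>': <forwarder>#<port>
FAILURE = re.compile(
    r"named\[\d+\]: (?P<reason>not insecure|no valid RRSIG) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# Constructed sample lines; names and addresses are documentation values.
SAMPLE_LOG = """\
Mar 21 14:00:01 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.1#53
Mar 21 14:00:01 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.2#53
Mar 21 14:00:02 ns named[2101]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.1#53
Mar 21 14:00:02 ns named[2101]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.2#53
Mar 21 14:00:02 ns named[2101]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.3#53
Mar 21 14:00:03 ns named[2101]: zone example.com/IN: loaded serial 2010032101
"""

def summarize(lines):
    """Count validation-failure messages and group them by failing record set."""
    by_reason = Counter()
    servers = defaultdict(set)  # (reason, name, type, class) -> forwarders seen
    for line in lines:
        m = FAILURE.search(line)
        if not m:
            continue  # unrelated named output, e.g. zone loads
        by_reason[m["reason"]] += 1
        key = (m["reason"], m["name"].lower(), m["rtype"], m["rclass"])
        servers[key].add(m["server"])
    return {
        "raw": sum(by_reason.values()),      # messages as logged
        "by_reason": dict(by_reason),
        "collapsed": len(servers),           # one entry per failing record set
        "lookups": {k: sorted(v) for k, v in servers.items()},
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['raw']} messages -> {report['collapsed']} distinct failing lookups")
    for (reason, name, rtype, rclass), srv in sorted(report["lookups"].items()):
        print(f"  {name}/{rtype}/{rclass}: {reason} via {', '.join(srv)}")
```

Run against the real /var/log/messages, the gap between the raw and collapsed counts shows how much of the volume comes from the same failure being reported once per forwarder.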
Comment 1 Adam Tkac 2010-03-22 08:05:19 EDT
This issue is addressed in 9.6.2-P1 upstream release which is submitted to F12 updates-testing (https://admin.fedoraproject.org/updates/bind-9.6.2-2.P1.fc12). Would it be possible to test it, please?
Comment 2 Adam Tkac 2010-03-26 10:13:47 EDT

*** This bug has been marked as a duplicate of bug 556366 ***
