Red Hat Bugzilla – Bug 575604
DNSSEC slows down lookups, generates numerous messages
Last modified: 2013-04-30 19:46:00 EDT
Description of problem:
Named daemon generates >100,000 messages/week about "not insecure resolving ..." and "no valid RRSIG resolving ...", visibly slows down DNS operation, clogs up /var/log/messages and /var/named/data/named.run logs.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual results:
DNS operation slow, logs full of spurious messages.
Expected results:
Normal DNS operation.
Apparently, failure to establish DNSSEC or DLV trust chain is at fault even though DLV trust anchor keys seem to be included properly. Dig shows RRSIGs but no "AD" flag. Disabling DNSSEC and DLV restores normal operation. BTW, is it reasonable to log multiple failures per lookup, one for each DNS forwarder -- i.e. how about logging just a single failure when no forwarder returned data that could be authenticated?
This issue is addressed in 9.6.2-P1 upstream release which is submitted to F12 updates-testing (https://admin.fedoraproject.org/updates/bind-9.6.2-2.P1.fc12). Would it be possible to test it, please?
*** This bug has been marked as a duplicate of bug 556366 ***
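For triaging the log volume described in this report, the following is an added example (not code from the reporter, Red Hat or ISC) that collapses the per-forwarder validation failures into one record per lookup. The message layout `<reason> resolving '<name>/<type>/<class>': <server>#<port>`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed message shape: <reason> resolving '<name>/<type>/<class>': <server>#<port>
PATTERN = re.compile(
    r"(?P<reason>not insecure|no valid RRSIG) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
Mar 21 10:00:01 ns1 named[2112]: not insecure resolving 'example.org/A/IN': 192.0.2.1#53
Mar 21 10:00:01 ns1 named[2112]: not insecure resolving 'example.org/A/IN': 192.0.2.2#53
Mar 21 10:00:02 ns1 named[2112]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.1#53
Mar 21 10:00:02 ns1 named[2112]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.2#53
Mar 21 10:00:02 ns1 named[2112]: no valid RRSIG resolving 'example.net/DS/IN': 198.51.100.7#53
Mar 21 10:00:03 ns1 named[2112]: zone example.com/IN: loaded serial 2010032101
"""


def summarize(log_text):
    """Group failures by (reason, name, type) over the whole input.

    Returns {key: {"servers": sorted upstream addresses, "lines": raw count}}.
    """
    groups = defaultdict(lambda: {"servers": set(), "lines": 0})
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m is None:
            continue  # unrelated named output
        key = (m["reason"], m["name"].lower(), m["rtype"])
        groups[key]["servers"].add(m["server"])
        groups[key]["lines"] += 1
    return {k: {"servers": sorted(v["servers"]), "lines": v["lines"]}
            for k, v in groups.items()}


def all_forwarders_failed(summary, forwarders):
    """Keys for which every listed forwarder logged a validation failure."""
    wanted = set(forwarders)
    return sorted(k for k, v in summary.items() if wanted <= set(v["servers"]))


if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE_LOG).items()):
        print(key, "lines=%d" % info["lines"], "servers=%s" % info["servers"])
```

A large gap between the raw line count and the number of grouped records shows how much of the volume is the per-forwarder repetition the reporter asks about.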