Bug 575604 - DNSSEC slows down lookups, generates numerous messages
Keywords:
Status: CLOSED DUPLICATE of bug 556366
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-03-21 18:12 UTC by josip@icase.edu
Modified: 2013-04-30 23:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-26 14:13:47 UTC
Type: ---
Embargoed:



Description josip@icase.edu 2010-03-21 18:12:01 UTC
Description of problem:
Named daemon generates >100,000 messages/week about "not insecure resolving ..." and "no valid RRSIG resolving ...", visibly slows down DNS operation, clogs up /var/log/messages and /var/named/data/named.run logs.

Version-Release number of selected component (if applicable):
bind-9.6.2-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
DNS operation slow, logs full of spurious messages.

Expected results:
Normal DNS operation.

Additional info:
Apparently, failure to establish DNSSEC or DLV trust chain is at fault even though DLV trust anchor keys seem to be included properly.  Dig shows RRSIGs but no "AD" flag.  Disabling DNSSEC and DLV restores normal operation.  BTW, is it reasonable to log multiple failures per lookup, one for each DNS forwarder -- i.e. how about logging just a single failure when no forwarder returned data that could be authenticated?
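Added example (not part of the original report and not BIND code): a triage script that collapses the two validation-failure messages quoted above into one row per failing record set, showing how many log lines and how many forwarders each one accounts for. The exact line layout, the sample log and its addresses are constructed assumptions modelled on the two message strings in the report.

```python
import re
from collections import defaultdict

# Assumed line shape (not taken from the report):
#   "<reason> resolving '<name>/<type>/<class>': <server>#<port>"
LINE_RE = re.compile(
    r"(?P<reason>not insecure|no valid RRSIG) resolving "
    r"'(?P<rrset>[^']+)': (?P<server>[0-9A-Fa-f.:]+)#\d+"
)

# Constructed sample log; names and addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 21 18:00:01 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.1#53
Mar 21 18:00:01 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.2#53
Mar 21 18:00:01 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.3#53
Mar 21 18:00:02 ns named[2101]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.1#53
Mar 21 18:00:02 ns named[2101]: no valid RRSIG resolving 'example.net/DS/IN': 192.0.2.2#53
Mar 21 18:00:03 ns named[2101]: zone example.com/IN: loaded serial 2010032101
Mar 21 18:05:09 ns named[2101]: not insecure resolving 'example.org/A/IN': 192.0.2.1#53
"""

def summarize(log_text):
    """Group validation-failure lines by (reason, rrset)."""
    groups = defaultdict(lambda: {"lines": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named output, e.g. zone loads
        g = groups[(m["reason"], m["rrset"])]
        g["lines"] += 1
        g["servers"].add(m["server"])
    return dict(groups)

def report(log_text):
    """Return (total failure lines, distinct groups, rows sorted by volume)."""
    groups = summarize(log_text)
    total = sum(g["lines"] for g in groups.values())
    rows = sorted(groups.items(), key=lambda kv: -kv[1]["lines"])
    return total, len(groups), rows

if __name__ == "__main__":
    total, distinct, rows = report(SAMPLE_LOG)
    print(f"{total} failure lines, {distinct} distinct (reason, rrset) pairs")
    for (reason, rrset), g in rows:
        print(f"{g['lines']:5d}  {reason:15s} {rrset}  "
              f"forwarders={sorted(g['servers'])}")
```

Run against a copy of the real log by passing its contents to `report()`; a record set that fails through every configured forwarder points at a broken trust chain rather than a single bad upstream.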

Comment 1 Adam Tkac 2010-03-22 12:05:19 UTC
This issue is addressed in 9.6.2-P1 upstream release which is submitted to F12 updates-testing (https://admin.fedoraproject.org/updates/bind-9.6.2-2.P1.fc12). Would it be possible to test it, please?

Comment 2 Adam Tkac 2010-03-26 14:13:47 UTC

*** This bug has been marked as a duplicate of bug 556366 ***

