[dns-operations] ISC DLV broken?
michael at rancid.berkeley.edu
Mon Apr 6 18:11:26 UTC 2009
On 04/04/09 23:40, Michael Graff wrote:
> Is it working again for you now? We believe we have repaired the issue.
I was on vacation at the time of the problem, so when Mike Van Norman
called me, I was at a bar in LA. (What do you think we Sinatras do when
we're on vacation?)
Anyway, I was able to verify with our on-call engineer that indeed the
problem was affecting recursive resolution on UC Berkeley's nameservers,
and she was able to disable DNSSEC validation on the recursive servers.
Unfortunately, due to an apparent reference leak in BIND, this is a
non-trivial task. Turning off validation and doing 'rndc reconfig'
often triggers an INSIST failure. This is off-topic for this list,
though, and I am already communicating with bind-bugs@ on this topic. I
think it may be fixed in 9.6.1b1 and later.
I was not able to do any troubleshooting at the time of the problem (and
I can't verify what Geoffrey observed), but I am currently able to do
validation, and I am slowly turning validation back on for our
production nameservers. It looks like things are going well now. Would
it be possible to get some information on what the problem was and what
was done to fix it? I think it will be necessary to give some
information to my campus, since they suffered during the problem.
More information about the dns-operations