[dns-operations] More dnssec issues with .gov?
Michael Graff
michael_graff at isc.org
Wed May 6 19:48:46 UTC 2009

Craig Leres wrote:
> nsx.lbl.gov started returning SERVFAIL for "dig +dnssec gov." a few
> minutes ago.
> ...
> As before, I did a "rndc flush" and that fixed the issue. (I dumped the
> cache before doing this in case it contains any useful info.)

I do not know exactly why this is happening, but I am working on an
aspect of this -- the memory bloat when BIND 9 encounters a problem in
validation.

The symptoms are not DLV specific, but DLV can more easily be used to
trigger the problem.

If one mis-configures a trust anchor, then queries into that zone, BIND
9 will inflate memory rather quickly. When DLV is used, and provides a
trust anchor that BIND cannot handle (such as the .gov NSEC3 key for
non-NSEC3 aware resolvers) the bloat was triggered.

More on this as we discover more. We are working on this as a priority.

--Michael