[dns-operations] DNSSEC problem at one.com
bert hubert
bert.hubert at netherlabs.nl
Mon Apr 29 13:58:19 UTC 2013
On Mon, Apr 29, 2013 at 03:31:18PM +0200, Patrik Wallström wrote:
> Most problems still come from PowerDNS. They do PowerDNS with signing on
> all of their name servers. We have previously seen problems with PowerDNS
> in combination with BIND resolvers, since PowerDNS with DNSSEC sometimes
> takes a long time to answer due to signing. This causes EDNS0
> blacklisting in BIND. I am not sure that this is the issue this time.

Hi Patrik,

Half of your analysis matches our experiences. The real issue is not that
the signing is slow, but that we mess up some answers which BIND interprets
as a timeout (correctly so), and then does the EDNS blacklisting (which is
more difficult).

This issue has been investigated since late 2012, but it has only recently
become clear which queries are causing the problems.

Note that even with a patched PowerDNS, intermittent timeouts will cause
such problems. Brief network interruptions might have prolonged effects
this way.

Bert

--
PowerDNS Website: http://www.powerdns.com/