Hi, list,

I have upgraded our DNS servers to version 9.5.0 P2. We have a high load and a merged setup of authoritative and recursive servers. I know this is bad, but one can't have everything one wants, especially when having low resources. I have run into almost all the problems listed on this list since the upgrade for the Kaminsky vulnerability: out of file descriptors, etc. It has been a really hard job; we also had to change our firewall because of the problems with UDP packets, and until now almost everything is solved, but one thing really has me crazy.

We are running on RHEL 5.2 with custom RPM packages of 9.5.0 P2 built for high loads; we have 2000 zones and almost 7000 recursive clients. I'm trying to fix the problem of:

    too many timeouts resolving ...: disabling EDNS

An average ping from our network gives these responses:

    PING google.com (64.233.187.99) 56(84) bytes of data.
    64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=1 ttl=236 time=582 ms
    64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=2 ttl=236 time=583 ms

    PING isc.org (204.152.184.88) 56(84) bytes of data.
    64 bytes from external.isc.org (204.152.184.88): icmp_seq=1 ttl=50 time=610 ms
    64 bytes from external.isc.org (204.152.184.88): icmp_seq=2 ttl=50 time=610 ms

I did all the tests to confirm our firewall allows big UDP packets; I have even used dig to query for DNSSEC, and it works OK, so I don't understand why BIND times out the EDNS query. So I'm wondering: what is the timeout for an EDNS query? Could I change this value to a custom one? Why can dig do EDNS queries, and why can't BIND do it, saying it timed out and disabling this? I know EDNS is important for the next step to use DNSSEC, but if dig can do it, why does BIND time out???

Any ideas..

Best regards,
Aliet
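A small diagnostic to go with the question above, added here as an example and not code from Aliet's mail or from ISC. It does by hand what dig does with +edns=0 and +bufsize: it sends the same question three times over UDP, once without EDNS and twice with an EDNS0 OPT record advertising a 512-byte and a 4096-byte buffer, then reports for each whether a reply came back before the timeout, whether the reply carried an OPT record, and whether TC was set. Running it on the BIND host against the upstream servers that BIND logs as timing out shows whether the path drops EDNS queries, drops only the large-buffer ones, or is simply slow; the 2-second timeout, the server 127.0.0.1 and the name isc.org are placeholders, and the embedded sample reply is constructed so the parser can be exercised offline.

```python
import socket
import struct
import sys

DNS_PORT = 53
TYPE_A = 1
TYPE_OPT = 41


def build_query(qname, qtype=TYPE_A, edns_payload=None, do_bit=False, txid=0x1234):
    """Build a DNS query in wire format, appending an EDNS0 OPT RR when edns_payload is set."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode(8)|version(8)|DO+Z(16), RDLEN=0 (no options)
        ttl_field = 0x8000 if do_bit else 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, ttl_field, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the fields that matter for an EDNS path check from a raw DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    info = {"txid": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "edns": False, "udp_payload": None, "do": False, "answers": an}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["udp_payload"] = rclass            # CLASS carries the peer's buffer size
            info["do"] = bool(ttl & 0x8000)         # DO bit lives in the TTL field
            info["rcode"] |= (ttl >> 24) << 4       # extended RCODE upper bits
    return info


def probe(server, qname, edns_payload=None, timeout=2.0):
    """Send one UDP query and return the parsed reply, or None if nothing arrives in time."""
    query = build_query(qname, edns_payload=edns_payload, do_bit=edns_payload is not None)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, DNS_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed sample reply (not captured traffic): NOERROR, one A record for
# example.com using a compression pointer, plus an OPT RR with bufsize 4096 and DO set.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
)

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder resolver/upstream
    name = sys.argv[2] if len(sys.argv) > 2 else "isc.org"       # placeholder name to ask for
    for label, payload in (("plain UDP", None), ("EDNS0 512", 512), ("EDNS0 4096", 4096)):
        reply = probe(server, name, payload)
        if reply is None:
            print(f"{label:11s}: timeout")
        else:
            print(f"{label:11s}: rcode={reply['rcode']} tc={reply['tc']} "
                  f"opt={reply['edns']} bufsize={reply['udp_payload']}")
```

If the plain query answers but both EDNS queries time out, something on the path is dropping packets that carry an OPT record; if only the 4096-byte probe fails or comes back with TC set, the path has a size limit below what the resolver advertises. A firewall that passes dig's queries from an admin workstation can still treat the server's own source ports differently, so run the probe from the BIND host itself.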
