In my experience I haven’t had any issues having DNSSEC validation on, minus
the odd bogus signed zone (both publicly and privately). Back when I was
working with Craig we enabled it on the TotalTeam ISP DNS servers without any
impact. Also, I’ve been running validation on my internal recursive DNS servers
running BIND 9.9 for a long time.

Without further information, my inclination would be that it ‘might’ be a broken
DNSSEC implementation on the DNS server. Any further info on what domains are
not validating correctly or what DNS server and version you are running?

Fraser

> On 9 Jun 2015, at 7:18 am, steve <[email protected]> wrote:
> 
> There's a few notes below, but I think that removing DNSSEC requirements from 
> the DNS server might have sorted it.
> 
> Does that make sense? It was causing a metric shedload of error messages.
> 
> 
> Steve
> 
> On 08/06/15 09:09, C. Falconer wrote:
>> steve wrote on 06/06/15 17:00:
>>> Am nearing wits end... been away on hols for a month and my network 
>>> performance has plummeted.
>>> 
>>> The best way of describing the problem is that you need to refresh a web 
>>> page before you get any content. In addition, bulk loading across a VPN ( 
>>> eg scp ) fails regularly.
>>> 
>>> Basic design of network: 'firewall' server runs fail2ban and links upstream 
>>> ADSL to local wireless and wired subnets. It also provides DNS ( caching 
>>> server ), DHCP, OpenVPN etc services.
>>> 
>>> I initially thought it was a DNS problem, and have migrated from the local 
>>> ( Voda ) DNS servers to OpenDNS, having briefly tried Google's resolvers on
>>> the way. No improvement.
>>> 
>>> Any thoughts on what I can try to identify the real problem? My thought is 
>>> that the GCSB are involved somewhere along the line, but as a SysAdm I am 
>>> paid to be paranoid!
>> 
>> 
>> OK - honestly I have no idea.... but I agree with Fraser in that "random 
>> weird stuff" does often have root causes in DNS or MTU.  But you've appeared 
>> to rule them out.
>> 
>> 
>> So, cut the problem up.
>> 1) Does the link test as slow when from the firewall box, as opposed to a 
>> client machine?
>>         If no then it's a local network thing - isolate between wired and
>> wireless clients
>>         If yes, then it's an internet link.
> OK, I'm testing this as we speak as I don't have a GUI and want to test like 
> for like. Download speeds are not a problem generally, I usually manage to 
> crank over 1MB/s from anywhere not wirelessly connected.
> 
> Interestingly, if I try to start up firefox via ssh -X to the 'firewall', it 
> starts a new session up on the local workstation if ff is running on that, 
> and vv.
>> 
>> 2) How's the neighbour's speeds?  Do they have Chorus ADSL?
> No idea really. We generally get good service over here, probably due to the 
> odd MP living locally (:
>> 
>> 3) Have you got any other ADSL routers to swap out?  It's not unknown for the
>> hardware to just start dying from rubbish on the wire, especially if it's not
>> completely urban.
> The venerable 12 year old speedtouch doesn't seem to make any appreciable 
> difference.
>> 
>> 4) Have you spoken with your ISP about getting line tests done?  They can do 
>> a 2 or 24 hour line test and monitor the stats from your DSL link, which 
>> should give some indication of the DSL's performance.  You can continue to 
>> use it like normal for the test period too.
> Like I say, the line seems to be fine, once the traffic is flowing.
>> 
>> 5) From memory you're in Diamond Harbour, so pretty SOOL for anything like 
>> fibre.  Would you have line of sight to Marleys hill?  Probably not.   Would 
>> you entertain the thought of a wireless link across the water?   Do you know 
>> anyone in Lyttelton with fibre and LOS to your place ?
> Yes, I'm over the water, unfortunately round the corner too. I'm not too sure
> what wireless propagates like over water... last time I read up, the bounces 
> caused problems. However, with these 3 aerialed thingies, that shouldn't be a 
> problem nowadays???
>> 
>> 6) If you want to investigate further, do a
>>         tcpdump -i any -nn -w poorlink.pcap -vv -s 1500
>> on your firewall, while testing from the internal host.   Do something to 
>> exhibit the problem, and then email me the pcap off list.
>> 
>> 7) Finally, apply all windows updates, upgrade flash, java and acrobat 
>> reader, do an antivirus scan and a malware scan, and restart your computer.
> Wash your mouth out (:
>> 
>> --
>> CF
>> 
>> 
>> _______________________________________________
>> Linux-users mailing list
>> [email protected] 
>> <mailto:[email protected]>
>> http://lists.canterbury.ac.nz/mailman/listinfo/linux-users 
>> <http://lists.canterbury.ac.nz/mailman/listinfo/linux-users>
> 
> --
> Steve Holdoway BSc(Hons) MIITP
> http://www.greengecko.co.nz <http://www.greengecko.co.nz/>
> Linkedin: http://www.linkedin.com/in/steveholdoway 
> <http://www.linkedin.com/in/steveholdoway>
> Skype: sholdowa

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
