version: 9.8.1-P1

We're seeing a lot of "no more recursive clients: quota reached" log messages on a DNS resolver we're running when we try to set dnssec-validation and dnssec-lookaside to auto (and queries time out).

Before the change, we're running this:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor "dlv.isc.org";

with the bundled bind.keys for this distro. What we're finding is that we only return authenticated data on domains using DLV lookaside.

So then we try this:

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

and we alternatively try removing the dlv.isc.org key from managed-keys or leaving it in.

My understanding is that BIND would authenticate any signed zones that have their DS records at a signed parent via the normal methods, or else check anything that doesn't via DNSSEC lookaside. And it sorta almost works.

Except what happens when we restart or reconfigure BIND is that the number of recursive clients skyrockets to the maximum (currently the default 1000) in under a minute, and then everything starts failing or timing out with a lot of those aforementioned log messages. As soon as we back out these changes, the levels drop just as fast and usually run under 10 clients, with occasional spikes up to 20 or so.

We've also tried raising recursive-clients in options, but the 1000 default seems to stick; not sure what's up there.

Any pointers appreciated.

-mark

--
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog: http://markable.com
+1-416-535-8672 ext 225
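The recursive-client exhaustion described in the post is easier to pin to a restart or reconfigure if the quota-reached messages are counted per minute and compared against the live counter from `rndc status`. The following is an added monitoring example, not code from the post or from ISC; it assumes BIND's default file-log timestamp layout ("DD-Mon-YYYY HH:MM:SS.mmm category: severity: message") and the "recursive clients: current/soft/hard" line that `rndc status` prints, and the log and status text below are constructed samples.

```python
import re
from collections import Counter
from datetime import datetime

QUOTA_MSG = "no more recursive clients: quota reached"
# Assumed BIND file-log layout: timestamp, category, severity, message.
LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?" + re.escape(QUOTA_MSG))
# Assumed "rndc status" line: "recursive clients: current/soft/hard".
STATUS_RE = re.compile(r"recursive clients:\s*(\d+)/(\d+)/(\d+)")


def quota_hits_per_minute(lines):
    """Count quota-reached messages in each one-minute bucket."""
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            buckets[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)


def minutes_over_threshold(lines, threshold):
    """Minutes in which the quota message fired at least `threshold` times."""
    return sorted(k for k, v in quota_hits_per_minute(lines).items() if v >= threshold)


def parse_rndc_status(text):
    """Return (current, soft, hard) recursive-client counts, or None if absent."""
    m = STATUS_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def client_utilisation(text):
    """Fraction of the hard recursive-clients limit currently in use."""
    parsed = parse_rndc_status(text)
    if parsed is None:
        return None
    current, _soft, hard = parsed
    return current / hard


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10-Jan-2013 12:00:05.101 client: warning: client 192.0.2.5#54321: " + QUOTA_MSG,
    "10-Jan-2013 12:00:17.402 client: warning: client 192.0.2.9#41000: " + QUOTA_MSG,
    "10-Jan-2013 12:00:44.003 client: warning: client 198.51.100.7#5353: " + QUOTA_MSG,
    "10-Jan-2013 12:00:50.000 general: info: reloading configuration succeeded",
    "10-Jan-2013 12:01:02.900 client: warning: client 192.0.2.5#54322: " + QUOTA_MSG,
]
# Constructed "rndc status" excerpt.
SAMPLE_STATUS = "version: 9.8.1-P1\nrecursive clients: 950/900/1000\ntcp clients: 0/100\n"
```

Run `minutes_over_threshold(SAMPLE_LOG, 3)` against a tail of named's log after a reconfigure to see which minute the quota first saturated, and `client_utilisation(SAMPLE_STATUS)` against live `rndc status` output to watch the counter climb.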