On 19 April 2010 13:06, Vincent Hoffman <vi...@unsane.co.uk> wrote:

> On 19/04/2010 12:12, krad wrote:
> > Hi,
> >
> > Not strictly a freebsd question this but I'm feeling jittery about this as I
> > can't afford it to go wrong.
> >
> > As you are probably aware the root zones are going to be signed soon. I run
> > a number of heavily used dns caches (~ 600-900 queries / sec) running djb
> > dnscache. From what I can see dnscache doesn't support dnssec and edns and
> > as these boxes are caches they will be querying the root ns a lot. They are
> > also not behind a discrete firewall, so it's not that dropping the large udp
> > packets. I can't find any categoric answer to whether I will get an issue
> > here and this makes me nervous. Can anyone offer any advice or pointers on
> > this?
> >
> > $ dig @test.server +short rs.dns-oarc.net txt
> > rst.x476.rs.dns-oarc.net.
> > rst.x485.x476.rs.dns-oarc.net.
> > rst.x490.x485.x476.rs.dns-oarc.net.
> > "212.139.132.43 DNS reply size limit is at least 490"
> > "212.139.132.43 lacks EDNS, defaults to 512"
> > "Tested at 2010-04-19 10:42:04 UTC"
> >
> >
> > I would upgrade the ns to bind, but historically there were issues with bind
> > on these boxes so if I were to do this I would need to upgrade to 8-stable
> > (they are a mixture of 4,5,6) where I can safely use threaded bind. All of
> > these boxes are remote and heavily active so with the time constraints isn't
> > that desirable.
> >
> dns/unbound (http://unbound.net/) might be a better way to go than
> bind if you just want a dnssec aware caching resolver.
>
> Vince
>
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Unfortunately not an option as we have a number of specialized patches running on the servers. These are available for bind and djb only.