Re: DNS Capacity issue help -- Recursive Query -- it seems some packets are dropped by DNS

2018-04-10 Thread Tony Finch
PENG, JUNAN  wrote:
>

I need to start by saying that my load testing is very unscientific,
so I can only give you a few handwaving hints...

> I did a recursive query capacity test.  I used a traffic generator to
> place 15K QPS traffic to DNS 1 with FQDN1 (Note: FQDN1 can't be resolved
> by DNS1; it needs to forward it to DNS2, and TTL is set to 0)

In my experience, 15kqps is easy to achieve with a hot cache, but if you
are forcing the resolver to make recursive queries you'll be sacrificing
a lot of the potential performance (but I can't give you numbers on how
much).

Set the TTL to a non-zero value to get a more realistic test.

> Thing 1.  The DNS query number is larger than the response number between
> the traffic generator and DNS1.  About 15% of traffic is dropped by DNS1.

Are you hammering the same qname or a small number of qnames? If so I
would expect the server to drop queries while it is recursing - look at
the documentation for max-clients-per-query.

> Thing 2. The DNS recursive query number between DNS1 and DNS2 is far less
> than the query number between the traffic generator and DNS1

That's kind of the point of a cache :-)

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
public services available on equal terms to all
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RRSIG query

2018-04-10 Thread rams
Hi
Greetings!!
We have 1 million signed zone records in BIND. My zone is going to
auto-resign after 3 days. If we change the RRSIG expire date to more than
two months from now and then restart BIND, can we avoid the auto-resign
this week? Is there any impact on resolution, or is my zone valid? What
would we need to do to make my zone valid after changing the RRSIG expire
date value manually? Do we need to change any other values along with the
RRSIG expire value? Kindly look into this.

Regards,
Ramesh


Re: RRSIG query

2018-04-10 Thread Matthew Pounsett
On 10 April 2018 at 12:05, rams  wrote:

> Hi
> Greetings!!
> We have 1 million signed zone records in BIND. My zone is going to
> auto-resign after 3 days. If we change the RRSIG expire date to more than
> two months from now and then restart BIND, can we avoid the auto-resign
> this week? Is there any impact on resolution, or is my zone valid? What
> would we need to do to make my zone valid after changing the RRSIG expire
> date value manually? Do we need to change any other values along with the
> RRSIG expire value? Kindly look into this.
>
>
The details of your configuration are probably important here.  It'll be
difficult to give a clear, simple answer without that information.

However, if you have RRSIGs expiring this week then one of two things will
happen:  either they will be re-signed this week, or your zone will go
bogus.  If you have RRSIGs expiring and you manage to delay the next
re-sign out beyond that date, then the signatures you have currently will
expire.  If you simply change the signature lifetime (and you have RRSIGs
expiring this week) then after your re-sign happens the new RRSIGs will
have the new signature lifetime, which would delay the need for the _next_
re-sign.
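Added example (not part of the original thread and not BIND code): a Python check for the situation described in the reply above, sorting RRSIG records by whether their expiration has passed, falls within a window, or lies beyond it. The sample records, the names and the seven-day window are constructed for illustration; timestamps are assumed to be in the YYYYMMDDHHmmSS form that dig prints.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in dig / zone-file presentation format (not real data):
# owner TTL class RRSIG covered alg labels orig-ttl expiration inception keytag signer sig
SAMPLE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20180413120000 20180314120000 12345 example.com. c2ln
www.example.com. 3600 IN RRSIG A 8 3 3600 20180613120000 20180410120000 12345 example.com. c2ln
old.example.com. 3600 IN RRSIG A 8 3 3600 20180409000000 20180310000000 12345 example.com. c2ln
"""


def parse_ts(field):
    """RRSIG times in presentation format are YYYYMMDDHHmmSS, in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Yield (owner, covered_type, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # skip anything that is not a single-line RRSIG record
        yield f[0], f[4], parse_ts(f[9]), parse_ts(f[8])


def classify(text, now, window=timedelta(days=7)):
    """Sort signatures into expired / expiring within the window / ok."""
    report = {"expired": [], "expiring": [], "ok": []}
    for owner, covered, _inception, expiration in parse_rrsigs(text):
        if expiration <= now:
            bucket = "expired"    # a validating resolver rejects this signature
        elif expiration - now <= window:
            bucket = "expiring"   # needs a re-sign before this time
        else:
            bucket = "ok"
        report[bucket].append((owner, covered, expiration))
    return report


if __name__ == "__main__":
    now = datetime(2018, 4, 10, 12, 5, tzinfo=timezone.utc)  # constructed "now"
    for bucket, rows in classify(SAMPLE, now).items():
        for owner, covered, exp in rows:
            print(f"{bucket:9} {owner} {covered} expires {exp:%Y-%m-%d %H:%M}Z")
```
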


expired SSL certificate

2018-04-10 Thread /dev/rob0
The certificate for lists.isc.org expired today, and because of STS 
my browser does not allow a security exception.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: expired SSL certificate

2018-04-10 Thread Mark Andrews
Forwarded to our operations people

> On 11 Apr 2018, at 10:12 am, /dev/rob0  wrote:
> 
> The certificate for lists.isc.org expired today, and because of STS 
> my browser does not allow a security exception.
> -- 
>  http://rob0.nodns4.us/
>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: expired SSL certificate

2018-04-10 Thread Frank Pikelner
Cert looks fixed now. 

Nice to see you're using Let's Encrypt certs... just have to fix the cron job for 
the renew ;-)

Frank


>Forwarded to our operations people

>> On 11 Apr 2018, at 10:12 am, /dev/rob0  wrote:
>> 
>> The certificate for lists.isc.org expired today, and because of STS 
>> my browser does not allow a security exception.