recursive clients quota maxes out when dnssec-validate and dlv-lookaside set to auto

Mark Jeftovic markjr at easydns.com
Mon Dec 19 23:14:36 UTC 2011


version: 9.8.1-P1

We're seeing a lot of

"no more recursive clients: quota reached"

log messages on a dns resolver we're running when we try to set
dnssec-validate and dlv-lookaside to auto (and queries time out).

Before the change, we're running this:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor "dlv.isc.org";

With the bundled bind.keys for this distro.

What we're finding is that we only return authenticated data on domains
using dlv lookaside.

So then we try this:

 dnssec-enable yes;
 dnssec-validation auto;
 dnssec-lookaside auto;

and we alternatively try removing the dlv.isc.org key from managed-keys
or leaving it in.

My understanding is that bind would authenticate any signed zones that
have their DS recs at a signed parent via the normal methods, or else
check anything that doesn't via dnssec lookaside.

And it sorta almost works. Except what happens when we restart or
reconfigure bind is that the number of recursive clients skyrockets to
the maximum (currently the default 1000) in under a minute and then
everything starts failing or timing out with a lot of those
aforementioned log messages.

As soon as we back out these changes, the levels drop just as fast and
run usually under 10 clients with occasional spikes up to 20 or so.

We've also tried raising recursive-clients in options but the 1000
default seems to stick, not sure what's up there.

Any pointers appreciated.

-mark

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read My Blog:    http://markable.com
+1-416-535-8672 ext 225
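As an added example that is not part of Mark's post, here is a small Python script a resolver operator could use to watch for the condition described above: it counts the "quota reached" refusals per minute in named's log and compares the recursive client figures from `rndc status` (reported as current/soft/hard) against the limit you believe you configured, which is the quickest way to confirm whether a raised `recursive-clients` value actually took effect. The log lines and status output below are constructed samples, not output from the original poster's server.

```python
import re
from collections import Counter

# Constructed sample of named log lines (BIND 9.8 timestamp format), not real traffic.
SAMPLE_LOG = """\
19-Dec-2011 22:51:03.112 client 192.0.2.10#53422: no more recursive clients: quota reached
19-Dec-2011 22:51:03.540 client 192.0.2.11#41002: no more recursive clients: quota reached
19-Dec-2011 22:51:59.001 client 192.0.2.12#50001: no more recursive clients: quota reached
19-Dec-2011 22:52:10.770 client 192.0.2.13#60010: no more recursive clients: quota reached
19-Dec-2011 22:52:11.000 lame server resolving 'example.com' (in 'example.com'?): 192.0.2.99#53
"""

# Constructed sample of `rndc status` output; the figure is current/soft/hard.
SAMPLE_RNDC_STATUS = """\
version: 9.8.1-P1
number of zones: 12
recursive clients: 997/900/1000
tcp clients: 0/100
server is up and running
"""

# Capture the timestamp down to the minute so refusals can be bucketed per minute.
QUOTA_RE = re.compile(
    r'^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ .*no more recursive clients: quota reached')
STATUS_RE = re.compile(r'^recursive clients: (\d+)/(\d+)/(\d+)$', re.M)

def quota_events_per_minute(log_text):
    """Return {'DD-Mon-YYYY HH:MM': count} of 'quota reached' refusals."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUOTA_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def parse_recursive_clients(status_text):
    """Return (current, soft, hard) from rndc status, or None if the line is absent."""
    m = STATUS_RE.search(status_text)
    return tuple(int(x) for x in m.groups()) if m else None

def running_limit_matches(status_text, configured_limit):
    """True when the hard limit named is actually enforcing equals the configured one."""
    rc = parse_recursive_clients(status_text)
    return rc is not None and rc[2] == configured_limit

def recursion_alerts(log_text, status_text, pct_threshold=90):
    """Build alert strings for near-exhaustion and for every minute with refusals."""
    alerts = []
    rc = parse_recursive_clients(status_text)
    if rc:
        cur, _soft, hard = rc
        pct = 100 * cur // hard
        if pct >= pct_threshold:
            alerts.append(f"recursive clients at {cur}/{hard} ({pct}% of hard limit)")
    for minute, n in sorted(quota_events_per_minute(log_text).items()):
        alerts.append(f"{minute}: {n} 'quota reached' refusals")
    return alerts
```

Run `recursion_alerts(open('/var/log/named.log').read(), subprocess.check_output(['rndc', 'status']).decode())` on the real files to get the same alerts for a live server.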
