recursive clients quota maxes out when dnssec-validate and dlv-lookaside set to auto

Phil Mayers p.mayers at
Tue Dec 20 08:47:26 UTC 2011

On 12/19/2011 11:14 PM, Mark Jeftovic wrote:

> And it sorta almost works. Except what happens when we restart or
> reconfigure bind is that the number of recursive clients skyrockets to
> the maximum (currently the default 1000) in under a minute and then
> everything starts failing or timing out with a lot of those
> aforementioned log messages.

Interesting. It sounds like when you enable those queries, the 
nameserver suddenly starts emitting queries which aren't getting timely 

Do you have a "clean" path from that nameserver to the internet? No 
firewall enforcing DNS packet "size limits" or blocking TCP queries?

It will be a lot of data, but a tcpdump started just before making the 
changes might show some obvious patterns that point you in the right 

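The path check asked about above (large EDNS responses over UDP, and TCP on port 53), as an added example that is not part of the original message. It assumes it is run on the nameserver host itself, over IPv4, against an authoritative server address and a signed zone name that you supply on the command line; all function names are illustrative.

```python
import socket, struct, sys

def build_query(name, qtype=48, bufsize=4096, qid=0x1234):
    """DNS query (default type 48 = DNSKEY) with an EDNS0 OPT record and the DO bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)            # class IN
    # OPT RR: root owner, type 41, class = advertised UDP size, TTL carries DO (0x8000)
    opt = b"\x00" + struct.pack(">HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def summarize(resp):
    """Pull the fields that matter for this check out of a response header."""
    _, flags, _, answers, _, _ = struct.unpack(">HHHHHH", resp[:12])
    return {"bytes": len(resp), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": answers}

def probe_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return summarize(s.recvfrom(65535)[0])
        except (OSError, struct.error) as e:   # a timeout is an OSError
            return {"error": str(e) or type(e).__name__}

def probe_tcp(server, query, timeout=3.0):
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)  # 2-byte length prefix
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack(">H", buf[:2])[0]:
                chunk = s.recv(65535)
                if not chunk:
                    break
                buf += chunk
            return summarize(buf[2:])
    except (OSError, struct.error) as e:
        return {"error": str(e) or type(e).__name__}

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]   # supplied by you: server IP, signed zone
    for size in (512, 1232, 4096):
        print("udp bufsize", size, probe_udp(server, build_query(name, bufsize=size)))
    print("tcp", probe_tcp(server, build_query(name)))
```

A UDP probe that answers at 512 but times out at 4096 suggests something on the path is dropping large or fragmented responses; a TCP error alongside truncated (tc) UDP answers suggests TCP port 53 is blocked.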
