Hi, list, I have upgraded our dns servers to version 9.5.0 P2, we have
a hight load, and a merged setup of authority and recursive servers, I
know this is bad, but one can't have everything it wants, specially
when having low resources.
I have running in almost all the problems listed on this list since
the upgrade for the vulnerability of kaminsky:
Out of file descriptors, ... etc, it has been a realy hard job, we
also have to change our firewall beacuse of the problems with udp
packages, and until now almost everything is solved, but one thing
that realy has me crazy.
We are tunning in rhel 5.2, customs rpms packages of 9.5.0 P2 built
for highs loads, we have 2000 zones, and almost 7000 recursive
clients, I'm trying to fix the problem of:
too many timeouts resolving ...: disabling EDNS

a average ping from our network has this responses

PING google.com (64.233.187.99) 56(84) bytes of data.
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=1 ttl=236
time=582 ms
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=2 ttl=236
time=583 ms

PING isc.org (204.152.184.88) 56(84) bytes of data.
64 bytes from external.isc.org (204.152.184.88): icmp_seq=1 ttl=50 time=610 ms
64 bytes from external.isc.org (204.152.184.88): icmp_seq=2 ttl=50 time=610 ms

I did all the test to confirm our firewall allow big udp packages,
even I have used dig to query for dnssec, and it works ok, so I don't
understand why bind timeouts the edns query, so, I'm wondering, what
is the timeout for a edns query, could I change this value to a custom
one, why dig can do edns queries, and why bind can't do it, and says
timeouts and disable this, I know edns is important for the next step
to use dnssec, but if dig can do it, why binds timeouts???
Any ideas..
Best regards, Aliet