Re: (ITS#8735) Significant delay setting LDAP_OPT_X_TLS_REQUIRE_CERT with invalid DNS
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8735) Significant delay setting LDAP_OPT_X_TLS_REQUIRE_CERT with invalid DNS
- From: firstname.lastname@example.org
- Date: Thu, 14 Sep 2017 19:38:52 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> I'm seeing a significant delay (32s) when setting
> `LDAP_OPT_X_TLS_REQUIRE_CERT` with unreachable DNS servers in
> resolv.conf. We initially discovered the issue in 2.4.42
> although I've confirmed it is present in 2.4.45. AFAIK it is
> not present in 2.4.23.
I assume you see the delay on the client side.
Are you sure that it is not something caused by the TLS library
updated in the meantime? Which one is used by the client?
You should re-test with server certs without any URLs (AIA, CRLDP
extensions etc.) which might be accessed by your TLS lib.
You could also monitor the DNS traffic. Some resolvers allow you to
switch on query logging. Or use tcpdump or similar.
And BTW: The most likely answer is that your resolver should
always be up and running. Sometimes a local caching resolver helps
to overcome an upstream resolver outage.
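The reply suggests re-testing with server certificates that carry no AIA or CRL distribution point URLs, since a TLS library may try to fetch those during verification and stall while the resolver is unreachable. The following is an added example for checking a certificate for exactly those URLs; it is not code from the reporter, the responder or the OpenLDAP project. It is a minimal DER walker with no third-party dependencies; the extension bytes in `sample_extensions()` are constructed test data, not a real certificate, and the `.example.test` hostnames are placeholders.

```python
"""List the AIA and CRLDP URLs in an X.509 certificate (added example, not OpenLDAP code).

A certificate that carries such URLs may cause the verifying TLS library to
contact the network (OCSP responder, CA issuer, CRL server), which turns a dead
resolver into a verification delay. Knowing which URLs are present tells you
whether that is a plausible cause of a slow LDAP_OPT_X_TLS_REQUIRE_CERT setup.
"""
import base64
import re

# DER-encoded OID values (without tag/length) for the extensions of interest.
AIA_OID = bytes.fromhex("2b06010505070101")      # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
CRLDP_OID = bytes.fromhex("551d1f")              # 2.5.29.31 cRLDistributionPoints
OCSP_OID = bytes.fromhex("2b06010505073001")     # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
CAISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints (no URLs)
URL_EXTENSIONS = {AIA_OID: "authorityInfoAccess", CRLDP_OID: "cRLDistributionPoints"}


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, body):
    """Build one DER tag-length-value element (used only to construct sample data)."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Read one TLV at `pos`; return (tag, body, position after the element)."""
    tag, pos = buf[pos], pos + 1
    first, pos = buf[pos], pos + 1
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the body of a constructed element into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out


def collect_uris(buf):
    """Recursively gather GeneralName uniformResourceIdentifier ([6], tag 0x86) strings."""
    uris = []
    for tag, body in children(buf):
        if tag == 0x86:                   # context-specific primitive [6] = IA5String URI
            uris.append(body.decode("ascii"))
        elif tag & 0x20:                  # constructed: descend
            uris.extend(collect_uris(body))
    return uris


def network_urls(extensions_der):
    """Map extension name -> list of URLs for the AIA and CRLDP extensions found.

    `extensions_der` is the DER Extensions SEQUENCE (the content of [3] in TBSCertificate).
    """
    found = {}
    _, exts_body, _ = read_tlv(extensions_der, 0)
    for tag, ext_body in children(exts_body):
        if tag != 0x30:
            continue
        parts = children(ext_body)        # extnID OID, optional critical BOOLEAN, extnValue OCTET STRING
        oid, value = parts[0][1], parts[-1][1]
        name = URL_EXTENSIONS.get(oid)
        if name:
            found[name] = collect_uris(value)
    return found


def extensions_from_certificate(cert):
    """Return the DER Extensions SEQUENCE of a PEM or DER certificate, or None if absent."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    _, cert_body, _ = read_tlv(cert, 0)                    # Certificate SEQUENCE
    _, tbs_body = children(cert_body)[0]                   # tbsCertificate
    for tag, body in children(tbs_body):
        if tag == 0xA3:                                    # extensions [3] EXPLICIT
            return body
    return None


def sample_extensions():
    """Constructed sample Extensions SEQUENCE: AIA (OCSP + caIssuers), CRLDP, basicConstraints."""
    aia = tlv(0x30, tlv(0x30, tlv(0x06, OCSP_OID) + tlv(0x86, b"http://ocsp.example.test/"))
                  + tlv(0x30, tlv(0x06, CAISSUERS_OID) + tlv(0x86, b"http://ca.example.test/issuer.crt")))
    crldp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/ca.crl")))))
    basic = tlv(0x30, tlv(0x01, b"\xff"))                  # cA=TRUE
    return tlv(0x30,
               tlv(0x30, tlv(0x06, AIA_OID) + tlv(0x04, aia))
               + tlv(0x30, tlv(0x06, CRLDP_OID) + tlv(0x04, crldp))
               + tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, basic)))


if __name__ == "__main__":
    for name, urls in network_urls(sample_extensions()).items():
        print(name, urls)
```

Running it on the sample data prints the two OCSP/caIssuers URLs under `authorityInfoAccess` and the CRL URL under `cRLDistributionPoints`; on a real server certificate, read the PEM file and pass it through `extensions_from_certificate` first. An empty result means the certificate itself gives the TLS library no reason to touch DNS, and the delay must come from somewhere else.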