[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8735) Significant delay setting LDAP_OPT_X_TLS_REQUIRE_CERT with invalid DNS

sean.haugh@vertivco.com wrote:
> I'm seeing a significant delay (32s) when setting
> `LDAP_OPT_X_TLS_REQUIRE_CERT` with unreachable DNS servers in
> resolv.conf. We initially discovered the issue in 2.4.42
> although I've confirmed it is present in 2.4.45. AFAIK it is
> not present in 2.4.23.

I assume you see a delay at the client-side.

Are you sure that it is not something caused by the TLS library 
updated in the mean-time? Which one is used by the client?

You should re-test with server certs without any URLs (AIA, CRLDP 
extensions etc.) which might be accessed by your TLS lib.

You could also monitor the DNS traffic. Some resolvers allow to 
switch on query logging. Or tcpdump or similar.

And BTW: The most likely answer is that your resolver should 
always be up and running. Sometimes a local caching resolver helps 
to overcome upstream resolver outage.

Ciao, Michael.