sean.haugh@vertivco.com wrote:
I'm seeing a significant delay (32s) when setting `LDAP_OPT_X_TLS_REQUIRE_CERT` with unreachable DNS servers in resolv.conf. We initially discovered the issue in 2.4.42 although I've confirmed it is present in 2.4.45. AFAIK it is not present in 2.4.23.
I assume you see a delay at the client side.
Are you sure that it is not something caused by the TLS library updated in the meantime? Which one is used by the client?
You should re-test with server certs without any URLs (AIA, CRLDP extensions etc.) which might be accessed by your TLS lib.
You could also monitor the DNS traffic. Some resolvers allow you to switch on query logging. Or tcpdump or similar.
And BTW: The most likely answer is that your resolver should always be up and running. Sometimes a local caching resolver helps to overcome upstream resolver outage.
Ciao, Michael.
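One way to carry out the certificate check suggested above, as an added example that is not part of this thread: dump the URLs a server certificate carries in its AIA and CRL Distribution Point extensions, since those are what a TLS library may try to resolve and fetch during verification. It assumes only the openssl CLI (1.1.1 or newer for -addext) and builds its own throwaway certificates with placeholder hostnames.

```shell
#!/bin/sh
# Added example, not from the thread: list the URLs embedded in a server
# certificate's AIA (OCSP / CA Issuers) and CRL Distribution Point extensions,
# i.e. the addresses a TLS library may resolve and fetch while verifying the
# chain. Assumes the openssl CLI, 1.1.1 or newer (for -addext).
set -eu

# cert_urls CERT.pem -> one URI per line found in the certificate's text dump.
cert_urls() {
    openssl x509 -in "$1" -noout -text \
        | grep -oE 'URI:[^[:space:]]+' \
        | sed 's/^URI://'
}

# has_fetchable_urls CERT.pem -> exit 0 if the certificate carries any URI.
has_fetchable_urls() {
    cert_urls "$1" | grep -q .
}

# count_urls CERT.pem -> number of URIs (0 when there are none).
count_urls() {
    cert_urls "$1" | wc -l | tr -d ' '
}

# make_cert OUT.pem [extra openssl req args] -> constructed self-signed test
# certificate for a placeholder name; the key is written next to it and unused.
make_cert() {
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.invalid" \
        -keyout "${out%.pem}.key" -out "$out" "$@" 2>/dev/null
}

# Demo: one cert with AIA + CRLDP URLs (placeholder hosts), one without.
workdir=$(mktemp -d)
make_cert "$workdir/with-urls.pem" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/,caIssuers;URI:http://ca.example.invalid/ca.crt" \
    -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl"
make_cert "$workdir/no-urls.pem"

for c in "$workdir/with-urls.pem" "$workdir/no-urls.pem"; do
    if has_fetchable_urls "$c"; then
        echo "$c: $(count_urls "$c") URL(s) the TLS lib might fetch:"
        cert_urls "$c" | sed 's/^/  /'
    else
        echo "$c: no AIA/CRLDP URLs"
    fi
done
```

Run it against the real server certificate (`cert_urls server.pem`) to see whether there is anything for the client's TLS library to chase before blaming the resolver.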