Hi Daniel

On Tue, Oct 18, 2016 at 09:08:37AM +0200, Daniel Stirnimann wrote:
> It currently looks like that only having the spamhaus rpz zones active
> causes the occasional timeouts. Maybe it's related to the zone size as
> dbl.rpz.spamhaus.org is quite large. If i/o performance on the virtual
> hosts turns out to be a problem, then masterfile-format map; does not
> look like a good solution, as this increases the zone file on disk by a
> factor of about 4.
Firstly, RPZ in BIND 9.9 (vanilla) is broken, unmaintained and should not be used by anyone. If you know people using BIND 9.9 (vanilla) for RPZ, please ask them to upgrade to 9.10 at least. RPZ in the 9.9 subscription branch is OK.

We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some trouble due to a less than desirable design / implementation of RPZ in BIND. We have a plan to refactor the RPZ implementation for 9.12 to remove these inefficiencies.

As a workaround, may I suggest using AXFR for policy zone transfers to see if that helps you, also rate-limiting the transfers to occur less frequently than the rate of notifies you get for the policy zone. AXFR transfer is actually more expensive than IXFR, but under the hood it avoids some contention that occurs with IXFR (updates) vs. queries to the same zone in the query path. AXFR will not be able to keep up with the rapid churn in dbl.rpz.spamhaus.org, so you'll have to rate-limit it too.

If this doesn't help, please contact me off this list and we'll follow up.

Mukund
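A named.conf fragment showing the AXFR-only workaround described above, added here as an illustration; it is not from the thread or from ISC. The primary address, file path and refresh values are placeholders.

```conf
options {
    // ... existing options ...
    // The zone only acts as a policy zone if it is listed here.
    response-policy { zone "dbl.rpz.spamhaus.org"; };
};

zone "dbl.rpz.spamhaus.org" {
    type slave;
    masters { 192.0.2.1; };            // placeholder primary address
    file "rpz/dbl.rpz.spamhaus.org";   // placeholder path, plain text format (not "map")
    request-ixfr no;                   // always request AXFR, never IXFR, for this zone
    min-refresh-time 3600;             // assumed values: clamp the SOA refresh interval so
    max-refresh-time 7200;             // timer-driven transfers run at most once an hour
};
```

The refresh clamps only bound the SOA-timer refresh; a NOTIFY from a listed master still triggers a refresh immediately, so notify-driven churn has to be throttled at the source rather than by these settings.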
bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users