On Sun, May 19, 2019 at 10:55:53PM +0200, Peter V wrote:
> Hi all,
>
> I would like to get an opinion on an issue I was involved in over the weekend.
> The customer utilizes an RPZ feed from Spamhaus, and it worked pretty OK for some
> months after the initial deployment.
> They reported an issue with wrong performance of BIND DNS;
> BIND version: 9.10.8-P1
BIND 9.11 and below sometimes can't keep up with Spamhaus's feeds (their rate of change) without significant tuning. RPZ in BIND 9.11 (the non-subscription open source version) and below updates its summary data structures synchronously along with policy zone updates, which causes severe lock contention with the query path. With Spamhaus feeds, updates can be almost continuous with no relief.

BIND 9.12+ mitigates this somewhat by refactoring the RPZ summary data structure update path so it doesn't happen synchronously with the RPZ zone updates, albeit with some differences (esp. for the typical Spamhaus feeds' users: changes from RPZ feeds are visible every 60s in the default configuration). You may want to try BIND 9.12+ to see if it helps your case.

(An alternative on BIND 9.10 is to see whether forcing AXFR by using "request-ixfr no;" helps. This uses different code paths within named that could reduce some lock contention; however, it would behave poorly with Spamhaus's feeds, which are quite large. At least the transfer rate would have to be limited somehow, and I know that it hasn't helped for some users.)

This is an elaborate topic, more than just RPZ.

Mukund
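For readers who want to see where the "request-ixfr no;" knob from the reply above sits, here is an added named.conf fragment (not from the original thread, nor from ISC's documentation) showing an RPZ policy zone slaved from a feed with IXFR disabled so it is always refreshed by full AXFR. The zone name rpz.feed.example, the primary address 192.0.2.1 and the logging channel path are placeholders, not values from the thread; the directive syntax is BIND 9.10's (slave/masters).

```conf
options {
    directory "/var/cache/bind";

    // Consult the policy zone for every query; the zone itself is
    // defined below and refreshed from the feed provider.
    response-policy { zone "rpz.feed.example"; };
};

// Separate log channel so transfer frequency and size of the policy
// zone can be watched independently of normal query logging.
logging {
    channel rpz_xfer {
        file "/var/log/named/rpz-xfer.log" versions 5 size 20m;   // placeholder path
        print-time yes;
        severity info;
    };
    category xfer-in { rpz_xfer; };
};

zone "rpz.feed.example" {               // placeholder zone name
    type slave;
    file "rpz.feed.example.db";
    masters { 192.0.2.1; };             // placeholder feed primary

    // Default (request-ixfr yes;) pulls incremental diffs, which on a
    // high-churn feed arrive almost continuously.
    // Setting it to no forces a full AXFR on each refresh instead, the
    // workaround the reply suggests trying on 9.10. Each transfer is then
    // the whole (large) zone, so watch the xfer-in log for size and timing.
    request-ixfr no;

    allow-query { none; };              // policy data is never served directly
};
```

With this in place the xfer-in channel records one "Transfer completed" line per refresh, which makes it straightforward to see how often and how much data the policy zone is pulling before and after the change.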