Package: libunbound8
Version: 1.13.1-1
Severity: normal

Hi,

We were investigating a performance regression in production that crept
in at some point (we noticed by accident that something had become very slow
and started investigating). It turns out the culprit was libunbound; we do
a series of DNS lookups against localhost using ub_resolve(), and each of them
now takes a bit over 6 ms, which is huge for sending a UDP packet and getting
an answer from cache.

It turns out that some of this is because libunbound in Debian is now built
against libnettle (it wasn't when we built the system). The libnettle code in
util/random.c goes through a very slow reseeding phase; and worse, it does it
for both creating a context (we create a new one for each call, because
Reasons(TM)) and for each and every query (because ub_resolve() starts its own
worker, which reseeds). This reseeding is responsible for 60% of the CPU usage
or so, according to perf.

According to pkg-config --libs libunbound, it seems one links to OpenSSL anyway,
so perhaps the simplest solution is to stop linking against libnettle?
Optionally, one can use getentropy() (which calls getrandom()) unconditionally
on Linux, at least with modern kernels.

Doing the latter, and also reusing contexts (which is a pain for us, and I
don't think we had to do it before?) takes it down to a more reasonable 0.5 ms.

-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.12 (SMP w/40 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libunbound8 depends on:
ii  libc6           2.31-13+deb11u2
ii  libevent-2.1-7  2.1.12-stable-1
ii  libgmp10        2:6.2.1+dfsg-1+deb11u1
ii  libhogweed6     3.7.3-1
ii  libnettle8      3.7.3-1

libunbound8 recommends no packages.

libunbound8 suggests no packages.

-- debconf-show failed
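
The report above suggests seeding from getentropy() on Linux instead of the libnettle reseeding path. The following is an added example, not code from the reporter or from unbound's util/random.c: it fills a seed buffer from the kernel and measures the average cost per seed, so the figure can be compared with the per-query times quoted in the report. The function names and the 64-byte SEED_LEN are assumptions made for the illustration.

```c
/* Added example: per-call cost of seeding from the kernel with getentropy(). */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/random.h>   /* getentropy(), glibc >= 2.25 */

#define SEED_LEN 64       /* constructed seed size, not taken from util/random.c */

/* Fill buf with len bytes of kernel entropy. getentropy() rejects requests
 * larger than 256 bytes, so longer buffers are filled in chunks.
 * Returns 0 on success, -1 on failure (errno set by getentropy). */
int seed_from_kernel(uint8_t *buf, size_t len)
{
    while (len > 0) {
        size_t chunk = len > 256 ? 256 : len;
        if (getentropy(buf, chunk) != 0)
            return -1;
        buf += chunk;
        len -= chunk;
    }
    return 0;
}

/* Average wall-clock nanoseconds for one SEED_LEN-byte seed over `rounds`
 * calls; returns a negative value if seeding or the clock fails. */
double avg_seed_ns(int rounds)
{
    uint8_t seed[SEED_LEN];
    struct timespec t0, t1;
    if (rounds <= 0 || clock_gettime(CLOCK_MONOTONIC, &t0) != 0)
        return -1.0;
    for (int i = 0; i < rounds; i++)
        if (seed_from_kernel(seed, sizeof seed) != 0)
            return -1.0;
    if (clock_gettime(CLOCK_MONOTONIC, &t1) != 0)
        return -1.0;
    double ns = (t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec);
    return ns / rounds;
}

int main(void)
{
    printf("getentropy(%d bytes): %.0f ns per seed\n", SEED_LEN, avg_seed_ns(10000));
    return 0;
}
```

Build with `cc -O2` and run on the affected host; the printed value is a measurement on that machine only.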
