Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Michael Graff
It's really something you'll have to set, and monitor.  I'd start with 1 GB, 
and see how close it gets to that in (say) a week.  If it takes a few hours, 
you might need to go up to 2 or 4, and see how that works.  It may never hit 
the memory limit.  Also note that there is 10% to 20% overhead, so if you set a 
1 GB limit, it's really more like a 1.1GB to 1.2GB limit.  This is because the 
cache is not the only thing that uses memory, of course, and the limit is only 
for the cache.

Remember that the cache is only used as a cache, and is not required for 
operation.  Technically, BIND 9 could run with a very, very small cache.  The 
default of 32 MB is actually a fairly new thing.  It used to be unlimited, but 
that means BIND will hit some operating system imposed limit, and that is more 
painful than self-management.

--Michael

On Jun 1, 2012, at 12:26 AM, blr maani wrote:

> Doug,
>   hmmm.. 75%-85% seems too large because the host runs email application in
> addition to cache-and-forward-only BIND (for better local caching). So, I was
> wondering if there are any best/proven practice/recommendations for such
> shared application hosts?
>
> The default value is 32MB. We have 8GB RAM. I don't know if it's better to
> start with 1GB (1/8th of RAM)?
>
> thanks
> blr
>
>
> On Thu, May 31, 2012 at 8:17 PM, Michael Graff mgr...@isc.org wrote:
>> Hmm, I don't quite think this is a good idea.  BIND 9 (since 9.5) manages
>> memory quite well, but it will happily consume all you have and go into swap.
>>
>> I'd set it high enough (on a dedicated machine) to use plenty of RAM, but low
>> enough to not cause other OS components to swap out or BIND itself to swap.
>> 75% or 85% range seems like a good starting point.
>>
>> --Michael
>>
>> On May 31, 2012, at 8:18 PM, Doug Barton wrote:
>>
>>> On 5/31/2012 1:51 PM, blrmaani wrote:
>>>
>>>> Question:
>>>> what is the recommended configuration for 'max-cache-size' for optimum
>>>> usage?
>>>
>>> You should not restrict the size of the cache at all if you want the
>>> best performance. BIND will use as much memory as it needs in order to
>>> satisfy the requests of your users.
>>>
>>> --
>>> If you're never wrong, you're not trying hard enough

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Doug Barton
On 05/31/2012 22:26, blr maani wrote:
> Doug,
>   hmmm.. 75%-85% seems too large because the host runs email application
> in addition to cache-and-forward-only BIND (for better local caching).

So get more RAM, or split your services onto multiple systems. Yes, I
realize that may not be possible for financial reasons, but you asked
about *optimum* performance. The cache is there for a reason.

One thing that can help is to set the cleaning interval more
aggressively, but that can also cause performance problems for your
clients if you are CPU bound, so use that option with care, and monitor
the results after a change.

> So, I was wondering if there are any best/proven
> practice/recommendations for such shared application hosts?

Yes, don't do that. :)

Doug

-- 
If you're never wrong, you're not trying hard enough


Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Chris Thompson

On Jun 1 2012, Michael Graff wrote:

> [...] The default of 32 MB is actually a fairly new thing.

Surely the default went back to 0 (effectively unlimited) long ago?

2253.   [func]  max-cache-size defaults to 32M.
   max-acache-size defaults to 16M.

got into BIND 9.5.0, but

2457.   [tuning]max-cache-size is reverted to 0, the previous
   default.  It should be safe because expired cache
   entries are also purged. [RT #18684]

was there before 9.5.1, and AFAICS it has been like that ever since.

--
Chris Thompson
Email: c...@cam.ac.uk


Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Matus UHLAR - fantomas

On 31.05.12 22:26, blr maani wrote:
> hmmm.. 75%-85% seems too large because the host runs email application in
> addition to cache-and-forward-only BIND (for better local caching). So, I
> was wondering if there are any best/proven practice/recommendations for
> such shared application hosts?
>
> The default value is 32MB. We have 8GB RAM. I don't know if it's better to
> start with 1GB (1/8th of RAM)?


I was thinking of this when the default was changed to 32M. I changed 
it intentionally to 0 to see how much memory usage would grow.


I can tell you that on one of our servers where named uses most memory, 
it currently uses 1359868 VSZ and 732852 RSS after 38 days with ~432 
queries per second.


I have even increased max-ttl and max-negative-ttl to see if it affects 
memory usage.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.


Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread JINMEI Tatuya / 神明達哉
At Fri, 01 Jun 2012 03:27:22 -0700,
Doug Barton do...@dougbarton.us wrote:

> One thing that can help is to set the cleaning interval more
> aggressively, but that can also cause performance problems for your
> clients if you are CPU bound, so use that option with care, and monitor
> the results after a change.

cleaning interval has been effectively no-op since BIND 9.5.  Tweaking
it won't improve performance, although it shouldn't cause a bad effect
either.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Recommended value for max-cache-size for cache-only shared hosts..

2012-06-01 Thread Dan Mason
On Fri, Jun 01, 2012 at 01:11:48PM -0700, JINMEI Tatuya / 神明達哉 wrote:
> At Fri, 01 Jun 2012 03:27:22 -0700,
> cleaning interval has been effectively no-op since BIND 9.5.  Tweaking
> it won't improve performance, although it shouldn't cause a bad effect
> either.

If your cache is too small the CPU will peg when the cleaning-interval goes.  
Maybe that's changed but the behavior still exists in the 9.7 branch.  Setting 
your cache size really depends on your query load.  On a resolver doing 
15,000 qps having a cache of 256M will cause a problem during the 
cleaning-interval whereas if it's 2G you won't notice the interval at all.  
Also on a busy resolver expect BIND to use about twice as much as where you set 
your limits.


Dan

-- 
Daniel Mason
Senior Engineer
CenturyLink, Inc.

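Turning the thread's tuning advice into a repeatable check: Michael Graff's suggestion to pick a limit and watch how close named gets to it, his 10-20% overhead figure, Dan Mason's observation that a busy resolver can run at about twice the configured limit, and the VSZ/RSS sample Matus Uhlar posted. The Python below is an added example, not code from the thread or from BIND; it parses the max-cache-size value out of named.conf text (K/M/G suffixes, 0 or unlimited), reads VmRSS from the contents of /proc/<pid>/status, and classifies the result against a RAM budget that leaves room for the other services on a shared host. The configuration snippet and status text are constructed, the function names are this example's own, and the overhead factor is a parameter you set from your own measurements.

```python
import re

# Added example (not code from the thread or from BIND): check a configured
# max-cache-size and the running named's RSS against a shared host's RAM budget.

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value: str):
    """Parse a max-cache-size value such as '32M', '1G', '0' or 'unlimited'.

    Returns the size in bytes, or None when no limit is set.
    """
    v = value.strip().lower().rstrip(";").strip()
    if v in ("0", "unlimited"):
        return None
    m = re.fullmatch(r"(\d+)\s*([kmg]?)", v)
    if not m:
        raise ValueError(f"unrecognised max-cache-size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def max_cache_size_from_conf(named_conf: str):
    """Extract max-cache-size from named.conf text.

    An absent option means the default; per Chris Thompson's CHANGES excerpt
    that has been 0 (unlimited) since 9.5.1, so None is returned.
    """
    m = re.search(r"\bmax-cache-size\s+([^;]+);", named_conf)
    return parse_size(m.group(1)) if m else None


def rss_from_proc_status(status_text: str) -> int:
    """Resident set size in bytes from the text of /proc/<pid>/status."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status_text, re.M)
    if not m:
        raise ValueError("no VmRSS line in status text")
    return int(m.group(1)) * 1024


def assess(limit, rss, total_ram, other_services, overhead=1.2):
    """Classify named's memory situation on a shared host.

    overhead: expected named footprint as a multiple of max-cache-size.
    The thread gives 1.1-1.2 (Michael Graff) and up to about 2 on a busy
    resolver (Dan Mason); measure your own and pass it in.
    """
    if limit is None:
        return "unlimited"          # named may grow until the OS limit or swap
    budget = limit * overhead
    if budget + other_services > total_ram:
        return "limit-too-high"     # cache budget plus other services exceeds RAM
    if rss > budget:
        return "rss-over-budget"    # named is larger than the cache limit explains
    return "ok"


if __name__ == "__main__":
    GIB = 1024 ** 3
    # Constructed named.conf fragment and /proc status text (not real hosts).
    conf = 'options {\n    directory "/var/named";\n    max-cache-size 1G;\n};\n'
    status = "Name:\tnamed\nVmSize:\t1359868 kB\nVmRSS:\t 732852 kB\n"
    limit = max_cache_size_from_conf(conf)
    rss = rss_from_proc_status(status)
    # 8 GB host with, say, 6 GB reserved for the mail stack.
    print("limit:", limit, "rss:", rss, "verdict:",
          assess(limit, rss, 8 * GIB, 6 * GIB))
```

Run it periodically (cron or your monitoring agent) with the real named.conf and /proc/<pid>/status of the named process; "rss-over-budget" is the signal Michael describes for raising or investigating the limit, and "unlimited" on a shared host is the situation where named competes with everything else for RAM.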


Bind 9.9.x operation with dnssec

2012-06-01 Thread Alan Batie
I'm a little confused wading through the massive amount of detail about
dnssec, and have two main questions:

1.  General key management
2.  Specific problems with my test domain setup (raindrop.us)

For general key management:

With auto-dnssec maintain, I expect the Zone Signing Keys and the
individual RRSIGs to be completely managed and rotated as needed by
bind, per
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
and the Admin Reference. However, at the end of 4.9.7, it says:

By default, this rollover completes in 30 days, after which it will be
safe to remove the old key from the DNSKEY RRset.

This implies that I'm going to have to go in and do housekeeping in the
keys directory, though I'm not sure when - I set this up in early March
(according to the key activation comments - who remembers details that
far back? ;-) ) and they haven't rotated yet...

I found some other tools based around rollerd, but I think that's
intended for managing pre-9.9.x keys, as it seems to assume a slightly
different key structure with .krf files in the zone file directory.

When it comes to the DS records registered at the registrar, I'm not
sure where that comes from: the only way I can see to get it is to do a
DS query from the nameserver (and at least one document basically said
that).  First, I'd like to know where it comes from, and second, it
seems much too small, given ksks are supposed to be bigger as a result
of being longer lived:

raindrop.us.    1903    IN  DS  41190 5 2
C2927E697D868DB1AEF54642E9B59079CF5412AAA36846290AB20215 9CBAFBEA

vs

raindrop.us.    3600    IN  DNSKEY  256 3 5
AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV

When it comes time to roll the DS key, it looks like I pick a lifetime,
say 3 months, generate a new DS key (how, such that 9.9.x will use it?
rndc sign zone seems like the way, but that looks like it will take
effect immediately; rndc loadkeys zone says it will update keys
without signing immediately, which looks good, will sign zone then
use those keys later?), add it at the registrar, wait the ttl, then tell
bind to switch (again, how?)

As for specific problems:

I have bind 9.9.1 set up and the zones configured with:

key-directory "/var/named/keys";
auto-dnssec maintain;
inline-signing yes;

This is a Slave server, hidden master per example 2 in
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

/var/named/keys appears to have the zone signing keys/DNSKEY records.
/var/named/slaves have the .signed files with RRSIG records, presumably
signed with the zsks in the keys directory.

Next, I have a DS record configured at my registrar obtained with dig
from my nameserver, but that doesn't seem to be right, as

http://dnsviz.net/d/raindrop.us/dnssec/
and
http://dnssec-debugger.verisignlabs.com/raindrop.us

both complain about the link from the parent to my nameserver in the
chain.  dnsviz just says bogus without explaining what's bogus (though
RFC4641 4.2 implies that the keys *have* rolled somehow, without the
registrar being updated); verisign says it couldn't get a dnskey rr from
the nameservers, though I can:

# dig @ns1.raindrop.us dnskey raindrop.us
...
;; ANSWER SECTION:
raindrop.us.    3600    IN  DNSKEY  256 3 5
AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV

# dig @ns2.raindrop.us dnskey raindrop.us
...
;; ANSWER SECTION:
raindrop.us.    3600    IN  DNSKEY  256 3 5
AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV

Somehow, I think the DS isn't matching the DNSKEYs, causing them to be
rejected, but since bind generated both, I would hope it's internally
consistent...


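To pin down whether the DS at the registrar corresponds to a key in the DNSKEY RRset, the relationship to check is the one RFC 4034 defines: a DS is not a key but a digest of (canonical owner name || DNSKEY RDATA), labelled with the DNSKEY's key tag and algorithm number, so its size says nothing about key length, and it conventionally points at the key-signing key (flags 257) rather than the zone-signing key (flags 256). The Python below is an added example, not code from the thread or from ISC; it parses DNSKEY and DS lines in the form dig prints them (the records quoted above can be pasted in as-is), recomputes the key tag and digest, and reports whether any DNSKEY in the set matches the DS and whether a KSK is present at all. `check_chain` and the other function names are this example's own.

```python
import base64
import hashlib
import struct

# Added example (not code from the thread or from ISC): verify that a parent's DS
# record was derived from a DNSKEY in the child's DNSKEY RRset, per RFC 4034.

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    trimmed = name.rstrip(".").lower()
    wire = b""
    for label in (trimmed.split(".") if trimmed else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_rr(line: str) -> dict:
    """Parse one presentation-format DNSKEY or DS line as dig prints it.
    Whitespace inside the base64 key or hex digest is ignored."""
    fields = line.split()
    if "IN" not in fields:
        raise ValueError("expected '<owner> [ttl] IN DNSKEY|DS ...'")
    i = fields.index("IN")
    owner, rtype, rdata = fields[0], fields[i + 1], fields[i + 2:]
    if rtype == "DNSKEY":
        flags, proto, alg = (int(x) for x in rdata[:3])
        pubkey = base64.b64decode("".join(rdata[3:]))
        return {"owner": owner, "flags": flags, "protocol": proto, "algorithm": alg,
                "rdata": struct.pack("!HBB", flags, proto, alg) + pubkey}
    if rtype == "DS":
        tag, alg, dtype = (int(x) for x in rdata[:3])
        return {"owner": owner, "key_tag": tag, "algorithm": alg,
                "digest_type": dtype, "digest": "".join(rdata[3:]).upper()}
    raise ValueError(f"unsupported record type {rtype}")


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms
    except 1/RSAMD5): 16-bit ones-complement-style sum with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """The SEP bit (value 1) marks a key-signing key: 257 = KSK, 256 = ZSK."""
    return bool(flags & 1)


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(dnskey: dict, ds: dict) -> bool:
    """True only if algorithm, key tag and digest all agree."""
    if dnskey["algorithm"] != ds["algorithm"] or key_tag(dnskey["rdata"]) != ds["key_tag"]:
        return False
    return ds_digest(dnskey["owner"], dnskey["rdata"], ds["digest_type"]) == ds["digest"]


def check_chain(dnskey_lines, ds_line) -> dict:
    """Report which DNSKEY tags are present, whether a KSK is among them,
    and whether the DS points at any key in the set."""
    ds = parse_rr(ds_line)
    keys = [parse_rr(line) for line in dnskey_lines]
    return {"ds_tag": ds["key_tag"],
            "dnskey_tags": [key_tag(k["rdata"]) for k in keys],
            "has_ksk": any(is_ksk(k["flags"]) for k in keys),
            "matched": any(ds_matches(k, ds) for k in keys)}


if __name__ == "__main__":
    # The records quoted in the post above, pasted as dig prints them.
    ds = ("raindrop.us. 1903 IN DS 41190 5 2 "
          "C2927E697D868DB1AEF54642E9B59079CF5412AAA36846290AB20215 9CBAFBEA")
    dnskey = ("raindrop.us. 3600 IN DNSKEY 256 3 5 "
              "AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker"
              "sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww"
              "FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV")
    print(check_chain([dnskey], ds))
```

Feed it every DNSKEY line the nameserver answers with, not just one: if `has_ksk` is false the answer set contains no 257-flagged key and the DS cannot be matched against the zone's KSK; if `matched` is false but a KSK is present, the DS at the parent was generated from a different key than the one currently published.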