Re: High latency setting optimization

2018-05-25 Thread Eric Luehrsen via Unbound-users
On 05/25/2018 04:53 PM, Simon Deziel via Unbound-users wrote: Having a local copy of the root zone using the auth-zone feature (or on a local NSD) might help a little. On 2018-05-25 03:31 PM, Florian Lohoff via Unbound-users wrote: Hi, We are running multiple unbound caches behind very long

High latency setting optimization

2018-05-25 Thread Simon Deziel via Unbound-users
Having a local copy of the root zone using the auth-zone feature (or on a local NSD) might help a little. On 2018-05-25 03:31 PM, Florian Lohoff via Unbound-users wrote: > > Hi, > > We are running multiple unbound caches behind very long latency > sat links. We are seeing RTT of at least

Re: High latency setting optimization

2018-05-25 Thread Daisuke HIGASHI via Unbound-users
Hi, Forwarding all queries to other caching resolvers with low RTT to auth servers (e.g. your ISP's resolver or 8.8.8.8) should improve resolution time. But that wouldn't be optimal because Unbound chases CNAME chains even if it forwards all queries to another resolver [1]. For more performance

High latency setting optimization

2018-05-25 Thread Florian Lohoff via Unbound-users
Hi, We are running multiple unbound caches behind very long latency sat links. We are seeing RTT of at least 1000ms. Sometimes recursing times spike up to 20 Seconds. Is there an optimization guide on how to fine tune parameters for those situations? I have already seen jostle-timeout. I am

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-25 Thread James Cloos via Unbound-users
> James Cloos via Unbound-users writes: > I have a number of kvm instances running debian where unbound 1.7.1 > fails. An LD_PRELOAD lib which implements getentropy(3) via read(3)ing urandom(4) solved the bug. Unbound *always* should fall back to urandom(4) when

Re: Tuning for survey workloads

2018-05-25 Thread Tony Finch via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > If you do a lot of DNSKEY queries, the prefetch-key: yes option > prefetches the DNSKEY query when a referral is followed. Nice :-) Tony. -- f.anthony.n.finch http://dotat.at/ South Fitzroy:

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, Yes in these traces, cloudflare and 9.9.9.9 work once, but not all the time. Something must be wrong in the calls that unbound makes. It seems that unbound does not reset the events for closed file descriptors, this makes the first one work, but others try to write when the fd is not

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, And here is the same executable but with counting that will exclude addresses for which the connection doesn't establish. That would exclude all (except one), looking at the logs. open.nlnetlabs.nl/~wouter/unbound_rc45_fixnonestablishedtcp.exe (This is again unbound.exe, rename it to

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, From the logs, it looks like the connections to quad9 and cloudflare all end, very quickly, with a tcperror. Some connections succeed, to quad9 at the 112. If you search for 'peer certificate' in the logs, you find those cases, and also that it works and returns an answer. It looks