BIND 9.2.3, large zone xfer and 100% CPU Utilization
John A. Stewart
jstewart at ccs.carleton.ca
Fri Apr 23 19:08:42 UTC 2004
In <c692n2$22bk$1 at sf1.isc.org> rainchik at mail.ru (Alex Rainchik) writes:
>Hello,
>We are using BIND 9.2.3 on Solaris8, transferring ~45Mb zone from mail-abuse.com
>every three hours, as they don't support IXFR feature. The issue we have is that
>at the end of the transfer "named" goes berserk and CPU utilization goes through
>the roof, up to 100% for about 5-10 minutes.
>During those 5-10 minutes "named" does not respond to any queries, "rndc status"
>does not work either. It's the only zone xfer running at that time....
We were stumped with the same problem for a while. Our first attempt at
solving the problem was to move dns service to a dedicated machine. That
helped, but there was still a window after the zone transfer had completed
where the dns server would not respond.
What we do now is
1) We have two BIND daemons that only handle the RBL+ zone. One server
transfers the zone from mail-abuse.com while the other server transfers
the zone from the first server. This ensures that one of the servers
will always be able to respond since the two servers will never be
trying to apply a zone update simultaneously.
2) We have two bind daemons that are used by our client machines to handle
dns queries and that are authoritative for all our domains. These
servers forward RBL+ lookups to the two dns servers that carry the
RBL+ zone. As I explained in 1), one of these two servers should always
be able to respond immediately. To restrict who can access RBL+ data
as per our contract with mail-abuse.org we need to use the view
facility in BIND.
3) Physically, we have two machines running dns services. Each machine
runs two BIND daemons (one general purpose and one RBL+ only). Of
course, the second BIND daemon has to be bound to a separate virtual
interface.
4) The RBL+ BIND daemon is a memory hog. It uses around 400MB of virtual
memory versus only 100 to 200MB for the general purpose DNS server.
Memory consumption was roughly twice as high before we thought to
recompile BIND as a 32-bit application.
Here is the core section of the named.conf file from one of our general
dns servers. zones.conf is a file containing all the zones that are common
to both the internal and global view.
view "internal" {
    match-clients { 134.117/16; };
    zone "rbl-plus.mail-abuse.org" {
        type forward;
        forwarders { 134.117.1.12; 134.117.1.13; };
    };
    include "zones.conf";
};
view "global" {
    match-clients { any; };
    zone "rbl-plus.mail-abuse.org" {
        type master;
        file "/dev/null";
    };
    include "zones.conf";
};
--
John Stewart -- Computing and Communications Services, Carleton University
Internet: jstewart at ccs.carleton.ca 613-520-2600x3707
"measure twice, cut once"
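Added example, not from John Stewart's message or from ISC: a named.conf for the RBL+-only daemon described in points 1) to 3), written in BIND 9.2-era syntax (type slave / masters). The addresses 134.117.1.12 and 134.117.1.13 are the forwarders from the post; 134.117.1.10 and 134.117.1.11 for the general-purpose daemons and 192.0.2.1 for the mail-abuse.org master are assumed placeholders.

```conf
// RBL+-only BIND daemon on the FIRST machine (virtual interface 134.117.1.12).
// It slaves the zone from mail-abuse.org; its peer on .13 slaves from it.
// Assumed: general-purpose daemons on 134.117.1.10 and .11 forward here.
options {
    directory "/var/named/rblplus";
    listen-on { 134.117.1.12; };     // separate virtual interface, point 3)
    recursion no;                    // serves one zone only, never recurses
    // Contractual restriction: only our own daemons may query RBL+ data.
    allow-query { 134.117.1.10; 134.117.1.11; 134.117.1.13; };
    // Only the peer daemon may pull the zone from us.
    allow-transfer { 134.117.1.13; };
    notify no;                       // peer polls on its own refresh timer
};

zone "rbl-plus.mail-abuse.org" {
    type slave;
    file "rbl-plus.mail-abuse.org.db";
    // PLACEHOLDER: replace with the master address supplied by mail-abuse.org.
    masters { 192.0.2.1; };
};

// ---- Peer daemon on the SECOND machine (134.117.1.13) differs only here: ----
// options {
//     listen-on { 134.117.1.13; };
//     allow-query { 134.117.1.10; 134.117.1.11; };
//     allow-transfer { none; };    // nobody slaves from the peer
// };
// zone "rbl-plus.mail-abuse.org" {
//     type slave;
//     file "rbl-plus.mail-abuse.org.db";
//     masters { 134.117.1.12; };   // chained from the first daemon, point 1)
// };
```

Because the peer's refresh cycle starts only after the first daemon has finished applying its transfer, the two daemons never reload the 45Mb zone at the same moment, which is what keeps at least one forwarder target answering.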