High load on BIND DNS and query timeouts after RPZ XFR retrieve

Mukund Sivaraman muks at mukund.org
Mon May 20 13:26:32 UTC 2019


On Sun, May 19, 2019 at 10:55:53PM +0200, Peter V wrote:
> Hi all,
> 
> I would like to get an opinion on an issue I was involved in over the weekend.
> The customer utilizes an RPZ feed from Spamhaus, and it worked pretty OK for some
> months after the initial deployment.
> They reported an issue with wrong performance of BIND DNS; 
> BIND version: 9.10.8-P1 

BIND 9.11 and below sometimes can't keep up with Spamhaus's feeds (their
rate of change) without significant tuning. RPZ in BIND 9.11
(non-subscription open source version) and below updates its summary
data structures synchronously along with policy zone updates, which causes
severe lock contention with the query path. With Spamhaus feeds, updates
can be almost continuous with no relief.

BIND 9.12+ mitigates this somewhat by refactoring the RPZ summary
datastructure update path so it doesn't happen synchronously with the
RPZ zone updates, albeit with some differences (esp. for the typical
Spamhaus feeds' users - changes from RPZ feeds are visible every 60s in
the default configuration). You may want to try BIND 9.12+ to see if it
helps your case.

(An alternative on BIND 9.10 is to try whether forcing AXFR by using
"request-ixfr no;" helps. This uses different codepaths within named
that could reduce some lock contention - however, it would behave poorly
with Spamhaus's feeds which are quite large. At least the transfer rate
would have to be limited somehow, and I know that it hasn't helped for
some users.)

This is an elaborate topic more than just RPZ.

		Mukund
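For readers who want to see where the two knobs mentioned above go in named.conf, here is an added configuration sketch; it is not from the original message and not Spamhaus's or ISC's own configuration. The zone name "rpz.example", the primary address 192.0.2.1 and the file name are placeholders, and the real feed's zone names, primaries and TSIG keys must be taken from the feed provider's instructions. "type slave;" and "masters" are the 9.10-era spellings (BIND 9.16+ also accepts "type secondary;" and "primaries"); "min-update-interval" only exists in the response-policy statement from BIND 9.12 onward and must be omitted on 9.10/9.11.

```conf
// Added example, not part of the original post. Placeholder names throughout.

// Workaround described for BIND 9.10: transfer the policy zone by AXFR
// instead of IXFR so the incremental-update codepath is not exercised.
zone "rpz.example" {
    type slave;                  // "type secondary;" on 9.16+
    masters { 192.0.2.1; };      // placeholder; use the feed's real primaries
    file "rpz.example.db";
    request-ixfr no;             // force full AXFR for this zone only
};

options {
    // Attach the policy zone. On BIND 9.12+ the summary database is
    // rebuilt asynchronously, at most once per min-update-interval
    // (60s is the documented default, so the line is shown only to make
    // the knob visible); remove it on 9.10/9.11, which reject it.
    response-policy {
        zone "rpz.example";
    } min-update-interval 60;
};
```

A quick check that the workaround actually changed the transfer type is to watch the named log after `rndc retransfer rpz.example` (or `rndc refresh rpz.example`): with "request-ixfr no;" the log line for the transfer should read "Transfer completed ... AXFR" rather than IXFR. If query latency still spikes on every transfer, that is the lock-contention symptom described above, and the upgrade path rather than the AXFR workaround is the fix.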

