BIND -P2 update plans (Was: Re: The BIND scandal)
Thomas Rasmussen
thomas at gibfest.dk
Mon Aug 4 16:38:19 UTC 2008
> Thank you for the kind words. :)
>
> Since this update is performance related rather than directly security
> related I plan to give people a chance to update from ports and
> provide feedback before I update the base in HEAD and [67]-stable. So
> if you run a busy resolving name server, especially if you were having
> problems with -P1, then please let me know how -P2 works for you.
>
>
> Doug
>
Hello,
I'd also like to thank you for updating the port so fast, I was hoping
for sometime during the weekend, and was pleasantly surprised to see it
available so fast.
I've posted to the bind-users list to say this, but to confirm here: On
7-STABLE from a few weeks ago on a couple of busy recursive servers,
this patch made an extreme positive difference. I was having problems
with constant timeouts, very slow recursive lookups when they did work,
and frequent errors about too many open files or somesuch in messages
(regardless of kern.maxfiles and FD_SETSIZE settings), all of this
disappeared when I applied P2. Number of successful queries almost
doubled the minute I restarted with the -P2 patch applied, no more
slowness or timeouts.
This is the bind9.4 port by the way, 9.5 had even more weird errors and
behaviour. I've since seen various sources claiming that 9.5 isn't ready
for primetime on busy resolvers, so I'll wait for a while before moving
on to 9.5.
For the record, I have compiled dns/bind94 with
make CFLAGS="-DFD_SETSIZE=65000" install clean
to avoid "too many open file descriptors" errors, but with this setting
(and increasing kern.maxfiles with sysctl) everything seems to be
running nicely. -P2 might have removed the need for increasing
FD_SETSIZE but this works, and for now I'll leave it at that.
These servers have peak loads at around 1000 queries per second. They
are both quad core 2-3ghz boxes with a couple of gigs of ram, and the
cpu is around 50% utilized when the servers are busy.
If you need more information please let me know.
Best regards and thank you for all your work.
Thomas Rasmussen
More information about the freebsd-security
mailing list