Re: BIND -P2 update plans (Was: Re: The BIND scandal)

Thank you for the kind words. :)

Since this update is performance related rather than directly security related I plan to give people a chance to update from ports and provide feedback before I update the base in HEAD and [67]-stable. So if you run a busy resolving name server, especially if you were having problems with -P1, then please let me know how -P2 works for you.



I'd also like to thank you for updating the port so fast, I was hoping for sometime during the weekend, and was pleasantly surprised to see it available so fast.

I've posted to the bind-users list to say this, but to confirm here: On 7-STABLE from a few weeks ago on a couple of busy recursive servers, this patch made an extreme positive difference. I was having problems with constant timeouts, very slow recursive lookups when they did work, and frequent errors about too many open files or somesuch in messages (regardless of kern.maxfiles and FD_SETSIZE settings), all of this disappeared when I applied P2. Number of successful queries almost doubled the minute I restarted with the -P2 patch applied, no more slowness or timeouts.

This is the bind9.4 port by the way, 9.5 had even more weird errors and behaviour. I've since seen various sources claiming that 9.5 isn't ready for primetime on busy resolvers, so I'll wait for a while before moving on to 9.5.

For the record, I have compiled dns/bind94 with

make CFLAGS="-DFD_SETSIZE=65000" install clean

to avoid "too many open file descriptors" errors, but with this setting (and increasing kern.maxfiles with sysctl) everything seems to be running nicely. -P2 might have removed the need for increasing FD_SETSIZE but this works, and for now I'll leave it at that.

These servers have peak loads at around 1000 queries per second. They are both quad core 2-3ghz boxes with a couple of gigs of ram, and the cpu is around 50% utilized when the servers are busy.

If you need more information please let me know.

Best regards and thank you for all your work.

Thomas Rasmussen
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"