Re: BIND -P2 update plans (Was: Re: The BIND scandal)




Thank you for the kind words. :)

Since this update is performance related rather than directly security related I plan to give people a chance to update from ports and provide feedback before I update the base in HEAD and [67]-stable. So if you run a busy resolving name server, especially if you were having problems with -P1, then please let me know how -P2 works for you.


Doug

Hello,

I'd also like to thank you for updating the port so fast, I was hoping for sometime during the weekend, and was pleasantly surprised to see it available so fast.

I've posted to the bind-users list to say this, but to confirm here: On 7-STABLE from a few weeks ago on a couple of busy recursive servers, this patch made an extreme positive difference. I was having problems with constant timeouts, very slow recursive lookups when they did work, and frequent errors about too many open files or somesuch in messages (regardless of kern.maxfiles and FD_SETSIZE settings), all of this disappeared when I applied P2. Number of successful queries almost doubled the minute I restarted with the -P2 patch applied, no more slowness or timeouts.

This is the bind9.4 port by the way, 9.5 had even more weird errors and behaviour. I've since seen various sources claiming that 9.5 isn't ready for primetime on busy resolvers, so I'll wait for a while before moving on to 9.5.

For the record, I have compiled dns/bind94 with

make CFLAGS="-DFD_SETSIZE=65000" install clean

to avoid "too many open file descriptors" errors, but with this setting (and increasing kern.maxfiles with sysctl) everything seems to be running nicely. -P2 might have removed the need for increasing FD_SETSIZE but this works, and for now I'll leave it at that.

These servers have peak loads at around 1000 queries per second. They are both quad core 2-3ghz boxes with a couple of gigs of ram, and the cpu is around 50% utilized when the servers are busy.

If you need more information please let me know.

Best regards and thank you for all your work.

Thomas Rasmussen
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: [opensuse] Remote upgrade problem
    ... All my remote sites have serial console servers connected. ... CCM840 8 port, dedicated local console ...
    (SuSE)
  • Re: Blocking attacks from spoofed IP addresses
    ... cause a _Self_ Denial Of Service attack. ... Defeating Denial of Service Attacks ... of our DMZ servers, and had source IPs from our public DNS servers. ... Web services are on your port 80 and/or 443, ...
    (comp.os.linux.networking)
  • panic: page fault - 6.0-RELEASE-p7
    ... While we thought we had done enough testing, apparently we hadn't and are now experiencing panic's on a number of the servers. ... ppc0: parallel port not found. ... unknown: can't assign resources (memory) ...
    (freebsd-questions)
  • Re: panic: page fault - 6.0-RELEASE-p7 (now 6.1-RC2)
    ... While we thought we had done enough testing, apparently we hadn't and are now experiencing panic's on a number of the servers. ... It has shown that information before, and it has always been tcpserver from the ucspi-tcp-0.88_2 port. ... unknown: can't assign resources (memory) ...
    (freebsd-questions)
  • Is FreeBSD ready for desktop (Mozilla Flash)
    ... monitor,, somehow the install fails to detect ... "Macromedia Flash plugin is not available for FreeBSD. ... I quote again "Install the www/linuxpluginwrapper port. ... servers, ...
    (comp.unix.bsd.freebsd.misc)