BIND 9.11.0 RPZ performance issue

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Oct 17 13:01:44 UTC 2016


Hi,

I have upgraded some of our BIND resolvers from BIND 9.9.9-P3 to BIND
9.11.0 and I notice timeouts of 3–5 seconds roughly every 1 to 5 hours.

I have managed to trace this back to our RPZ configuration. I have 14
RPZ zones configured. Some of them are quite large (e.g. Spamhaus). The
only work around for this timeout issue I came up with so far is to
remove two large Spamhaus RPZ zones which leaves my configuration at 12
zones. Removing one or two smaller zones does not help though.

The timeout does not occur during/after XFR of a zone. I also tried to
optimize the zone format and journal size (e.g. masterfile-format map;
max-journal-size 100M;) as I believed this could be a filesystem
performance issue but this change did not help. It is important to
mention that our BIND resolvers are virtualized. However, I have two
virtualization stacks to try out and both (Openstack, KVM) have this
problem. How busy a resolver is plays no role. I see this timeout issue
on an almost idle (only monitoring requests) resolver as well although
at a slightly lower frequency.

There is no log event (BIND/Linux) which indicates a problem. I expected
RPZ performance would only get better after upgrading, but apparently
some change makes performance worse.

Has anyone else noticed RPZ performance issues with BIND 9.11.0, and do
you have any suggestions? (A slightly obfuscated version of our
configuration is appended.)

Daniel
-------------- next part --------------
// Global resolver options. Zone "file" names given without a leading "/"
// (the RPZ slave zones in view "default" below) resolve relative to "directory".
options {
	directory "/var/named/slaves";
	// Listen on every v4 and v6 address; who may query is decided by
	// allow-query below, not by the listen address.
	listen-on port 53 {
		"any";
	};
	listen-on-v6 port 53 {
		"any";
	};
	pid-file "/var/run/named/named.pid";
	// Do not set the AA bit on NXDOMAIN answers the resolver synthesises.
	auth-nxdomain no;
	dnssec-enable yes;
	// "yes" rather than "auto": trust anchors come only from the
	// managed-keys statement at the end of this file, not from the
	// built-in bind.keys, so that statement must be kept current.
	dnssec-validation yes;
	empty-zones-enable yes;
	// Recursive service limited to the "SWITCHlan" ACL (defined below);
	// this is what keeps the host from being an open resolver.
	recursion yes;
	allow-query {
		"SWITCHlan";
	};
	allow-transfer {
		"none";
	};
	// 100 MiB (104857600 bytes). Per the mail above this was raised while
	// chasing the periodic stalls and did not help.
	max-journal-size 104857600;
	notify no;
};
// rndc control channel, loopback only (v4 and v6), authenticated with
// "rndc-key" (defined below; note that key is still hmac-md5).
controls {
	inet 127.0.0.1 allow {
		127.0.0.1/32;
	} keys {
		"rndc-key";
	};
	inet ::1 allow {
		::1/128;
	} keys {
		"rndc-key";
	};
};
// Client prefixes allowed to use the resolver (redacted by the poster);
// referenced from options { allow-query }.
acl "SWITCHlan" {
	?????????;
};
// The two RPZ distribution masters (addresses redacted). Zone transfers
// from them are TSIG-signed with the HMAC-SHA256 key "rpz-xfr.switch.ch."
// defined further down.
masters "switch-rpz-master" {
	????????? key "rpz-xfr.switch.ch.";
	????????? key "rpz-xfr.switch.ch.";
};
// Logging. Operational categories go to size-rotated files under
// /var/log/named; "dnssec" and "query-errors" are additionally copied to
// syslog facility local1.
logging {
	channel "switch_local" {
		file "/var/log/named/named" versions 10 size 6291456;
		severity info;
		print-time yes;
		print-severity yes;
		print-category yes;
	};
	// Defined but not attached to any category below (there is no
	// category "queries"), so if query logging is switched on with
	// "rndc querylog" the output currently lands in "switch_other" via
	// the "default" category. Add category "queries" { "switch_queries"; };
	// if a dedicated query log file is intended.
	channel "switch_queries" {
		file "/var/log/named/queries" versions 10 size 83886080;
		severity info;
		print-time yes;
	};
	channel "switch_queryerrors" {
		file "/var/log/named/queryerrors" versions 2 size 52428800;
		severity debug 1;
		print-time yes;
	};
	channel "switch_syslog" {
		syslog "local1";
		severity info;
		print-time yes;
		print-severity yes;
		print-category yes;
	};
	channel "switch_syslog-debug" {
		syslog "local1";
		severity debug 1;
		print-time yes;
		print-severity yes;
		print-category yes;
	};
	channel "switch_other" {
		file "/var/log/named/other" versions 10 size 6291456;
		severity info;
		print-time yes;
		print-severity yes;
		print-category yes;
	};
	channel "switch_rpz_local" {
		file "/var/log/named/rpz" versions 10 size 10485760;
		severity info;
		print-time yes;
		print-severity yes;
		print-category yes;
	};
	category "general" {
		"switch_local";
	};
	category "notify" {
		"switch_local";
	};
	category "xfer-in" {
		"switch_local";
	};
	category "xfer-out" {
		"switch_local";
	};
	category "network" {
		"switch_local";
	};
	category "dnssec" {
		"switch_syslog";
		"switch_local";
	};
	// RPZ rewrite events (which policy zone acted on which query): the
	// audit trail for policy actions and the first place to look when an
	// answer is unexpectedly rewritten.
	category "rpz" {
		"switch_rpz_local";
	};
	category "default" {
		"switch_other";
	};
	// debug 1 here goes both to the file and to syslog local1.
	category "query-errors" {
		"switch_queryerrors";
		"switch_syslog-debug";
	};
};
// The single resolver view. No match-clients is given, so every client
// passing options { allow-query } lands here.
view "default" {
	match-destinations {
		"any";
	};
	zone "localhost" {
		type master;
		file "/etc/bind/db.local";
		// Overrides the view-level "masterfile-format map" below.
		masterfile-format text;
	};
	// SWITCH policy feeds (zone.1 .. zone.6). Slaved from the RPZ masters and
	// never served to clients (allow-query none): only the response-policy
	// statement at the end of the view reads them. Relative file names are
	// placed under options { directory }.
	zone "zone.1.rpz.switch.ch." {
		type slave;
		file "zone.1.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "zone.2.rpz.switch.ch." {
		type slave;
		file "zone.2.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "zone.3.rpz.switch.ch." {
		type slave;
		file "zone.3.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "zone.4.rpz.switch.ch." {
		type slave;
		file "zone.4.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "zone.5.rpz.switch.ch." {
		type slave;
		file "zone.5.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "zone.6.rpz.switch.ch." {
		type slave;
		file "zone.6.rpz.switch.ch.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	// Third-party feeds (names obfuscated as rpz.N.example.com / .org), also
	// redistributed via the same SWITCH masters.
	zone "rpz.1.example.com." {
		type slave;
		file "rpz.1.example.com.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.2.example.com." {
		type slave;
		file "rpz.2.example.com.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.3.example.com." {
		type slave;
		file "rpz.3.example.com.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	// These five lack the trailing dot the other zone names carry; named
	// treats zone names in named.conf as absolute either way, so this is
	// cosmetic, but the spelling must match the response-policy entries.
	zone "rpz.1.example.org" {
		type slave;
		file "rpz.1.example.org.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.2.example.org" {
		type slave;
		file "rpz.2.example.org.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.3.example.org" {
		type slave;
		file "rpz.3.example.org.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.4.example.org" {
		type slave;
		file "rpz.4.example.org.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	zone "rpz.5.example.org" {
		type slave;
		file "rpz.5.example.org.db";
		masters {
			"switch-rpz-master";
		};
		allow-query {
			"none";
		};
	};
	// Response Policy Zones. Order matters: named consults the zones in the
	// order listed and the first one with a matching trigger decides, so
	// "policy passthru" zones listed early act as allow-lists that shield the
	// redirect zones after them, while the passthru zones at the end only
	// apply when nothing above matched.
	//   passthru  - every rule in the zone is downgraded to pass-through
	//               (logged, answer unchanged)
	//   given     - use the action encoded in each zone record
	//   cname ... - every rule in the zone redirects to the landing page
	// NOTE(review): 9.11 adds per-zone nsip-enable / nsdname-enable knobs;
	// if none of these feeds use NSIP/NSDNAME triggers, disabling them is
	// worth testing against the periodic stalls described in the mail -
	// confirm in the 9.11 ARM before relying on that.
	response-policy {
		zone "zone.1.rpz.switch.ch." policy passthru;
		zone "zone.2.rpz.switch.ch." policy given;
		zone "zone.3.rpz.switch.ch." policy passthru;
		zone "zone.4.rpz.switch.ch." policy cname "landingpage.rpz.switch.ch";
		zone "zone.5.rpz.switch.ch." policy cname "landingpage.rpz.switch.ch";
		zone "zone.6.rpz.switch.ch." policy cname "landingpage.rpz.switch.ch";
		zone "rpz.1.example.com." policy cname "landingpage.rpz.switch.ch";
		zone "rpz.2.example.com." policy cname "landingpage.rpz.switch.ch";
		zone "rpz.3.example.com." policy cname "landingpage.rpz.switch.ch";
		zone "rpz.1.example.org" policy passthru;
		zone "rpz.2.example.org" policy passthru;
		zone "rpz.3.example.org" policy passthru;
		zone "rpz.4.example.org" policy passthru;
		zone "rpz.5.example.org" policy passthru;
	// break-dnssec yes: rewrites are applied even to responses that
	// validated under DNSSEC. Clients that validate for themselves will then
	// see the rewritten answer as bogus (SERVFAIL) instead of the landing
	// page; acceptable for a blocking resolver, but it should be a conscious
	// choice.
	} break-dnssec yes;
	// Default on-disk format for the slave zones in this view. "map" is a
	// memory image that is tied to the BIND version and architecture that
	// wrote it, so the files must be re-transferred after upgrades; the mail
	// says it was tried as a performance measure without effect.
	masterfile-format map;
};
// HTTP statistics endpoint on port 8053. It has no authentication of its
// own, so keeping it bound to loopback with a loopback-only allow list, as
// here, is the right shape.
statistics-channels {
	inet 127.0.0.1 port 8053 allow {
		127.0.0.1/32;
	};
	inet ::1 port 8053 allow {
		::1/128;
	};
};
// rndc authentication key (secret redacted). hmac-md5 is the old
// rndc-confgen default; rndc also supports hmac-sha256, which is the better
// choice when this key is next rotated (regenerate with the same algorithm
// on the rndc side, or the control channel stops working).
key "rndc-key" {
	algorithm "hmac-md5";
	secret "????????????????????????";
};
// TSIG key used to authenticate zone transfers from "switch-rpz-master"
// (secret redacted). Already HMAC-SHA256; the key name must match the one
// configured on the masters.
key "rpz-xfr.switch.ch." {
	algorithm "HMAC-SHA256";
	secret "????????????????????????????????????????????";
};
// Mark reserved and non-routable prefixes as bogus so named never sends a
// query to a name server in them, e.g. when a delegation or glue record
// points into private, documentation or multicast space.
// IPv4: "this" network, RFC 1918 ranges, shared/CGNAT 100.64/10, loopback,
// link-local, IETF protocol assignments, the TEST-NET blocks, the 6to4
// relay anycast prefix, the benchmarking range and multicast/reserved 224/3.
server 0.0.0.0/8 {
	bogus yes;
};
server 10.0.0.0/8 {
	bogus yes;
};
server 100.64.0.0/10 {
	bogus yes;
};
server 127.0.0.0/8 {
	bogus yes;
};
server 169.254.0.0/16 {
	bogus yes;
};
server 172.16.0.0/12 {
	bogus yes;
};
server 192.0.0.0/24 {
	bogus yes;
};
server 192.0.2.0/24 {
	bogus yes;
};
server 192.88.99.0/24 {
	bogus yes;
};
server 192.168.0.0/16 {
	bogus yes;
};
server 198.18.0.0/15 {
	bogus yes;
};
server 198.51.100.0/24 {
	bogus yes;
};
server 203.0.113.0/24 {
	bogus yes;
};
server 224.0.0.0/3 {
	bogus yes;
};
// IPv6: everything outside the global unicast block 2000::/3, plus the
// Teredo, benchmarking, ORCHID, documentation and 6to4 prefixes inside it.
server ::/3 {
	bogus yes;
};
server 2001::/32 {
	bogus yes;
};
server 2001:2::/48 {
	bogus yes;
};
server 2001:10::/28 {
	bogus yes;
};
server 2001:db8::/32 {
	bogus yes;
};
server 2002::/16 {
	bogus yes;
};
server 3000::/4 {
	bogus yes;
};
server 4000::/2 {
	bogus yes;
};
server 8000::/1 {
	bogus yes;
};
// RFC 5011 managed trust anchors. These are the only anchors in use because
// options { dnssec-validation yes } does not pull in the built-in set; named
// tracks rollovers itself and persists its state under "directory".
managed-keys {
	// DLV anchor (flags 257, algorithm 5 = RSA/SHA-1). It is only consulted
	// when dnssec-lookaside is configured, which the options block above does
	// not do, so this entry appears to be unused and could be dropped.
	"dlv.isc.org." initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
		TDN0YUuWrBNh";
	// Root zone KSK (flags 257, algorithm 8 = RSA/SHA-256) as distributed
	// when this was posted. Later root KSK rollovers are picked up through
	// RFC 5011 only while named keeps running and can reach the root; a
	// resolver restored from an old image should have this checked.
	"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
		QxA+Uk1ihz0=";
};

