BIND 9.11.0 RPZ performance issue
muks at isc.org
Tue Oct 18 07:26:41 UTC 2016
On Tue, Oct 18, 2016 at 09:08:37AM +0200, Daniel Stirnimann wrote:
> It currently looks like that only having the spamhaus rpz zones active
> causes the occasional timeouts. Maybe it's related to the zone size as
> dbl.rpz.spamhaus.org is quite large. If i/o performance on the virtual
> hosts turn out to be a problem then masterfile-format map; looks not
> like a good solution as this increases the zone file on disk by a factor
> of about 4.
Firstly, RPZ in BIND 9.9 (vanilla) is broken, unmaintained and should
not be used by anyone. If you know people using BIND 9.9 (vanilla) for
RPZ, please ask them to upgrade to 9.10 at least. RPZ in 9.9
subscription branch is OK.
We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some
trouble due to a less than desirable design / implementation of RPZ in
BIND. We have a plan to refactor the RPZ implementation for 9.12 to
remove these inefficiencies.
As a workaround, may I suggest using AXFR for policy zone transfers to
see if that helps you, also ratelimiting the transfers to occur less
frequently than the rate of notifies you get for the policy zone. AXFR
transfer is actually more expensive than IXFR, but under the hood, it
avoids some contention that occurs with IXFR (updates) vs. queries to
the same zone in the query path. AXFR will not be able to keep up with
the rapid churn in the dbl.rpz.spamhaus.org, so you'll have to ratelimit
If this doesn't help, please contact me off this list and we'll follow
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: not available
More information about the bind-users