BIND 9.11.0 RPZ performance issue

Mukund Sivaraman muks at isc.org
Tue Oct 18 08:48:01 UTC 2016


Hi Phil

On Tue, Oct 18, 2016 at 09:15:45AM +0100, Phil Mayers wrote:
> On 18/10/16 08:26, Mukund Sivaraman wrote:
> 
> > We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some
> > trouble due to a less than desirable design / implementation of RPZ in
> > BIND. We have a plan to refactor the RPZ implementation for 9.12 to
> > remove these inefficiencies.
> 
> Can you share some details on that? Because I've reported issues triggered
> by an XFR of a large RPZ, specifically the Spamhaus DBL, and I've been
> variously pooh-poohed and/or told "no-one else has ever reported that".

That should not happen (the pooh-poohing). Please let me know the
details of this. Every report is looked at esp. when it is accompanied
by details (logs, config summary, technical description of the problem,
etc.).

> I'm particularly interested if you're aware of a failure mode where
> CPU usage can spike MASSIVELY during a large-ish IXFR and cause named
> to start dropping queries.

I can't quantify "MASSIVELY" or "failure mode", but in general, yes
there is a known regression in query and transfer performance specific
to a configuration where RPZ is used and its policy zone is involved in
an IXFR, during the transfer. (This problem was discovered a few months
ago due to a customer's report.) Specifically, the Spamhaus DBL is one
such zone which we have heard problem reports for.

Please provide details of the problems you've faced, even if this is not
related to RPZ.

		Mukund