BIND 9.11.0 RPZ performance issue

Mukund Sivaraman muks at
Tue Oct 18 08:48:01 UTC 2016

Hi Phil

On Tue, Oct 18, 2016 at 09:15:45AM +0100, Phil Mayers wrote:
> On 18/10/16 08:26, Mukund Sivaraman wrote:
> > We know that IXFR with RPZ policy zones (esp. this DBL zone) causes some
> > trouble due to a less than desirable design / implementation of RPZ in
> > BIND. We have a plan to refactor the RPZ implementation for 9.12 to
> > remove these inefficiencies.
> Can you share some details on that? Because I've reported issues triggered
> by an XFR of a large RPZ, specifically the Spamhaus DBL, and I've been
> variously pooh-poohed and/or told "no-one else has ever reported that".

That should not happen (the pooh-poohing). Please let me know the
details of this. Every report is looked at esp. when it is accompanied
by details (logs, config summary, technical description of the problem,

> I'm particularly interested if you're aware of a failure mode where
> CPU usage can spike MASSIVELY during a large-ish IXFR and cause named
> to start dropping queries.

I can't quantify "MASSIVELY" or "failure mode", but in general, yes
there is a known regression in query and transfer performance specific
to a configuration where RPZ is used and its policy zone is involved in
an IXFR, during the transfer. (This problem was discovered a few months
ago due to a customer's report.) Specifically, the Spamhaus DBL is one
such zone which we have heard problem reports for.

Please provide details of the problems you've faced, even if this is not
related to RPZ.
