<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Well, I meant you can run Docker containers inside a VM with
QEMU-emulated hardware; that'd be the bad scenario... you're right,
containers on bare metal have full visibility of the instruction
set.<br>
</p>
<div class="moz-cite-prefix">On 23/07/2025 15:19, Ondřej Surý wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1C7FCEEE-6109-4A55-A446-A504624E6E54@isc.org">
Docker/Podman is just a container, not a *-virtualization platform,
so there’s full access to the underlying hardware.<br
id="lineBreakAtBeginningOfSignature">
<div dir="ltr">
<div>--</div>
Ondřej Surý — ISC (He/Him)
</div>
<div dir="ltr"><br>
<blockquote type="cite">On 23. 7. 2025, at 15:10, Carlos
Horowicz via bind-users <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org">&lt;bind-users@lists.isc.org&gt;</a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<p class="p1">I’m not sure if a container will pass through
the CPU instruction set required to leverage hardware
acceleration on newer (or even not-so-new) Intel processors.
In KVM, for example, you have to enable it explicitly.</p>
<p class="p1">One way to check for supported instructions is:</p>
<p>grep -o -w
'aes\|sha_ni\|pclmulqdq\|rdseed\|rdrand\|avx\|avx2\|avx512[a-z0-9_]*'
/proc/cpuinfo | sort | uniq</p>
<p class="p1">Hardware acceleration can be beneficial if
you’re running a resolver that performs a lot of DNSSEC
validation—<span class="s1">SHA_NI</span> in particular can
speed up operations involving DS/NSEC/NSEC3 records. That
said, if you’re only running an authoritative server or a
small-scale resolver, crypto acceleration may not be
critical.</p>
<p class="p1">FWIW, my preferred distro for running BIND9 is
Debian 12—it includes <span class="s1">dnstap</span>
support out of the box.</p>
<div class="moz-cite-prefix">On 23/07/2025 14:57, Marc wrote:<br>
</div>
<blockquote type="cite"
cite="mid:92f82a6c9fbb4f9c96a6b96f3c7f5251@f1-outsourcing.eu">
<pre wrap="" class="moz-quote-pre">Maybe consider running it in a container and keeping it nice and small with Alpine Linux
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">I'd like to migrate from BIND 9.11 to the last version.
This service is acting as a caching DNS server and it's running on a CentOS 7
server. What Linux distro do you suggest for the new BIND?
</pre>
</blockquote>
</blockquote>
</div>
</blockquote>
</blockquote>
</body>
</html>