9.2.5 db causes high cpu? was: Re: BIND 9.2.5rc1 is now available.
brad at stop.mail-abuse.org
Mon Feb 21 10:13:03 UTC 2005
At 3:13 AM +0100 2005-02-21, Stefan Schmidt wrote:
> If by OP you refer to me as being an Operator and bringing this issue to
> the list's attention, yes, that is true for this resolver-cluster.
Sorry, my bad. OP == Original Poster.
> Perhaps it is possible to make BIND9 modular so that at compile time one can
> choose whether to have either a recursor, an authoritative-only daemon or both
> and make it possible to decide whether we need nifty things like views or not
> on this instance.
I don't think I'd make this a compile-time option. One of the
good things about BIND is that it is capable of running both
authoritative and recursive services on the same process/IP address.
Many years ago, I recommended that people run split servers,
where you had recursive-only servers on one set of machines and
authoritative-only servers on another set, and you would not try to
mix the two services. But there are some cases where people are
running machines in environments where the number of systems
available to them is limited, or where the number of IP addresses
is limited, and if you have a server like Nominum ANS or Nominum CNS
that is only capable of handling one job or the other but not both,
then you're screwed.
BIND allows you to handle non-optimal situations like this. Some
other servers don't. I consider this a key advantage of BIND.
However, this does tend to lead people to misconfigure their BIND
servers, so I think it would be a good idea for future versions of
BIND to come up in a "default secure" mode. Whereby, if you
configure your server to be authoritative for any zones beyond the
standard ones for "0.0.127.in-addr.arpa." and "localhost.", then the
server should refuse to perform recursion. Likewise, if you
configure the server to handle recursion, then it should refuse to
answer queries from outside your network, and any other things that
are normally appropriate for recursive-only servers.
In other words, instead of making recursive-only or
authoritative-only compile-time options, instead make them default
operational modes which are automatically detected and implemented by
the software, but allow people to explicitly configure their server
so as to provide both functions, if they do the right "wave a dead
> I followed Jinmei's recommendation of disabling threads and trying to run
> just one BIND9 process at first. So I am currently measuring 2 BIND8
> processes against 1 BIND9 process on two identical machines.
With threading disabled on the BIND9 process, so it should be
significantly slower than the two BIND8 processes, but at least you
should get a clearer picture as to what else is going on.
> Before that I switched the
> machine in question from running 2 BIND8 processes to 1 BIND9 process but
> with threading enabled.
Which would be the normal operating mode to be expected on an SMP
machine, and where the one BIND9 process should theoretically come
pretty close to the performance of the pair of BIND8 processes on the
> Therefore I was not comparing a threading BIND9 with
> a single BIND8 process (yet).
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
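
The "default secure" rule proposed in the message above can also be applied today as a lint over an existing named.conf. The following is an added example, not code from the message or from BIND: the `audit` and `block_after` names are hypothetical, the sample configuration is constructed, and the check reads a single file without views or includes and assumes that an absent `allow-recursion` means recursion is unrestricted.

```python
import re

# Zones the message treats as standard on any server.
BUILTIN = {"localhost", "0.0.127.in-addr.arpa"}

def block_after(text, pos):
    """Body of the first brace block at or after pos, honouring nesting."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def audit(conf):
    """Return findings for a single-file named.conf without views."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # C-style comments
    conf = re.sub(r"(//|#).*", "", conf)                # line comments
    auth = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        kind = re.search(r"\btype\s+(\w+)\s*;", block_after(conf, m.end()))
        name = m.group(1).rstrip(".").lower()
        if kind and kind.group(1) in ("master", "slave") and name not in BUILTIN:
            auth.append(name)
    opts = re.search(r"\boptions\b", conf)
    body = block_after(conf, opts.end()) if opts else ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    recursive = rec is None or rec.group(1) == "yes"    # unset means yes
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    # Assumption: a missing allow-recursion is treated as unrestricted.
    unrestricted = acl is None or "any" in [e.strip() for e in acl.group(1).split(";")]
    findings = []
    if recursive and auth:
        findings.append("authoritative zones with recursion on: " + ", ".join(auth))
    if recursive and unrestricted:
        findings.append("recursion not limited to local clients")
    return findings

# Constructed sample: one public zone, recursion left at its default.
MIXED = '''
options { directory "/var/named"; };  // no recursion settings
zone "." { type hint; file "root.hints"; };
zone "localhost" { type master; file "localhost.zone"; };
zone "example.com" { allow-transfer { 192.0.2.53; }; type master; file "example.com.zone"; };
'''

if __name__ == "__main__":
    for finding in audit(MIXED):
        print("WARN:", finding)
```

An empty result corresponds to one of the two modes the message describes: authoritative-only with `recursion no;`, or recursive-only with `allow-recursion` restricted to local clients.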