9.2.5 db causes high cpu? was: Re: BIND 9.2.5rc1 is now available.

Brad Knowles brad at stop.mail-abuse.org
Mon Feb 21 10:13:03 UTC 2005


At 3:13 AM +0100 2005-02-21, Stefan Schmidt wrote:

>  If by OP you refer to me as being an Operator and bringing this issue to
>  the list's attention, yes, that is true for this resolver-cluster.

	Sorry, my bad.  OP == Original Poster.

>  Perhaps it is possible to make BIND9 modular so that at compile time one can
>  choose whether to have either a recursor, an authoritative-only daemon or both
>  and make it possible to decide whether we need nifty things like views or not
>  on this instance.

	I don't think I'd make this a compile-time option.  One of the 
good things about BIND is that it is capable of running both 
authoritative and recursive services on the same process/IP address.

	Many years ago, I recommended that people run split servers, 
where you had recursive-only servers on one set of machines and 
authoritative-only servers on another set, and you would not try to 
mix the two services.  But there are some cases where people are 
running machines in environments where the number of systems 
available to them is limited, or where the number of IP addresses 
is limited, and if you have a server like Nominum ANS or Nominum CNS 
that is only capable of handling one job or the other but not both, 
then you're screwed.

	BIND allows you to handle non-optimal situations like this.  Some 
other servers don't.  I consider this a key advantage of BIND.


	However, this does tend to lead people to misconfigure their BIND 
servers, so I think it would be a good idea for future versions of 
BIND to come up in a "default secure" mode.  Whereby, if you 
configure your server to be authoritative for any zones beyond the 
standard ones for "0.0.127.in-addr.arpa." and "localhost.", then the 
server should refuse to perform recursion.  Likewise, if you 
configure the server to handle recursion, then it should refuse to 
answer queries from outside your network, and any other things that 
are normally appropriate for recursive-only servers.

	In other words, instead of making recursive-only or 
authoritative-only compile-time options, instead make them default 
operational modes which are automatically detected and implemented by 
the software, but allow people to explicitly configure their server 
so as to provide both functions, if they do the right "wave a dead 
chicken" dance.

>  I followed Jinmei's recommendation of disabling threads and trying to run just
>  one BIND9 process at first. So I am currently measuring 2 BIND8 processes
>  against 1 BIND9 process on two identical machines.

	With threading disabled on the BIND9 process, so it should be 
significantly slower than the two BIND8 processes, but at least you 
should get a clearer picture as to what else is going on.

>                                                     Before that I switched the
>  machine in question from running 2 BIND8 processes to 1 BIND9 process but
>  with threading enabled.

	Which would be the normal operating mode to be expected on an SMP 
machine, and where the one BIND9 process should theoretically come 
pretty close to the performance of the pair of BIND8 processes on the 
other machine.

>                          Therefore I was not comparing a threading BIND9 with
>  a single BIND8 process (yet).

	Understood.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
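
Added example, not part of the original message and not BIND code: a small Python audit that applies the "default secure" rule proposed above to a named.conf, flagging a server that is authoritative for non-standard zones while recursion is on, and recursion offered to any client. The parser is a simplification (flat zone blocks, a single allow-recursion list), the function names are hypothetical, and both sample configurations are constructed.

```python
import re

# Zones the post treats as standard on every server.
STANDARD_ZONES = {"0.0.127.in-addr.arpa", "localhost"}

def _strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def authoritative_zones(conf):
    """Master/slave zones other than the standard ones (flat zone blocks only)."""
    found = re.findall(
        r'\bzone\s+"([^"]+)"[^{]*\{[^{}]*?\btype\s+(?:master|slave)\s*;', conf, re.I)
    names = {name.rstrip(".").lower() for name in found}
    return sorted(names - STANDARD_ZONES)

def recursion_enabled(conf):
    """named recurses unless told otherwise, so a missing statement means yes."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", conf, re.I)
    return m is None or m.group(1).lower() == "yes"

def recursion_restricted(conf):
    """True if an allow-recursion list exists and does not contain 'any'.
    Assumption: no allow-recursion statement means any client may recurse."""
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", conf, re.I)
    return m is not None and "any" not in re.split(r"[\s;]+", m.group(1))

def audit(conf):
    """Return (mode, findings) for a named.conf given as text."""
    conf = _strip_comments(conf)
    zones, recursive = authoritative_zones(conf), recursion_enabled(conf)
    findings = []
    if zones and recursive:
        findings.append("authoritative for %s with recursion on" % ", ".join(zones))
    if recursive and not recursion_restricted(conf):
        findings.append("recursion offered to any client")
    mode = ("mixed" if zones and recursive else
            "authoritative-only" if zones else
            "recursive-only" if recursive else "neither")
    return mode, findings

# Constructed sample configurations, not taken from the thread.
MIXED = '''options { directory "/var/named"; };
zone "localhost" { type master; file "localhost.zone"; };
zone "example.com" { type master; file "example.com.zone"; };'''
RESOLVER = '''options { recursion yes; allow-recursion { 192.0.2.0/24; localhost; }; };
zone "." { type hint; file "named.ca"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };'''

if __name__ == "__main__":
    for name, conf in (("MIXED", MIXED), ("RESOLVER", RESOLVER)):
        print(name, audit(conf))
```
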