9.2.5 db causes high cpu? was: Re: BIND 9.2.5rc1 is now available.

Paul Vixie paul at vix.com
Tue Feb 22 16:23:01 UTC 2005

> >  there is a lot of interest out there in persistent dns caching, and
> >  in what some people call "dns mirroring" that's really just a
> >  persistent dns cache with search/dump capability.  at some point
> >  BIND will have to support this, whether by SQL or DB or whatever
> >  means.
> 	Persistent DNS caching/mirroring is easily done by setting up a
> stealth secondary for the zone.  I've done that for some of the big
> black lists while working at various former employers.

that's precisely what i don't mean, though.  with dns mirroring, folks
are recovering zone-content without zone-transfer.  they do this by
running a persistent dns mirror in a place where it can see recursive
queries in large number.  (like on a mirror port on the same switch as,
or on a passive ethernet tap.)  the folks who do this are trying to get
zone-content when they are prevented from doing zone-transfer.

> 	I can hack a bit on things like scripts, and I can put together
> testing profiles that I consider to be reasonably decent.

tests are also a form of code.  bind9 has a moderately good regression
test suite but we would welcome improvements to it.  take a look?


> 	In terms of single queries, two copies of BIND 8 would be 
> somewhat faster than a single copy of BIND 9 (threaded or not), but 
> you would certainly get higher overall query throughput.  I proved 
> that with my LISA 2002 invited talk, where I compared BIND 8 against 
> BIND 9 and Nominum ANS and CNS, in both caching/recursive and 
> authoritative-only modes.

that was 2002.  any chance of you re-running those tests against 9.3.1,
using the internal memory allocator and jinmei's other recommendations?

> 	Retry logic and remote network delays will dominate the 
> performance of individual queries, that's true.  But peak throughput 
> and overall capacity are going to be greatly influenced by internal 
> architecture.

only if the bottleneck isn't elsewhere, which for non-lab recursive
testing, it always is.

> 	One big advantage that CNS brings to the table is that it 
> sanitizes DNS query responses, making sure that technically legal 
> responses that might cause problems for other nameservers get 
> "cleaned" before being passed on.  This is the only nameserver on the 
> market I know of that includes this query sanitization routine.

i should know this stuff.  i was a founder at nominum and i'm still an
advisor there.  but i don't, so i'll ask.  isn't this the same as what
late-model bind9 does by regenerating every response through the cache?
(bind4 and bind8 would forward raw results back to the stub resolver,
and early bind9 did that, but as far as i know, we stopped a while ago.)
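
A minimal sketch of the persistent, searchable cache built from observed recursive traffic that the reply above describes, written as passive DNS monitoring of one's own resolver (an added example, not part of the original message and not BIND code). The function names, the in-memory dict standing in for persistent storage, and the sample packets are assumptions constructed for illustration; only A records in the answer section are recorded.

```python
import struct, ipaddress

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # refuse pointer loops
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels).lower() + ".", (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def observe(store, msg, now):
    """Record the A records in the answer section of one observed response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                   # QR bit clear: a query, skip it
        return
    off = 12
    for _ in range(qd):                      # skip question name, QTYPE, QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            key = (name, "A", str(ipaddress.IPv4Address(msg[off:off + 4])))
            first, _last, count = store.get(key, (now, now, 0))
            store[key] = (first, now, count + 1)   # first seen, last seen, hits
        off += rdlen

def dump_zone(store, zone):
    """Search/dump: every stored record at or below `zone`."""
    zone = zone.lower().rstrip(".") + "."
    return sorted(k for k in store if k[0] == zone or k[0].endswith("." + zone))

# Constructed sample responses (not captured traffic), as wire-format hex.
HDR, TAIL = "123481800001000100000000", "0000010001c00c000100010000012c0004"
SAMPLES = [bytes.fromhex(HDR + q + TAIL + ip) for q, ip in [
    ("03777777076578616d706c6503636f6d", "c0000201"),    # www.example.com 192.0.2.1
    ("046d61696c076578616d706c6503636f6d", "c0000219"),  # mail.example.com 192.0.2.25
    ("03777777076578616d706c65036e6574", "c6336407"),    # www.example.net 198.51.100.7
]]
```

Feeding each observed response to `observe` accumulates the records without any zone transfer, and `dump_zone(store, "example.com")` returns what has been seen for that zone so far.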
