[bind10-dev] recursor cache requirements - input required
Jerry Scharf
scharf at isc.org
Thu Dec 9 05:22:01 UTC 2010
[...]
> On 8 Dec 2010, at 19:31, Jerry Scharf wrote:
>> I like Shane's idea of one class per cache. Since the cache in not a once per server entity (each view requires its own cache), if someone wants hesiod queries (the only other class I know of) build a separate cache for that. It will decrease the size and increase the speed of each class in this case.
> The actual IANA DNS Class registry is:
>
> Registry:
> Decimal Hexadecimal Name Reference
> ----------- ----------- ------------------------------ ---------
> 0 0x0000 Reserved [RFC5395]
> 1 0x0001 Internet (IN) [RFC1035]
> 2 0x0002 Unassigned
> 3 0x0003 Chaos (CH) [Moon1981]
> 4 0x0004 Hesiod (HS) [Dyer1987]
> 5-253 0x0005-0x00FD Unassigned
> 254 0x00FD QCLASS NONE [RFC2136]
> 255 0x00FF QCLASS * (ANY) [RFC1035]
> 256-65279 0x0100-0xFEFF Unassigned
> 65280-65534 0xFF00-0xFFFE Reserved for Private Use [RFC5395]
> 65535 0xFFFF Reserved [RFC5395]
>
> Unless we filter the class request, we have to cope with the possibility creating up to 65,536 caches - hence my comment above.
>
All these classes except for hesiod are defunct AFAIK. Hesoid is used at
MIT but I don't think that hesiod was carried over to MS active
directory. As such, I would set up the default to allow IN and HS and
not allow the rest. None and any are not cached. Chaos net is long dead.
The bigger problem with cache instancing is when people have multiple
views. One person in the user survey reported having 100 views on one
machine. Not surprisingly , he complained about memory footprint.
(Patient: "doctor, it hurts when I do this." Doctor: "stop doing it.")
>> I do not think you should keep any message in the cache. I have been involved in more than one recursive server and have never seen the response message from the upstream cache fill or the answer created for the client kept. You always have to regenerate the answer from the validated data in the cache to prevent cache poisoning attacks, so keeping the upstream message is a bad idea. You also have situations where the answer from before is no longer correct. (a classic example of this is that the first answer used the glue NS rrset for the authority data and that rrset was later replaced by the authoritative zone NS rrset or a new query within the zone included a new NS rrset in its authority section.) You need to build everything you need from the current cache information.
> I appreciate that, yet I would think that in some situations - queries for www.google.com for example - a pre-formatted reply that can be sent immediately could be a big performance improvement.
>
> Stephen
>
I haven't done this for a few years, When I last looked at recursive
server traffic, things like www.google.com are queried less than you
think. Most endpoint resolver keep a cache so you don't look up
www.google.com every time you get a new page. The ones that hurt are
ones like facebook and yahoo that use short (<=120 s) ttls. Since the
data invalidates on the server the same time it invalidates on the
client, there is no win in keeping the message around for these.
Since you are saying it needs to be its own resource with its own LRU,
you always need to have the ability to build the message from the cache.
Leave a couple hooks in place and get the server working first. There
are all sorts of corner cases to be found and addressed. Paul and Vern,
with me kibitzing, spent 4+ months finding all sorts of corner cases out
in the wild and fixing the server to handle them correctly. Pretty much,
if it resolved in the prior version of BIND, you are not allowed to
break it. I wonder if merit.edu's delegation is as FU as it was 4 years
ago. It's an ugly namespace out there and a recursive server gets to see
it all.
jerry
More information about the bind10-dev
mailing list