From: Thomas Rasmussen
Date: Mon, 04 Aug 2008 18:20:30 +0200
To: freebsd-security@freebsd.org
Subject: Re: BIND -P2 update plans (Was: Re: The BIND scandal)

> Thank you for the kind words. :)
>
> Since this update is performance related rather than directly security
> related I plan to give people a chance to update from ports and
> provide feedback before I update the base in HEAD and [67]-stable. So
> if you run a busy resolving name server, especially if you were having
> problems with -P1, then please let me know how -P2 works for you.
>
>
> Doug
>

Hello,

I'd also like to thank you for updating the port so fast, I was hoping for sometime during the weekend, and was pleasantly surprised to see it available so fast.

I've posted to the bind-users list to say this, but to confirm here: On 7-STABLE from a few weeks ago on a couple of busy recursive servers, this patch made an extreme positive difference. I was having problems with constant timeouts, very slow recursive lookups when they did work, and frequent errors about too many open files or somesuch in messages (regardless of kern.maxfiles and FD_SETSIZE settings), all of this disappeared when I applied P2. Number of successful queries almost doubled the minute I restarted with the -P2 patch applied, no more slowness or timeouts.

This is the bind9.4 port by the way, 9.5 had even more weird errors and behaviour. I've since seen various sources claiming that 9.5 isn't ready for primetime on busy resolvers, so I'll wait for a while before moving on to 9.5.

For the record, I have compiled dns/bind94 with make CFLAGS="-DFD_SETSIZE=65000" install clean to avoid "too many open file descriptors" errors, but with this setting (and increasing kern.maxfiles with sysctl) everything seems to be running nicely. -P2 might have removed the need for increasing FD_SETSIZE but this works, and for now I'll leave it at that.

These servers have peak loads at around 1000 queries per second. They are both quad core 2-3ghz boxes with a couple of gigs of ram, and the cpu is around 50% utilized when the servers are busy.

If you need more information please let me know.

Best regards and thank you for all your work.

Thomas Rasmussen