From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 05:06:40 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E02401065694; Tue, 5 Aug 2008 05:06:40 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx23.fluidhosting.com [204.14.89.6]) by mx1.freebsd.org (Postfix) with ESMTP id 8656E8FC1A; Tue, 5 Aug 2008 05:06:40 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 28487 invoked by uid 399); 5 Aug 2008 05:06:39 -0000
Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 5 Aug 2008 05:06:39 -0000
X-Originating-IP: 127.0.0.1
X-Sender: dougb@dougbarton.us
Message-ID: <4897DFDE.5030406@FreeBSD.org>
Date: Mon, 04 Aug 2008 22:06:38 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0.0.16 (X11/20080726)
MIME-Version: 1.0
To: Thomas Rasmussen
References: <4895E91B.3000002@FreeBSD.org> <200808031923.31775.matt@chronos.org.uk> <4896970E.1080205@FreeBSD.org> <48972C4E.6010706@gibfest.dk>
In-Reply-To: <48972C4E.6010706@gibfest.dk>
X-Enigmail-Version: 0.95.6
OpenPGP: id=D5B2F0FB
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
Subject: Re: BIND -P2 update plans (Was: Re: The BIND scandal)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 05 Aug 2008 05:06:41 -0000

Thomas Rasmussen wrote:
> I've posted to the bind-users list to say this, but to confirm here: On
> 7-STABLE from a few weeks ago on a couple of busy recursive servers,
> this patch made an extremely positive difference. I was having problems
> with constant timeouts, very slow recursive lookups when they did work,
> and frequent errors about too many open files or some such in messages
> (regardless of kern.maxfiles and FD_SETSIZE settings); all of this
> disappeared when I applied P2. Number of successful queries almost
> doubled the minute I restarted with the -P2 patch applied, no more
> slowness or timeouts.

That's good news even taking your change to fd_setsize into account.

> This is the bind9.4 port by the way, 9.5 had even more weird errors and
> behaviour. I've since seen various sources claiming that 9.5 isn't ready
> for primetime on busy resolvers, so I'll wait for a while before moving
> on to 9.5.

Yeah, if you don't have time to help debug the problems then sticking
with 9.4 is a good decision. OTOH they can use all the help they can
get. :)

> For the record, I have compiled dns/bind94 with
>
> make CFLAGS="-DFD_SETSIZE=65000" install clean
>
> to avoid "too many open file descriptors" errors, but with this setting
> (and increasing kern.maxfiles with sysctl) everything seems to be
> running nicely. -P2 might have removed the need for increasing
> FD_SETSIZE but this works, and for now I'll leave it at that.

I can certainly understand not wanting to change something that's
working, but I would like to get at least a couple of users to confirm
that -P2 works out of the box before I import them. I don't mind adding
a "big fd_setsize" knob to the ports and the base, but I want to be
sure it's needed first.

Doug

-- 
This .signature sanitized for your protection
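The thread above mixes two different limits: kern.maxfiles (and the per-process RLIMIT_NOFILE) is a runtime kernel ceiling on how many descriptors can be opened, while FD_SETSIZE is a compile-time constant that bounds which descriptor numbers select() can track at all. A select()-based daemon can therefore hit "too many open files" from the kernel, or silently strand descriptors above FD_SETSIZE, and raising one limit does nothing for the other. The following program is an added illustration of that gap; it is not code from either message and not BIND's code. It assumes only POSIX select(), dup() and getrlimit(); using /dev/null dups as a stand-in for a resolver's sockets and the probe counts are the example's own constructed choices. Note that FreeBSD's <sys/select.h> honours a predefined FD_SETSIZE (which is why the port workaround quoted in the thread works), whereas glibc's headers redefine the macro and the -D override is lost.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* The compile-time ceiling select() can track. On FreeBSD, building with
 * -DFD_SETSIZE=65000 (the port workaround quoted in the thread) raises it;
 * glibc's headers redefine the macro, so the same override has no effect there. */
int compiled_fd_setsize(void)
{
    return (int)FD_SETSIZE;
}

/* FD_SET() on a descriptor >= FD_SETSIZE writes past the end of the fd_set.
 * A select()-based daemon must refuse such descriptors rather than use them. */
int fd_fits_select(int fd)
{
    return fd >= 0 && (unsigned long)fd < (unsigned long)FD_SETSIZE;
}

struct fd_probe {
    long soft_limit; /* RLIMIT_NOFILE after raising it to the hard limit (-1 = unlimited) */
    int opened;      /* descriptors the kernel let us open */
    int usable;      /* of those, how many are below FD_SETSIZE */
    int stranded;    /* opened but unusable with select() */
    int hit_emfile;  /* 1 if the kernel refused with EMFILE or ENFILE */
};

/* Open up to `want` extra descriptors (dups of /dev/null, a constructed
 * stand-in for the UDP sockets a busy resolver holds) and classify each one.
 * Raising the soft RLIMIT_NOFILE is the per-process analogue of raising
 * kern.maxfiles; neither changes FD_SETSIZE. Every descriptor is closed again. */
struct fd_probe probe_select_capacity(int want)
{
    struct fd_probe p = {0, 0, 0, 0, 0};
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        rl.rlim_cur = rl.rlim_max;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
        if (getrlimit(RLIMIT_NOFILE, &rl) == 0)
            p.soft_limit = (rl.rlim_cur == RLIM_INFINITY) ? -1 : (long)rl.rlim_cur;
    }

    int *fds = calloc((size_t)(want > 0 ? want : 1), sizeof *fds);
    int base = open("/dev/null", O_RDONLY);
    if (fds == NULL || base < 0) {
        free(fds);
        if (base >= 0)
            close(base);
        return p;
    }

    for (int i = 0; i < want; i++) {
        int fd = dup(base);
        if (fd < 0) {
            /* This is the kernel-side "too many open files" the thread mentions. */
            p.hit_emfile = (errno == EMFILE || errno == ENFILE);
            break;
        }
        fds[p.opened++] = fd;
        if (fd_fits_select(fd))
            p.usable++;
        else
            p.stranded++;
    }

    for (int i = 0; i < p.opened; i++)
        close(fds[i]);
    close(base);
    free(fds);
    return p;
}

int main(void)
{
    /* Ask for more descriptors than select() can track, to expose the gap. */
    struct fd_probe p = probe_select_capacity(compiled_fd_setsize() + 256);
    printf("FD_SETSIZE=%d RLIMIT_NOFILE(soft)=%ld opened=%d usable=%d stranded=%d emfile=%d\n",
           compiled_fd_setsize(), p.soft_limit, p.opened, p.usable, p.stranded, p.hit_emfile);
    if (p.stranded > 0)
        puts("descriptors above FD_SETSIZE were opened but cannot be used with select()");
    else if (p.hit_emfile)
        puts("hit the kernel/rlimit ceiling first: raise kern.maxfiles / RLIMIT_NOFILE");
    return 0;
}
```

Run it once as built and once with -DFD_SETSIZE=65000 on FreeBSD: the stranded count is the set of descriptors a select()-based named would be unable to poll no matter how high kern.maxfiles is set, and a non-zero emfile flag with no stranded descriptors means the kernel limit, not FD_SETSIZE, is the one being hit.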