[Dnssec-trigger] persistent cache needed?
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon Feb 2 08:27:18 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
On 01/02/15 19:46, Paul Wouters wrote:
> On Sat, 31 Jan 2015, Chuck Anderson wrote:
>
>> After booting up and re-opening Firefox, restoring 50-100 tabs
>> causes so much DNS traffic that unbound goes unresponsive, and
>> queries repeatedly timeout for many minutes until things finally
>> settle down.
>
> Why is that causing timeouts and failures on DNS for you?
If unbound was compiled with libevent, it should not have any issues
coping with the traffic. But I heard that 'nat boxes' have trouble
with many connections. So, I do not know how to fix this, the network
won't allow the amount of traffic you are trying to do ...
Best regards,
Wouter
> I do think unbound needs an option to tell it it is operating on an
> endnode and not a network wide cache, where it can be a little more
> aggressive on negative cache entries and retry more.
>
>> I think we need a persistent cache, saved across
>> restarts/reboots. What else can we do to solve this problem?
>
> I would like that. But it would require the cache to have some
> kind of timestamp associaed to it, so the loading unbound can
> calculate how much to lower the TTL's of the cached data. Otherwise
> you would end up with badly cached data that has in reality expired
> (and might have changed)
>
> Note this is the reverse of another problem people have, which is
> when switching network they want the cache to be wiped because some
> networks might have split-DNS entries that aren't valid elsewhere.
>
>> Or is the verbosity the cause of the problem:
>>
>> #journalctl -b -u unbound | wc -l 24581
>
> Verbosity causes a significant performance drop, so for your
> original problem it might be worth reducing it to 1 again and see
> if your problem disappears.
>
> Paul _______________________________________________ dnssec-trigger
> mailing list dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUzzTmAAoJEJ9vHC1+BF+N0FQP/i7juffUKyFfRfPM9g+AX/qP
gWXWdWy7E1bQeMxy7eniLk25zcAM1gD39d3GjJAgT9ujbU/8exJzEeDDLech/4z0
lzDup6QGJSUKH36A78G/cZXmWhfZSHFP5w0iZo3wrvvv6NnQ3UcyvdbTEsEo99U5
9gEcpQNeA2RbTTz6xgeyW/JoHcg9PJGaAbQ7e5xqzBtAZ6pLfthW+EWkIIXZJGRd
H+nGxL58d5lKGM+3lFzF4YmFiGd2VRreXqy4y+e20SdxvxenGZ8e1GBhC8LVvfP7
vlTzhjYdUiV9pKyACC/5jng8BrDqFuqNif+n8stI1Z1CuoAwSQbXf/kCSO9hnpPw
Jg/SiA/9tLX9Z4RFDG6SmXYsKQMfkVEzPhnNmUtg8s7i8N1+Kt2HTEgFtIi0cI3y
udQMW09VVckXJaLd6zj6t2BVYUZ/9RhxWJO4ieCuzfnuBnVNepj3T6+hgmjOEX0o
mHB5nkcEuDk23MqFV5Tj1ac80JuJrzuO2c4BOPcD0uw5jQWmSEwnImvlAd1q8ng6
tkzTptkLPoFaNo5xDkNhLPNOH0d3OdgXaurH4AbExb2pepQSkMyKA73kS+9K0QWH
4KgPlf7ew6HU4F63h+Xn19gLvNOrWfZJSab0CSW71kk6GjiHW+Z22h554jNbxJKF
kiRcK4BvjxPtYOIEtZLs
=t9kc
-----END PGP SIGNATURE-----
More information about the dnssec-trigger
mailing list