[nsd-users] Slow AXFR propagation to nsd server

Zdeněk Nový zdenek.novy at active24.cz
Wed Aug 17 15:27:38 UTC 2022 

Hello,
I have a nsd version 4.3.9 (from official Ubuntu Jammy repository) 
configured as a slave server with about 400k zones.

I have an issue with a delay of AXFR/IXFR requests, which sometimes 
takes more than 10 seconds. Example of receiving XFR:

2022-08-16_14:29:01 xxxxxxxx nsd[1270460]: info:  notify for somedomain. 
from 192.168.205.10 serial 1658932140
2022-08-16_14:29:07 xxxxxxxx nsd[2867429]: info:  xfrd: zone somedomain 
committed "received update to serial 1658932140 at 2022-08-16T14:29:07 
from 192.168.205.10 TSIG verified with key xxxxxxxxx"
2022-08-16_14:29:18 dfo5pub1 nsd[2867432]: info:  zone somedomain. 
received update to serial 1658932140 at 2022-07-27T14:29:07 from 
192.168.205.10 TSIG verified with key xxxxxxxxx of 3045 bytes in 4.1e-05 
seconds
2022-08-16_14:29:28 dfo5pub1 nsd[2867429]: info:  zone somedomain serial 
1658825141 is updated to 1658932140

You can see, in this example, there is 10s delay between received update 
and zone is updated actions.

Nsd configuration, server section (We use bare metal server with 48 
threads (24 cores + hyperthreading)):

server:
   server-count: 40
   # Anycast addresses on loopback interface
   ip-transparent: yes
   ip-address:   enp65s0f0
   ip-address:   lo
   verbosity: 9
   database: "/var/lib/nsd/nsd.db"
   reuseport: yes
   zonesdir: "/var/lib/nsd"
   hide-version: yes
   version: "NSD"
   identity: "unidentified server"
   refuse-any: yes
   # Response Rate Limiting
   rrl-size: 50000000
   rrl-ratelimit: 300
   rrl-slip: 10
   # TCP capacity 
(https://nsd.docs.nlnetlabs.nl/en/latest/running/tuning.html?highlight=performance)
   tcp-count: 1400
   tcp-timeout: 6
   tcp-reject-overflow: yes

I tried to remove the database with database: "", but there were no 
significant change. I tried to setup the cpu affinity as well, but 
without success, but I'd like to avoid of this complexity.

Do we have something wrong in our setup or does we reach the limitation 
of the daemon. The server cpu graph shows us about 10% system time, 
which seems weird to me as well and about 1% of user time., the 
bandwidth is less than 5Mbps.

Can you give me some advice how to speed the process up?

Thank you in advance.

Zdenek Novy
Active24
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20220817/c028e874/attachment.htm>

More information about the nsd-users mailing list