TLS and local unbound-control
Marc Branchaud
marcnarc at xiplink.com
Fri May 4 20:12:57 UTC 2018
Hi all,
(Please bear with me in the following; some of this might be mere
correlation and not causation.)
I've recently switched from OpenSSL 0.9.8 to 1.0.1. I've noticed that
my unbound-control commands now take significantly longer to complete.
The "stats" command in particular takes ~3 seconds on my (mediocre)
hardware.
Looking at unbound-control.c, it seems like it's always using TLS to
communicate with the unbound process, even though I use local sockets, i.e.,
control-interface: /var/unbound/control-0
Am I reading the code correctly here?
If so, it seems silly to use TLS on such a connection. Is there a
config setting that would avoid using TLS?
(I haven't done a rigorous A/B test to see if the different OpenSSL
version is really causing the slowdown. Maybe the older version was
just using lighter crypto. But I might be barking up the completely
wrong tree.)
On a related note, I am contemplating using stats_shm instead anyway,
though I'm a little concerned about its connection to
statistics-interval and logging. That is, statistics-interval also sets
the frequency at which the stats are logged. If I want a small
shm-update interval, I'm a tiny bit concerned about the extra packets
being thrown at syslogd (even if they're ignored). Especially if I'm
running dozens of unbounds on some beefy-but-busy hardware.
So I'd like to request that: (a) unbound-control avoids using TLS when
communicating over a local socket; and (b) there be a config setting to
control only the shm stats update frequency, without the extra cruft of
statistics-interval.
Does that sound reasonable?
Thanks,
M.
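For readers landing on this thread, the configuration the post is asking about can be expressed in an unbound.conf fragment. This is an added example, not part of Marc's message or the Unbound project's own documentation. It assumes the remote-control option control-use-cert and the server options shm-enable and shm-key as described in unbound.conf(5); the socket path is the one from the post, and the shm key is a constructed value. Check the man page of the installed version before relying on any of these names.

```yaml
# Added example (not from the post): unbound.conf fragment combining a
# local control socket with shared-memory statistics.
server:
    # Expose the counters in a SysV shared-memory segment so that
    # unbound-control-style polling is not needed at all.
    shm-enable: yes
    # Constructed key; every unbound instance on the host needs its own
    # key, otherwise two daemons would fight over one segment.
    shm-key: 11777
    # As the post notes, this interval also drives the periodic stats
    # log line, so keep it as large as the monitoring cadence allows.
    statistics-interval: 60

remote-control:
    control-enable: yes
    # Unix-domain socket from the post. Who may issue control commands is
    # decided by the permissions on this path and its directory, so the
    # directory should be writable only by the unbound user and the
    # operators who are meant to run unbound-control.
    control-interface: /var/unbound/control-0
    # Disable TLS on the control channel. Only do this when the interface
    # is a local socket guarded by file permissions: on a TCP interface,
    # TLS with client certificates is what authenticates the caller.
    control-use-cert: no
```

With a local socket, the certificate material that TLS would otherwise provide buys no additional confidentiality (the kernel never puts the bytes on a network), so the meaningful control is the filesystem ACL on the socket; that is the check to verify after switching it off.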