TLS and local unbound-control

Marc Branchaud marcnarc at
Fri May 4 21:01:36 UTC 2018

On 2018-05-04 04:12 PM, Marc Branchaud via Unbound-users wrote:
> Hi all,
> (Please bear with me in the following; some of this might be mere 
> correlation and not causation.)
> I've recently switched from OpenSSL 0.9.8 to 1.0.1.  I've noticed that 
> my unbound-control commands now take significantly longer to complete. 
> The "stats" command in particular takes ~3 seconds on my (mediocre) 
> hardware.

Sorry, that should be ~0.7 seconds!  My brain's already on the weekend...


> Looking at unbound-control.c, it seem like it's always using TLS to 
> communicate with the unbound process, even though I use local sockets i.e.
>      control-interface: /var/unbound/control-0
> Am I reading the code correctly here?
> If so, it seems silly to use TLS on such a connection.  Is there a 
> config setting that would avoid using TLS?
> (I haven't done a rigorous A/B test to see if the different OpenSSL 
> version is really causing the slowdown.  Maybe the older version was 
> just using lighter crypto.  But I might be barking up the completely 
> wrong tree.)
> On a related note, I am contemplating using stats_shm instead anyway, 
> though I'm a little concerned about its connection to 
> statistics-interval and logging.  That is, statistics-interval also sets 
> the frequency at which the stats are logged.  If I want a small 
> shm-update interval, I'm a tiny bit concerned about the extra packets 
> being thrown at syslogd (even if they're ignored).  Especially if I'm 
> running dozens of unbounds on some beefy-but-busy hardware.
> So I'd like to request that: (a) unbound-control avoids using TLS when 
> communicating over a local socket; and (b) there be a config setting to 
> control only the shm stats update frequency, without the extra cruft of 
> statistics-interval.
> Does that sound reasonable?
> Thanks,
>          M.

More information about the Unbound-users mailing list