TLS and local unbound-control
marcnarc at xiplink.com
Fri May 4 21:01:36 UTC 2018
On 2018-05-04 04:12 PM, Marc Branchaud via Unbound-users wrote:
> Hi all,
> (Please bear with me in the following; some of this might be mere
> correlation and not causation.)
> I've recently switched from OpenSSL 0.9.8 to 1.0.1. I've noticed that
> my unbound-control commands now take significantly longer to complete.
> The "stats" command in particular takes ~3 seconds on my (mediocre)
Sorry, that should be ~0.7 seconds! My brain's already on the weekend...
> Looking at unbound-control.c, it seem like it's always using TLS to
> communicate with the unbound process, even though I use local sockets i.e.
> control-interface: /var/unbound/control-0
> Am I reading the code correctly here?
> If so, it seems silly to use TLS on such a connection. Is there a
> config setting that would avoid using TLS?
> (I haven't done a rigorous A/B test to see if the different OpenSSL
> version is really causing the slowdown. Maybe the older version was
> just using lighter crypto. But I might be barking up the completely
> wrong tree.)
> On a related note, I am contemplating using stats_shm instead anyway,
> though I'm a little concerned about its connection to
> statistics-interval and logging. That is, statistics-interval also sets
> the frequency at which the stats are logged. If I want a small
> shm-update interval, I'm a tiny bit concerned about the extra packets
> being thrown at syslogd (even if they're ignored). Especially if I'm
> running dozens of unbounds on some beefy-but-busy hardware.
> So I'd like to request that: (a) unbound-control avoids using TLS when
> communicating over a local socket; and (b) there be a config setting to
> control only the shm stats update frequency, without the extra cruft of
> Does that sound reasonable?
More information about the Unbound-users