AW: AW: Unbound - Shared Cache

George Thessalonikefs george at nlnetlabs.nl
Wed Feb 12 17:11:20 UTC 2020


Hi Peter,

On 12/02/2020 12:59, Talkabout wrote:
> Hi George,
>
> Maybe it’s stupid but it is still not completely clear to me. As Unbound
> knows when a particular entry needs to be invalidated (based on the
> configuration it received upon load), setting the TTL via EXPIRE would
> also work for the case you mentioned (serving outdated entries based on
> Unbound configuration). Maybe I am missing something?
You are right that this could work but it may also be the case that you
want to turn on (or reconfigure) serve-expired on the fly through
unbound-control.
In that case you would like to have the expired records still lying around.

Best regards,
-- George

>
> I have now created the following setup:
>
> Server 1:
>                 Unbound (connected to KeyDB as backend)
>                 KeyDB (Redis drop-in replacement with active
>                 replication, bound to Server 2)
>
> Server 2:
>                 Unbound (connected to KeyDB as backend)
>                 KeyDB (Redis drop-in replacement with active
>                 replication, bound to Server 1)
>
> That way every entry added by one of the servers is automatically
> available also for the other one (active replication of KeyDB) => shared
> cache 😊 Entries are evicted after 4 hours of idle time. Will keep it
> that way for now and if it works well the next days this will become my
> productive setup.
>
> Thanks all for your help!
>
> Bye
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
> *From: *George Thessalonikefs via Unbound-users
> <mailto:unbound-users at lists.nlnetlabs.nl>
> *Sent: *Wednesday, 12 February 2020 11:23
> *To: *unbound-users at lists.nlnetlabs.nl
> <mailto:unbound-users at lists.nlnetlabs.nl>
> *Subject: *Re: AW: Unbound - Shared Cache
>
> Hi Peter,
>
> The reason is that you could serve expired records from that cache (if
> you configure unbound to do so) so they shouldn't expire after the TTL.
>
> As for the recommended way to clean up redis (from the man page):
> "
> It should be noted that Unbound never removes data stored in the Redis
> server, even if some data have expired in terms of DNS TTL or the Redis
> server has cached too much data; if necessary the Redis server must be
> configured to limit the cache size, preferably with some kind of
> least-recently-used eviction policy.
> "
>
> I would recommend going through the cachedb section in the unbound.conf
> man page as it also documents the behavior and some caveats such as the
> "synchronous communication" between unbound and redis.
>
> As for the recommended way to clean up redis I would look here:
> https://redis.io/topics/lru-cache
>
> and probably use the 'allkeys-lru' policy.
>
> Best regards,
> -- George
>
> On 11/02/2020 19:53, Talkabout via Unbound-users wrote:
>> Hi Benno,
>>
>> I have set up Unbound with redis cache now and will check how well this
>> works. I have one question left: documentation states that unbound does
>> NOT invalidate keys in the redis cache even if they expire. Question
>> from my side is why is unbound not simply using the „EXPIRE“ function of
>> redis to set the TTL to the same time that unbound receives from an
>> authority dns server? That way no other maintenance needs to be done. If
>> there still is a valid reason (which I am sure there is 😊), what is the
>> recommended way to clean up redis?
>>
>> Thanks!
>>
>> Bye
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>> *From: *Talkabout via Unbound-users
>> <mailto:unbound-users at lists.nlnetlabs.nl>
>> *Sent: *Monday, 10 February 2020 14:15
>> *To: *Benno Overeinder <mailto:benno at NLnetLabs.nl>;
>> unbound-users at lists.nlnetlabs.nl <mailto:unbound-users at lists.nlnetlabs.nl>
>> *Subject: *AW: Unbound - Shared Cache
>>
>> Hi Benno,
>>
>> my real name is Peter 😊
>>
>> Thank you very much for this hint, I will try to set up a redis cache
>> that distributes the entries among my servers.
>>
>> Bye
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>> *From: *Benno Overeinder <mailto:benno at NLnetLabs.nl>
>> *Sent: *Monday, 10 February 2020 13:50
>> *To: *Talkabout <mailto:talk.about at gmx.de>;
>> unbound-users at lists.nlnetlabs.nl <mailto:unbound-users at lists.nlnetlabs.nl>
>> *Cc: *Paul Vixie <mailto:paul at redbarn.org>
>> *Subject: *Re: Unbound - Shared Cache
>>
>> Hi Talkabout (is this your real name?),
>>
>> Thank you Paul for your answer.  Paul is correct that it is very
>> dependent on your cache replacement algorithm and how to inform other
>> resolvers that answers are already in cache.
>>
>> To answer your question, Talkabout, Unbound has a module for a shared
>> cache with a Redis backend.  It works as a secondary cache, 1) first
>> local cache lookup, 2) shared cache lookup, 3) resolve/iterate.  For
>> configuration and use, see the unbound.conf(5) manpages, section "Cache
>> DB Module Options".  (You may have to compile Unbound yourself with the
>> --with-libhiredis option.)
>>
>> Your suggestion to export/import the cache with unbound-control can be
>> used for running Unbound clusters and you want to start a new Unbound
>> instance with a hot cache.
>>
>> Best regards,
>>
>> — Benno
>>
>>> On 10 Feb 2020, at 12:21, Talkabout via Unbound-users
>>> <unbound-users at lists.nlnetlabs.nl> wrote:
>>>
>>> Hi Paul,
>>>
>>> thank you very much for your statement!
>>>
>>> I am not that deep into DNS logics so most likely not a very good
>>> communication partner when the topic becomes that complex 😊 I am using
>>> Unbound for my home network only, there I think theoretical numbers like
>>> „hundreds cache misses per second“ are not that realistic. But I totally
>>> agree that making such a feature generic, this is something that needs
>>> to be taken care of.
>>>
>>> Maybe a solution can be to integrate a sub layer in between the local
>>> cache and external resolvers, a shared cache. This shared cache is
>>> updated by all peers when a query gets resolved and every peer can ask
>>> the shared cache for entries when local cache does not deliver any
>>> results. Shared cache instances are then automatically synchronized.
>>>
>>> Obviously this topic is not an easy one and it seems that there is
>>> nothing in place I can reuse.
>>>
>>> Thanks again!
>>>
>>> Bye
>>>
>>> Sent from Mail for Windows 10
>>>
>>> From: Paul Vixie
>>> Sent: Monday, 10 February 2020 12:11
>>> To: unbound-users at lists.nlnetlabs.nl
>>> Cc: Talkabout
>>> Subject: Re: Unbound - Shared Cache
>>>
>>> On Monday, 10 February 2020 09:54:44 UTC Talkabout via Unbound-users
>>> wrote:
>>> > I am using unbound on 2 different servers (also populated via DHCP as 2
>>> > different name servers) and would like to make sure that if one server
>>> > already answered a query and cached it, the other does not need to do the
>>> > same query to the Internet again. ...
>>> > Question is, if there is a standard way of doing this or any suggestions
>>> > about the „best“ solution. Maybe somebody already has something like this
>>> > working?
>>>
>>> this question has come up every year or so. one thing to know is that if this
>>> is a good idea, then it would be a good multi-vendor idea, not just for
>>> unbound, though unbound has a track record of doing things first that turn out
>>> to be good ideas and end up standardized in DNS itself in some form.
>>>
>>> some open questions that relate to discard policy:
>>>
>>> if you had hundreds of cache misses per second which ones would you share with
>>> your peer recursive nameservers? (maybe only share it after its first reuse? i
>>> think the opendns anycast network uses a DHT for this, to inform peers of
>>> availability of data, so it can be fetched from a peer if it's needed.)
>>>
>>> if your peer is sharing hundreds of cache misses per second with you, would
>>> you ever discard something from your own cache to make room for something from
>>> theirs? (generally this isn't the right thing, so you'd give your cache two
>>> LRU quotas, one for your own cache misses, one for those shared to you.)
>>>
>>> when running at quota, and needing to discard something because a peer just
>>> told you some new thing and you don't have room for N+1, would you choose
>>> least recently learned (LRL) rather than least recently used (LRU) because
>>> when things are used they've moved from your peer-cache to your own-cache?
>>>
>>> other open questions:
>>>
>>> when using ECS, how do you know which cache additions to share, if your peer
>>> or your peer's stubs don't have the same topology as you/yours do?
>>>
>>> would you rate limit the feed to a peer so as not to flood their capacity?
>>>
>>> this is a fascinating topic, as i hope you'll agree.
>>>
>>> --
>>> Paul
>>
>> --
>> Benno J. Overeinder
>> NLnet Labs
>> https://www.nlnetlabs.nl/
>>
> 
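
The man-page advice quoted in this thread (limit the Redis cache size and use an LRU eviction policy such as 'allkeys-lru') can be checked mechanically. The following is an added example, not part of the original messages or of Unbound: a shell audit of a redis.conf, with constructed function names and sample file, assuming the cachedb keys carry no Redis expiry, as the thread describes.

```shell
#!/bin/sh
# Added example: audit a redis.conf that backs Unbound's cachedb module.
# Assumption (from the thread): Unbound never deletes keys and sets no Redis
# EXPIRE, so only maxmemory plus an allkeys-* policy keeps the cache bounded.

# Print the effective value of a directive (last occurrence wins) or a default.
redis_directive() {  # $1=file  $2=directive  $3=default
    awk -v key="$2" -v def="$3" '
        tolower($1) == key { val = tolower($2) }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Print a verdict; return 0 only if the cache is capped and evictable.
check_cachedb_redis() {  # $1=path to redis.conf
    maxmem=$(redis_directive "$1" maxmemory 0)                  # Redis default: no limit
    policy=$(redis_directive "$1" maxmemory-policy noeviction)  # Redis default
    case "$maxmem" in
        0|0[a-z]*)
            echo "FAIL: maxmemory is unset or 0, the cache grows without limit"
            return 1 ;;
    esac
    case "$policy" in
        allkeys-*)
            echo "OK: maxmemory=$maxmem maxmemory-policy=$policy"
            return 0 ;;
        volatile-*)
            echo "FAIL: $policy evicts only keys with an expiry, cachedb keys have none"
            return 1 ;;
        *)
            echo "FAIL: $policy rejects new writes once maxmemory is reached"
            return 1 ;;
    esac
}

# Constructed sample file: a memory cap plus the policy suggested in the thread.
sample=$(mktemp)
printf 'maxmemory 256mb\nmaxmemory-policy allkeys-lru\n' > "$sample"
check_cachedb_redis "$sample"
rm -f "$sample"
```

Commented-out directives in a stock redis.conf are ignored because their first field is `#`, so an untouched default file is reported as unbounded.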


More information about the Unbound-users mailing list