increasing memory usage (using rpz zones)

Fredrik Pettai pettai at sunet.se
Wed Oct 21 20:35:25 UTC 2020


Hi Hanspeter,

> On 20 Oct 2020, at 15:40, Hanspeter Kunz via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> On Fri, 2020-10-16 at 15:56 +0200, Ralph Dolmans via Unbound-users wrote:
>> Hi Hanspeter,
>> 
>> On 14-10-2020 23:29, Hanspeter Kunz via Unbound-users wrote:
>>> Hi all,
>>> 
>>> [replying to my own post]
>>> 
>>> Apparently it is normal that unbound uses *a lot of RAM* after the
>>> initial load of the rpz zones (point 1 below).
>> 
>> Does your RPZ zone contain a lot of records with the local data RPZ
>> action? Due to the way the memory allocation is done here this can
>> result in a very memory hungry Unbound instance. We are working on a
>> fix for this.
> 
> I am not entirely sure what "local data RPZ action" means. Almost all
> our records in the rpz zones are CNAMEs.

(All RPZ actions use CNAME <data>)

"Local data" action means that the RPZ zone you're supplying has an "alternative" answer that's presented to the querying client, redirecting the client to another host. (This explains why I don't see your unbound's memory-hogging behaviour on SUNET unbound instances.)
We rewrite it to answer NXDOMAIN (CNAME .)

You could try this config example to see if it solves your issue:

rpz:
	name: "aaaaa.bbbbb.switch.ch."
	zonefile: "/var/lib/unbound/aaaaa.bbbbb.switch.ch.zone"
	master: 130.242.XXX.YYY@ZZZZ
	allow-notify: 130.242.XXX.YYY
	rpz-action-override: nxdomain    # <-- this is the differentiator
	rpz-log: yes
	rpz-log-name: aaaaa.bbbbb
	tags: "malware"



HTH,
/P
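
As an added example (not part of the original message, and not Unbound's own code): a small Python script that counts how many records in an RPZ zone file use each action, which answers the question above of whether a zone consists mostly of "local data" records. It assumes one record per line with numeric TTLs; the sample zone is constructed, and the names `classify` and `count_actions` are hypothetical.

```python
from collections import Counter

# RPZ encodes its policy actions as special CNAME targets; any other record
# (including a CNAME pointing at a real host) is the "local data" action.
SPECIAL_CNAME = {".": "nxdomain", "*.": "nodata", "rpz-passthru.": "passthru",
                 "rpz-drop.": "drop", "rpz-tcp-only.": "tcp-only"}
CLASSES = {"IN", "CH", "HS"}
INFRA = {"SOA", "NS"}  # zone apex bookkeeping, not policy triggers

def classify(line):
    """Return the RPZ action for one zone-file line, or None if not a policy record."""
    fields = line.split(";", 1)[0].split()  # drop trailing ';' comments
    if len(fields) < 3 or fields[0].startswith("$"):
        return None  # blank line, $TTL/$ORIGIN directive, or malformed
    rest = fields[1:]
    # Skip the optional TTL and class between owner name and record type.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    if len(rest) < 2:
        return None
    rtype, rdata = rest[0].upper(), rest[1]
    if rtype in INFRA:
        return None
    if rtype == "CNAME":
        return SPECIAL_CNAME.get(rdata.lower(), "local-data")
    return "local-data"  # A, AAAA, TXT, ... are always local data

def count_actions(zone_text):
    """Count RPZ actions over a whole zone file given as text."""
    return Counter(a for a in map(classify, zone_text.splitlines()) if a)

# Constructed sample zone (not taken from the thread).
SAMPLE = """\
$TTL 300
@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@ IN NS localhost.
bad1.example.com      CNAME .
*.bad1.example.com    CNAME .
bad2.example.net  60 IN CNAME *.
ok.example.org        CNAME rpz-passthru.
phish.example.com     CNAME landing.example.invalid.  ; redirect = local data
sink.example.net      IN A 192.0.2.10
"""

if __name__ == "__main__":
    for action, n in count_actions(SAMPLE).most_common():
        print(f"{action:12} {n}")
```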


