increasing memory usage (using rpz zones)

Hanspeter Kunz hkunz at ifi.uzh.ch
Thu Oct 22 07:08:45 UTC 2020


Hi Fredrik,

On Wed, 2020-10-21 at 22:35 +0200, Fredrik Pettai wrote:
> Hi Hanspeter,
> 
> > On 20 Oct 2020, at 15:40, Hanspeter Kunz via Unbound-users <
> > unbound-users at lists.nlnetlabs.nl> wrote:
> > 
> > On Fri, 2020-10-16 at 15:56 +0200, Ralph Dolmans via Unbound-users
> > wrote:
> > > Hi Hanspeter,
> > > 
> > > On 14-10-2020 23:29, Hanspeter Kunz via Unbound-users wrote:
> > > > Hi all,
> > > > 
> > > > [replying to my own post]
> > > > 
> > > > Apparently it is normal that unbound uses *a lot of RAM* after the
> > > > initial load of the rpz zones (point 1 below).
> > > 
> > > Does your RPZ zone contain a lot of records with the local data RPZ
> > > action? Due to the way the memory allocation is done here this can
> > > result in a very memory hungry Unbound instance. We are working on a
> > > fix for this.
> > 
> > I am not entirely sure what "local data RPZ action" means. Almost all
> > our records in the rpz zones are CNAMEs.
> 
> (All RPZ actions use CNAME <data>)
> 
> "Local data" action means that the RPZ zone you're supplying has an
> "alternative" answer that's presented to the querying client, redirecting
> the client to another host. (This explains why I don't see your
> unbound's memory-hogging behaviour on SUNET unbound instances.)
> We rewrite it to answer NXDOMAIN (CNAME .)

Ah, I understand, thanks for clarifying.

> You could try this config example to see if it solves your issue:
> 
> rpz:
> 	name: "aaaaa.bbbbb.switch.ch."
> 	zonefile: "/var/lib/unbound/aaaaa.bbbbb.switch.ch.zone"
> 	master: 130.242.XXX.YYY@ZZZZ
> 	allow-notify: 130.242.XXX.YYY
> 	rpz-action-override: nxdomain    # <-- this is the differentiator
> 	rpz-log: yes
> 	rpz-log-name: aaaaa.bbbbb
> 	tags: "malware"

I tried overriding the action to nxdomain, as suggested. I didn't
change anything, unfortunately. Still getting the memory leak.

Best,
Hp
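
The question raised in the thread (how many records in an RPZ zone use the local data action) can be answered by counting records per action. The following is an added example, not part of the original message and not Unbound code; it uses the standard RPZ CNAME encodings, the sample zone is constructed, and it assumes one record per line with an explicit owner name and numeric TTLs.

```python
from collections import Counter

# CNAME targets that encode a policy action instead of replacement data.
ACTION_BY_TARGET = {
    ".": "nxdomain",
    "*.": "nodata",
    "rpz-passthru.": "passthru",
    "rpz-drop.": "drop",
    "rpz-tcp-only.": "tcp-only",
}
SKIP_TYPES = {"SOA", "NS"}  # zone apex bookkeeping, not policy records

def classify(line):
    """Return the RPZ action of one zone-file line, or None if it is not a policy record."""
    fields = line.split(";", 1)[0].split()      # drop trailing comment
    if len(fields) < 3 or fields[0].startswith("$"):
        return None                             # blank, comment, $TTL/$ORIGIN
    rest = fields[1:]                           # skip the owner name
    while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
        rest.pop(0)                             # optional TTL and class
    if len(rest) < 2 or rest[0].upper() in SKIP_TYPES:
        return None
    rtype, rdata = rest[0].upper(), rest[1].lower()
    if rtype == "CNAME":
        return ACTION_BY_TARGET.get(rdata, "local-data")
    return "local-data"                         # A, AAAA, TXT, ... served as-is

def summarize(zone_text):
    """Count policy records per RPZ action."""
    counts = Counter()
    for line in zone_text.splitlines():
        action = classify(line)
        if action:
            counts[action] += 1
    return counts

# Constructed sample zone (assumption), not data from the thread.
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@ IN NS localhost.
bad.example.com 300 IN CNAME .
*.bad.example.com IN CNAME .
quiet.example.net CNAME *.
ok.example.org CNAME rpz-passthru.
phish.example.com CNAME walled-garden.example.
ads.example.net 60 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for action, n in summarize(SAMPLE_ZONE).most_common():
        print(f"{action:12} {n}")
```

A high local-data count relative to the other actions is the case the question about memory allocation refers to.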