Adding root servers as local secondary zone to local caching server

Chriztoffer Hansen ch at ntrv.dk
Thu Sep 2 08:31:15 UTC 2021


On Thu, 2 Sept 2021 at 04:54, John Levine via Unbound-users
<unbound-users at lists.nlnetlabs.nl> wrote:
>
> It appears that Charles Sharp via Unbound-users <charles at cocosolutions.com> said:
> >
> >Thanks Chriztoffer!
> >
> >Sorry, got busy and just now coming back to this...
> >
> >So, one thing you didn't answer was - is this even a good idea?
> >
> >It sounds great in theory, but sometimes reality works out very differently.
> >
> >I'm specifically wondering about performance and resource usage.
> >
> >E.g., would Unbound need the entire zone to be fully loaded into RAM? If
> >so, how much RAM would be needed?
>
> It works great. The root zone is not very big. It's under 22,000
> records including all of the DNSSEC signatures, master file is about 2
> meg. Also, all modern computers have virtual memory so "fully loaded
> into RAM" doesn't mean anything.
>
> On my not very busy FreeBSD server with the root, arpa, in-addr.arpa,
> and ip6.arpa zones all loaded into unbound, the virtual size is 43MB,
> resident size 20MB. On computers with gigabytes of RAM, those numbers
> are insignificant.

Zones fetched using AXFR are cached locally on disk by your resolver daemon.

Your local resolver daemon will regularly check in with the upstream
server to see whether the serial number has changed. If the upstream
serial is higher than the locally cached one, it requests a new copy of
the upstream zone file.

Unless you are fetching VERY large zone files over the internet (e.g.
multiple hundreds of megabytes and above), performance concerns are
generally not something you will ever need to worry about.

If you want to run your local resolver without relying on upstream
forwarders doing the lookups for you (think e.g. 1.1.1.1 (Cloudflare),
8.8.8.8 (Google), 9.9.9.9 (Quad9)), configuring your local resolver to
use a cached root.hints file fetched using HTTP/HTTPS/AXFR is almost
your only option.
Caching the root.hints file locally *saves* your local resolver from
needing to first contact a root server to look up which NS is
responsible for e.g. the .NL zone.
Without a cached root.hints file, your local resolver *needs* to
contact a root server for information on which NSes are responsible
for e.g. the .NL zone.

Best, Chriztoffer
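The set-up discussed in this thread (a local copy of the root zone, transferred with AXFR or fetched over HTTPS, used only for the resolver's own iteration), as an added Unbound configuration example that is not part of the original mail or of the Unbound project's shipped config. The zone-file path, the choice of transfer sources and the trust-anchor path are assumptions; the hosts listed are the ones commonly used as public root-zone transfer sources, and the current list should be checked against RFC 8806 and the Unbound example configuration before use:

```conf
server:
    # DNSSEC validation stays on: answers taken from the local root copy are
    # validated against the root trust anchor like any other answer, so a
    # tampered transfer fails validation instead of being served.
    # Path is an assumption for this example.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # AXFR sources for the root zone (assumed list; verify against RFC 8806).
    # Older Unbound versions spell this keyword "master:" instead of "primary:".
    primary: b.root-servers.net
    primary: c.root-servers.net
    primary: f.root-servers.net
    primary: g.root-servers.net
    primary: k.root-servers.net
    primary: lax.xfr.dns.icann.org
    primary: iad.xfr.dns.icann.org
    # HTTPS source used when no AXFR primary answers.
    url: "https://www.internic.net/domain/root.zone"
    # If the transfer fails or the local copy expires, fall back to normal
    # iteration against the root servers instead of failing lookups.
    fallback-enabled: yes
    # Use the copy for the resolver's own upstream lookups only; do not act
    # as an authoritative root server towards clients.
    for-downstream: no
    for-upstream: yes
    # On-disk cache of the transferred zone (assumed path, relative to the
    # chroot/directory setting if one is configured).
    zonefile: "/var/lib/unbound/root.zone"
```

Unbound honours the refresh and expire timers from the zone's SOA record when deciding how often to re-check the serial, which is the periodic serial check the reply above describes. Keeping `for-downstream: no` is the safer choice: the resolver still answers clients through normal recursion and validation, and the local copy only removes the initial round trip to a root server.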
