DNS performance.

Gary Lockyer gary at catalyst.net.nz
Fri Jul 26 00:26:32 UTC 2019

One of the performance bottlenecks that we're seeing on the AD is DNS
performance in both the internal and BIND9 servers.  I've taken a quick
look at enabling pre-fork on the internal DNS server; this mostly works.

Queries work, but updates don't.

The updates use DNS TSIG to do the authentication, which requires
holding authentication state between requests.

I did look at using shared memory to hold this state but could not work
out how to copy the auth_session_info and gensec_security structures into
the shared memory.

A possible approach would be to:
  * Launch a crypto worker process that handles the tsig processing and
    maintains the associated state.
  * The DNS worker processes forward the TSIG packets to the crypto
    worker via messaging, and wait for the response.
  * Non-TSIG queries are handled directly by the DNS worker process.

One possible issue is that we would be limited to a single crypto
worker. However the assumption is that query loads are much greater than
the update loads. And given that we currently only store 128 sessions
this seems to be likely.

This should all work; the only bit I'm unsure about would be waiting for
a response over messaging, but I believe that this should be doable.

Ngā mihi

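The dispatch sketched in the three bullets above, as an added example (Python, not Samba code and not from the post's author): each DNS worker parses the raw wire packet, answers anything without a TSIG RR itself, and forwards TSIG-carrying packets over a queue (standing in for Samba messaging) to one crypto worker that is the only place per-key state lives. The packet builder, the key name samba-update-key, the placeholder TSIG rdata (empty MAC, nothing is actually verified) and the 128-entry session cap are constructed for the example.

```python
"""Model of the crypto-worker dispatch proposed above (added example, not Samba code).
Assumptions: raw DNS wire packets (RFC 1035 header, RFC 2136 update, RFC 8945 TSIG as the
last additional RR); queue.Queue stands in for Samba messaging; key name, packet builder
and placeholder TSIG rdata (empty MAC, nothing is verified) are constructed here."""
import queue
import struct
import threading

TYPE_A, TYPE_SOA, TYPE_TSIG, OPCODE_QUERY, OPCODE_UPDATE = 1, 6, 250, 0, 5
MAX_SESSIONS, TSIG_KEY_NAME = 128, "samba-update-key"   # cap from the post; key name constructed


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it in the stream)."""
    labels, end, jumps = [], None, 0
    while True:
        if off >= len(pkt): raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:        # compression pointer: follow it, bounded against loops
            jumps += 1
            if jumps > 16 or off + 1 >= len(pkt):
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end     # stream resumes after the first pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def classify(pkt):
    """Return the opcode and the TSIG key name (None when no TSIG RR is present)."""
    if len(pkt) < 12: raise ValueError("short packet")
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):                  # question section (zone section for UPDATE)
        _, off = _read_name(pkt, off)
        off += 4                         # qtype + qclass
    last_owner = last_type = None
    for _ in range(an + ns + ar):        # a TSIG RR must be the last additional RR
        last_owner, off = _read_name(pkt, off)
        if off + 10 > len(pkt): raise ValueError("truncated RR header")
        last_type, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
    if off > len(pkt): raise ValueError("truncated packet")
    tsig_key = last_owner if (ar and last_type == TYPE_TSIG) else None
    return {"opcode": (flags >> 11) & 0xF, "tsig_key": tsig_key}


def build_packet(txid, opcode, qname, qtype, with_tsig):
    """Constructed sample packet: one question/zone entry, optionally a TSIG RR."""
    pkt = struct.pack("!HHHHHH", txid, opcode << 11, 1, 0, 0, 1 if with_tsig else 0)
    pkt += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if with_tsig:
        # Placeholder rdata: algorithm name, then time signed, fudge, MAC size (0),
        # original ID, error and other length all zero (16 bytes).  No real MAC.
        rdata = _encode_name("hmac-sha256") + b"\x00" * 16
        pkt += _encode_name(TSIG_KEY_NAME)
        pkt += struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(rdata)) + rdata
    return pkt


class CryptoWorker(threading.Thread):
    """The single crypto worker: the only process holding per-key TSIG state."""
    def __init__(self):
        super().__init__(daemon=True)
        self.requests = queue.Queue()
        self.sessions = {}               # key name -> state (stand-in for gensec state)

    def run(self):
        while True:
            pkt, reply_q = self.requests.get()
            if pkt is None:
                break
            key = classify(pkt)["tsig_key"]
            # Real code would verify the MAC here; only the state bookkeeping is modelled.
            if key not in self.sessions and len(self.sessions) >= MAX_SESSIONS:
                self.sessions.pop(next(iter(self.sessions)))   # evict the oldest entry
            self.sessions[key] = self.sessions.get(key, 0) + 1
            reply_q.put(("crypto-worker", key, self.sessions[key]))


def dns_worker_handle(pkt, crypto):
    """Per-packet logic of one pre-forked DNS worker."""
    info = classify(pkt)
    if info["tsig_key"] is None:
        return ("local", info["opcode"])             # plain query: answered in this process
    reply_q = queue.Queue(maxsize=1)
    crypto.requests.put((pkt, reply_q))              # forward over "messaging"
    return reply_q.get(timeout=5)                    # block until the crypto worker replies


def demo():
    crypto = CryptoWorker()
    crypto.start()
    query = build_packet(0x1234, OPCODE_QUERY, "dc1.example.com", TYPE_A, False)
    update = build_packet(0x1235, OPCODE_UPDATE, "example.com", TYPE_SOA, True)
    results = [dns_worker_handle(p, crypto) for p in (query, update, update)]
    crypto.requests.put((None, None))                # shut the worker down
    crypto.join()
    return results
```

The blocking reply_q.get() in dns_worker_handle is the "waiting for a response over messaging" step; in a real event-driven worker it would be an asynchronous wait so the worker keeps serving plain queries in the meantime. Because every TSIG packet funnels through one queue, the crypto worker's throughput bounds update throughput, which is the single-worker limit the post mentions; the parser also rejects truncated packets and compression-pointer loops rather than reading past the buffer, which matters once untrusted packets are being classified before any authentication has happened.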

More information about the samba-technical mailing list