gary at catalyst.net.nz
Fri Jul 26 00:26:32 UTC 2019

One of the performance bottlenecks that we're seeing on the AD is DNS
performance in both the internal and BIND9 servers. I've taken a quick
look at enabling pre-fork on the internal DNS server; this mostly works.
Queries work, but updates don't.

The updates use DNS TSIG to do the authentication, which requires
holding authentication state between requests.

I did look at using shared memory to hold this state but could not work
out how to copy the auth_session_info and gensec_security structures into
the shared memory.

A possible approach would be to:

* Launch a crypto worker process that handles the TSIG processing and
maintains the associated state.
* The DNS worker processes forward the TSIG packets to the crypto
worker via messaging, and wait for the response.
* Non-TSIG queries are handled directly by the DNS worker process.

One possible issue is that we would be limited to a single crypto
worker. However, the assumption is that query loads are much greater than
the update loads. And given that we currently only store 128 sessions
this seems to be likely.

This should all work; the only bit I'm unsure about would be waiting for
a response over messaging, but I believe that this should be doable.
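
A small model of the design proposed in the message above, added here as an illustration; it is not Samba code and not the poster's. It assumes JSON over a Unix socket in place of Samba messaging and an HMAC-SHA256 secret in place of the real TSIG authentication state, and every function name is hypothetical. Each request runs in a separate forked DNS worker, so a session established through one worker verifies through another only because the single crypto worker holds the state.

```python
import hashlib, hmac, json, os, signal, socket, tempfile

MAX_SESSIONS = 128  # session cap quoted in the post

def crypto_worker(listener):
    """The one process that owns all TSIG session state; serves requests serially."""
    sessions = {}  # key name -> secret, a stand-in for the real authentication state
    while True:
        conn, _ = listener.accept()
        with conn, conn.makefile("rw") as f:
            req = json.loads(f.readline())
            secret, ok = sessions.get(req["key"]), True
            if req["op"] == "establish":
                if secret is None and len(sessions) >= MAX_SESSIONS:
                    sessions.pop(next(iter(sessions)))  # evict the oldest session
                sessions[req["key"]] = bytes.fromhex(req["secret"])
            else:  # "verify": passes only for a session this process already holds
                ok = secret is not None and hmac.compare_digest(req["mac"], hmac.new(
                    secret, req["msg"].encode(), hashlib.sha256).hexdigest())
            print(json.dumps({"ok": ok}), file=f, flush=True)

def ask_crypto(path, req):  # DNS worker side: forward the request, block for the verdict
    with socket.socket(socket.AF_UNIX) as s, s.makefile("rw") as f:
        s.settimeout(5)  # a stalled crypto worker must not hang the DNS worker forever
        s.connect(path)
        print(json.dumps(req), file=f, flush=True)
        return json.loads(f.readline())["ok"]

def in_dns_worker(path, req):  # one request in a freshly forked, stateless DNS worker
    if (pid := os.fork()) == 0:
        os._exit(0 if ask_crypto(path, req) else 1)
    return os.waitpid(pid, 0)[1] == 0

def demo():
    path = os.path.join(tempfile.mkdtemp(), "crypto.sock")
    listener = socket.socket(socket.AF_UNIX)
    listener.bind(path)
    listener.listen()
    if (crypto_pid := os.fork()) == 0:
        crypto_worker(listener)  # never returns; the parent stops it with SIGTERM
    listener.close()
    secret, msg = os.urandom(32), "update host1.example.test A 192.0.2.10"  # constructed
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    results = [in_dns_worker(path, {"op": "establish", "key": "k1", "secret": secret.hex()}),
               in_dns_worker(path, {"op": "verify", "key": "k1", "msg": msg, "mac": mac}),
               in_dns_worker(path, {"op": "verify", "key": "k1", "msg": msg + "!", "mac": mac}),
               in_dns_worker(path, {"op": "verify", "key": "k2", "msg": msg, "mac": mac})]
    os.kill(crypto_pid, signal.SIGTERM)
    os.waitpid(crypto_pid, 0)
    return results
```

`demo()` returns one verdict per request: session established, signed update accepted, tampered update rejected, and update under an unknown session rejected.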