metze at samba.org
Fri Jul 26 19:39:25 UTC 2019
> One of the performance bottlenecks that we're seeing on the AD is DNS
> performance in both the internal and BIND9 servers. I've taken a quick
> look at enabling pre-fork on the internal DNS server; this mostly works.
> Queries work, but updates don't.
> The updates use DNS TSIG to do the authentication, which requires
> holding authentication state between requests.
> I did look at using shared memory to hold this state but could not work
> out how to copy the auth_session_info and gensec_security structures into
> the shared memory.
We could use a tdb similar to the netlogon challenges.
There are gss_export_sec_context/gss_import_sec_context,
and we may have gensec hooks for it, which would also be useful
in other cases.
> A possible approach would be to:
> * Launch a crypto worker process that handles the tsig processing and
> maintains the associated state.
> * The DNS worker processes forward the TSIG packets to the crypto
> worker via messaging, and wait for the response.
> * Non-TSIG queries are handled directly by the DNS worker process.
> One possible issue is that we would be limited to a single crypto
> worker. However, the assumption is that query loads are much greater than
> the update loads. And given that we currently only store 128 sessions,
> this seems to be likely.
> This should all work; the only bit I'm unsure about would be waiting for
> a response over messaging, but I believe that this should be doable.
That would also work, but I think I'd prefer a tdb.
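As an added illustration of the tdb approach discussed above (example code written for this page, not Samba code and not from either poster): two simulated prefork DNS workers, where the context negotiated by TKEY on one worker is exported to a tdb-like shared table, capped at the 128 sessions mentioned, so a sibling worker can verify the TSIG on the later UPDATE. An HMAC secret stands in for the gensec/GSS security context that gss_export_sec_context would serialise; the class and key names are assumptions.

```python
import collections
import hashlib
import hmac

MAX_SESSIONS = 128  # the session cap mentioned in the thread

class SharedContextStore:
    """Stand-in for a tdb shared by all prefork workers (constructed for this
    example): TSIG key name -> exported context bytes; oldest evicted at the cap."""
    def __init__(self, max_sessions=MAX_SESSIONS):
        self._ctx = collections.OrderedDict()
        self._max = max_sessions
    def put(self, key_name, exported_ctx):
        self._ctx.pop(key_name, None)
        self._ctx[key_name] = exported_ctx
        while len(self._ctx) > self._max:
            self._ctx.popitem(last=False)
    def get(self, key_name):
        return self._ctx.get(key_name)

class DnsWorker:
    """One prefork worker: its own memory is invisible to sibling processes."""
    def __init__(self, store=None):
        self.store = store
        self.local_ctx = {}
    def handle_tkey(self, key_name, negotiated_secret):
        # TKEY/GSS negotiation finishes in this process; the HMAC secret stands
        # in for the gensec context that gss_export_sec_context would serialise.
        self.local_ctx[key_name] = negotiated_secret
        if self.store is not None:
            self.store.put(key_name, negotiated_secret)
    def verify_tsig(self, key_name, message, mac):
        secret = self.local_ctx.get(key_name)
        if secret is None and self.store is not None:
            secret = self.store.get(key_name)  # import the sibling's context
        if secret is None:
            return False  # no context for this key name: reject the update
        expected = hmac.new(secret, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

def demo(shared):
    """TKEY handled by worker 1, signed UPDATE arriving at worker 2 (constructed data)."""
    store = SharedContextStore() if shared else None
    w1, w2 = DnsWorker(store), DnsWorker(store)
    secret, key = b"constructed-context-secret", b"123.sig-example.local"
    w1.handle_tkey(key, secret)
    update = b"constructed DNS UPDATE wire bytes"
    mac = hmac.new(secret, update, hashlib.sha256).digest()
    return w2.verify_tsig(key, update, mac)
```

With a shared store the update verifies on whichever worker receives it; without one, only the worker that handled the TKEY can verify it, which is the failure the thread describes.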