DNS performance.

Stefan Metzmacher metze at samba.org
Fri Jul 26 19:39:25 UTC 2019

Hi Gary,

> One of the performance bottlenecks that we're seeing on the AD is DNS
> performance in both the internal and BIND9 servers.  I've taken a quick
> look at enabling pre-fork on the internal DNS server; this mostly works.
> Queries work, but updates don't.
> The updates use DNS TSIG to do the authentication, which requires
> holding authentication state between requests.
> I did look at using shared memory to hold this state but could not work
> out how to copy the auth_session_info and gensec_security structures into
> the shared memory.

We could use a tdb similar to the netlogon challenges,
see schannel_save_challenge().
There are gss_export_sec_context/gss_import_sec_context
and we may have gensec hooks for it, which would also be useful
in other cases.

> A possible approach would be to:
>   * Launch a crypto worker process that handles the tsig processing and
>     maintains the associated state.
>   * The DNS worker processes forward the TSIG packets to the crypto
>     worker via messaging, and wait for the response.
>   * Non-TSIG queries are handled directly by the DNS worker process.
> One possible issue is that we would be limited to a single crypto
> worker. However the assumption is that query loads are much greater than
> the update loads. And given that we currently only store 128 sessions
> this seems to be likely.
> This should all work, the only bit I'm unsure about would be waiting for
> a response over messaging, but believe that this should be doable.

That would also work, but I think I'd prefer a tdb.
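
The failure mode Gary describes (queries work under pre-fork, signed
updates fail because the TSIG state lives only in the worker that
negotiated it) and the shared-store fix discussed above, as an added
example; this is not Samba code and not from either author. It uses
plain RFC 8945 TSIG (HMAC-SHA256 with a pre-shared key) in place of
GSS-TSIG, because exporting a real GSS context with
gss_export_sec_context() needs a Kerberos KDC, and Python's dbm.dumb in
place of tdb; the key name, zone, DNS UPDATE message and key material
are constructed for the example, and Python is used so it runs without
a Samba build.

```python
import dbm.dumb
import hashlib
import hmac
import os
import struct
import tempfile

# TSIG constants from RFC 8945.
ALG_HMAC_SHA256 = "hmac-sha256."
CLASS_ANY = 255
TSIG_OK, TSIG_BADSIG, TSIG_BADKEY, TSIG_BADTIME = 0, 16, 17, 18


def wire_name(name):
    """Canonical wire form of a DNS name (lower-cased, uncompressed),
    e.g. 'Key.example.' -> b'\\x03key\\x07example\\x00'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields that are hashed, in the order of RFC 8945 section 4.3.3:
    NAME, CLASS, TTL, Algorithm Name, Time Signed (48 bit), Fudge, Error,
    Other Len, Other Data."""
    return (wire_name(keyname)
            + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def build_update_message(msg_id, zone):
    """Constructed sample input: a minimal DNS UPDATE (opcode 5) with only a
    Zone section, i.e. the bytes the MAC covers once the TSIG RR has been
    stripped and ARCOUNT decremented."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN


def save_session(store_path, keyname, secret):
    """Run by the worker that finished the TKEY exchange: persist the key
    material under the key name (hypothetical stand-in for storing a
    gss_export_sec_context() token in a tdb)."""
    with dbm.dumb.open(store_path, "c") as db:
        db[keyname.lower()] = secret


def load_session(store_path, keyname):
    """Run by whichever sibling worker receives the signed update."""
    with dbm.dumb.open(store_path, "c") as db:
        return db.get(keyname.lower())


def tsig_mac(secret, message, keyname, time_signed, fudge):
    """HMAC-SHA256 over message || TSIG variables (request: no prior MAC)."""
    data = message + tsig_variables(keyname, ALG_HMAC_SHA256, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_update(store_path, message, keyname, time_signed, fudge, mac, now):
    """TSIG error code a worker would return, checking key, then MAC, then
    time, as RFC 8945 section 5.2 orders the checks."""
    secret = load_session(store_path, keyname)
    if secret is None:
        return TSIG_BADKEY
    expected = tsig_mac(secret, message, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return TSIG_BADSIG
    if abs(now - time_signed) > fudge:
        return TSIG_BADTIME
    return TSIG_OK


def demo():
    """Worker A negotiates the key, worker B receives the update.  Returns
    B's codes (a) before A shares the state, (b) after sharing, (c) for a
    tampered message, (d) for a stale timestamp."""
    secret = os.urandom(32)                        # constructed key material
    keyname = "1234-5678.sig-dc1.example.com."     # constructed TKEY name
    msg = build_update_message(0xBEEF, "example.com.")
    now, fudge, old = 1564169965, 300, 1564169965 - 3600
    mac = tsig_mac(secret, msg, keyname, now, fudge)
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "dns_tsig_sessions")
        before = verify_update(store, msg, keyname, now, fudge, mac, now)
        save_session(store, keyname, secret)       # A exports its state
        after = verify_update(store, msg, keyname, now, fudge, mac, now)
        tampered = verify_update(store, msg[:-1] + b"\x02", keyname, now, fudge, mac, now)
        stale = verify_update(store, msg, keyname, old, fudge,
                              tsig_mac(secret, msg, keyname, old, fudge), now)
    return before, after, tampered, stale


if __name__ == "__main__":
    print(demo())  # (17, 0, 16, 18)
```

The first result is the pre-fork symptom: the update is rejected with
BADKEY because the receiving worker never saw the TKEY exchange. Once
the negotiating worker writes its state to the shared store, any worker
can verify, and the MAC and time checks still reject tampered or replayed
messages, which is the property the crypto-worker and tdb variants both
have to preserve.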
