[Unbound-users] Improve avg response times

2012-07-06 Thread vinay3
I am using an amazon large EC2 instance (4ECUs, 2 cores) for my unbound
configured as below. I am seeing a 150ms+ average response time as reported
by namebench Alexa 2K result. In order to reduce my lookup times, I am
running an hourly scan of these 35K sites (from namebench dat files) in
order to give my clients a cached response whenever possible. On average, my
cachemiss rate is 6% as shown below. My cache-min-ttl is 1 hour so these
entries should be cached at all times. The cachemisses I am guessing are
from sites my pythonmod looks up and responds to in a special way:

 

6.5Mbytes of free RAM

total.num.cachehits=3185
total.num.cachemiss=188
mem.cache.rrset=8319405
mem.cache.message=8729827

(forked configuration)

server:
	#disable chroot as it caused several issues with python's PYTHONHOME vars
	chroot: ""
	verbosity: 0
	# set to num of cores or cpus
	num-threads: 2
	##slabs
	rrset-cache-slabs: 1
	infra-cache-slabs: 1
	key-cache-slabs: 1
	msg-cache-slabs: 1
	##cache sizes
	msg-cache-size: 250m
	#2X msg-cache-size
	rrset-cache-size: 500m
	outgoing-range: 950
	#2X outgoing range
	num-queries-per-thread: 512
	# sudo sysctl -w net.core.rmem_max=8388608
	so-rcvbuf: 8m
	interface: 0.0.0.0
	interface: ::0
	port: 53
	access-control: 0.0.0.0/0 allow
	module-config: "python iterator"
	prefetch: yes
	cache-min-ttl: 3600

python:
	python-script: "XYZ"

remote-control:
	control-enable: yes

forward-zone:
	name: "."
	forward-addr: XYZ


Question:

Even with this setup, I am seeing most of the domains return a TTL of 3600
at the start of a random namebench which means they were iterated/recursed
over instead of looked up from cache. This is causing a 150ms+ average
response time for these 35K sites. It's the exact same 35K sites being
scanned by namebench - why aren't these looked up from the cache instead of
being iterated over? Are these sites not cached for a full 3600 seconds?

With prefetch, cache-min-ttl of 1 hour, why isn't an hourly scan of these 35K
sites populating my cache and giving me a <50ms response time on average?

With the same setup, if I take 500 sites and run namebench back to back for
these fixed 500 sites, my average response time starts approaching 40-50ms
which is where I am trying to be with the 35K sites.

Where am I going wrong and how can I debug and fix this issue?

Vinay.

 

___
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
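The cached-versus-fresh question in the post above can be settled per name instead of inferred from namebench averages. The script below is an added example, not code from the thread or from Unbound: it sends each query twice and compares the TTLs in the two answers, because Unbound returns the remaining TTL for a record served from cache, while a record that was just fetched or prefetched under the posted config comes back with its TTL raised to cache-min-ttl (3600) whenever the upstream TTL was lower. Only the Python standard library is used. The resolver address, the name list and the one-second spacing between the two queries are assumptions; the reply builder exists only so that the parser can be exercised offline on a constructed packet.

```python
"""Added example (not from the thread): tell cached from freshly fetched
answers by querying a resolver twice and comparing answer TTLs."""
import random
import socket
import struct
import time

CACHE_MIN_TTL = 3600            # cache-min-ttl from the posted unbound.conf
RESOLVER = ("127.0.0.1", 53)    # assumption: run on the resolver host itself


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (uncompressed wire name)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, wire) for a recursion-desired query; qtype 1 is A."""
    txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ttl, ipv4):
    """Constructed reply to `query` carrying one A record (for offline tests)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                          # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    # 0xC00C is a compression pointer to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + question + answer


def _skip_name(msg, off):
    """Advance past a wire name (labels, optionally ending in a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                  # pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answer_ttls(msg):
    """Return (rcode, [ttl, ...]) for every record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # skip QTYPE + QCLASS
    ttls = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        _, _, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlength
    return flags & 0x000F, ttls


def classify(first_ttls, second_ttls, cache_min_ttl=CACHE_MIN_TTL):
    """Interpret two consecutive answers for the same name."""
    if not first_ttls or not second_ttls:
        return "no-answer"
    if min(second_ttls) < min(first_ttls):
        return "cache"          # TTL counted down between the two: served from cache
    if min(first_ttls) == cache_min_ttl:
        return "fresh"          # TTL sits at cache-min-ttl: just fetched or prefetched
    return "unknown"


def probe(name, resolver=RESOLVER, delay=1.0, timeout=2.0):
    """Query `name` twice, `delay` seconds apart; return (verdict, rtt1_ms, rtt2_ms)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i in range(2):
            txid, wire = build_query(name)
            start = time.monotonic()
            sock.sendto(wire, resolver)
            reply, _ = sock.recvfrom(4096)
            rtt = (time.monotonic() - start) * 1000.0
            if struct.unpack("!H", reply[:2])[0] != txid:
                raise ValueError("reply transaction id does not match the query")
            rcode, ttls = parse_answer_ttls(reply)
            results.append((ttls if rcode == 0 else [], rtt))
            if i == 0:
                time.sleep(delay)
    (ttls1, rtt1), (ttls2, rtt2) = results
    return classify(ttls1, ttls2), rtt1, rtt2


if __name__ == "__main__":
    # Assumption: replace with the namebench list you are scanning.
    for n in ["www.example.com.", "www.example.net."]:
        print(n, *probe(n))
```

Run it on the resolver host before changing any cache settings: names that come back "fresh" on the first answer and "cache" on the second, with a long first RTT, mean the hourly scan is not keeping the entries warm; names that never classify as "cache" mean the answers are not being stored at all. One caveat that a reader of the posted config should not skip: it listens on 0.0.0.0 and ::0 with access-control 0.0.0.0/0 allow, which on an EC2 public address makes the instance an open resolver for anyone on the Internet; restrict access-control to the client networks before driving load against it.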

Re: [Unbound-users] Servers for local zones that are not signed

2012-07-06 Thread Eugene Crosser
On 07/06/2012 04:45 PM, W.C.A. Wijngaards wrote:

>>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>>> is instructed by forward-zone, gets correct result (!), but
>>>> then marks it bogus because it cannot establish trust chain.
>>>
>>> You'll need
>>>
>>> private-domain: "lan."
>>> domain-insecure: "lan."
>>
>> Wow, that was fast! After also adding "do-not-query-localhost: no"
>> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
>> zone) it all worked!
>>
>> Thanks a lot!
>>
>> Any chance to make these sort of tricks more apparent in the
>> documentation?
>
> Where in the documentation have you been looking, i.e. does it make
> sense to add some text to help out?

I was reading unbound.conf(5) because there is no relevant doc in the Guides
section. I'd say, a separate "HowTo Configure Forward For Local Zones" document
would be ideal for my particular case. Or, spray hints in the unbound.conf
manpage like so:

- In the description of "forward-zone" and "stub-zone" mention that:
 + if this is a local zone that does not have a DS in the parent zone, you must
list the name as "domain-insecure",
 + if it may contain private addresses, then also in "private-domain"
 + if it is a reverse zone for private address range, the zone needs to be
configured "local-zone:  nodefault"
- In the description of "forward-addr" note that if you specify loopback address
you should also add "do-not-query-localhost: no"

I think a separate HowTo might be better because this is a relatively common
setup, so many would benefit, and on the other hand the manpage is rather long
and dense already. I could knock up a short doc, shall I try?

Regards,

Eugene



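The complete set of directives this thread arrives at, as an added example that is not from the thread or from the Unbound documentation: a short Python script that renders them for an unsigned local zone forwarded to a resolver on the loopback interface, and that works out which of Unbound's built-in RFC 1918 reverse local-zones have to be lifted with nodefault for a given private prefix (it goes beyond the single case in the thread, handling the non-octet-aligned 172.16.0.0/12, which expands to sixteen default zones, and sub-ranges such as a /24 inside 192.168.0.0/16). The zone name "lan.", the upstream 127.0.0.1@5553 and the 192.168.0.0/16 range are taken from Eugene's setup; the function and variable names are my own.

```python
"""Added example, not from the thread or from Unbound: render the unbound.conf
directives needed for an unsigned local zone that is forwarded to another
resolver, and work out which of Unbound's built-in RFC 1918 reverse
local-zones must be lifted with 'nodefault'.  Names and addresses below are
assumptions modelled on the setup described in the thread."""
import ipaddress

# Unbound's default local-zones for private reverse space, keyed by the block
# they cover; the value is how many leading octets the default zone names use
# (10.in-addr.arpa, 16.172 ... 31.172.in-addr.arpa, 168.192.in-addr.arpa).
DEFAULT_REVERSE = {
    ipaddress.ip_network("10.0.0.0/8"): 1,
    ipaddress.ip_network("172.16.0.0/12"): 2,
    ipaddress.ip_network("192.168.0.0/16"): 2,
}


def reverse_zone_names(prefix, octets=None):
    """in-addr.arpa names covering an IPv4 prefix at an octet boundary.

    192.168.0.0/16 -> ['168.192.in-addr.arpa.']; 172.16.0.0/12 is not
    octet-aligned and expands to 16.172 ... 31.172.  With `octets` given, the
    names are cut at that boundary instead (used to find enclosing defaults)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if octets is None:
        octets = -(-net.prefixlen // 8)              # ceil(prefixlen / 8)
    bound = octets * 8
    if net.prefixlen > bound:
        nets = [net.supernet(new_prefix=bound)]      # prefix lies inside one zone
    elif net.prefixlen == bound:
        nets = [net]
    else:
        nets = list(net.subnets(new_prefix=bound))   # one zone per aligned subnet
    names = []
    for n in nets:
        parts = str(n.network_address).split(".")[:octets]
        names.append(".".join(reversed(parts)) + ".in-addr.arpa.")
    return names


def default_zones_to_lift(prefix):
    """Built-in reverse local-zones Unbound would answer itself for `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    for block, octets in DEFAULT_REVERSE.items():
        if net.subnet_of(block):
            return reverse_zone_names(prefix, octets)
    raise ValueError(f"{prefix} is not RFC 1918; Unbound has no default zone to lift")


def render(zone, upstream, port, private_prefixes):
    """unbound.conf text: forward `zone` and its reverse zones to upstream@port."""
    zone = zone.rstrip(".") + "."
    lift, reverse = [], []
    for p in private_prefixes:
        lift += default_zones_to_lift(p)
        reverse += reverse_zone_names(p)
    lines = [
        "server:",
        # No DS in the parent zone, so do not try to build a chain of trust.
        # This switches validation off for everything under the name: keep it narrow.
        f'\tdomain-insecure: "{zone}"',
        # Exempt the name from the private-address filter so RFC 1918 answers survive.
        f'\tprivate-domain: "{zone}"',
    ]
    if ipaddress.ip_address(upstream).is_loopback:
        lines.append("\tdo-not-query-localhost: no")    # forward-addr is on loopback
    for z in dict.fromkeys(lift):                        # dedupe, keep order
        lines.append(f'\tlocal-zone: "{z}" nodefault')
    for name in [zone] + reverse:
        lines += ["", "forward-zone:", f'\tname: "{name}"',
                  f"\tforward-addr: {upstream}@{port}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render("lan", "127.0.0.1", 5553, ["192.168.0.0/16"]))
```

Two of these lines deserve care. domain-insecure disables DNSSEC validation for the whole subtree below the name, so it must stay on the local name and never be widened to a public parent. private-domain exempts the name from Unbound's private-address filter, the rebinding defence that strips RFC 1918 addresses from answers when private-address is configured; leaving it in place everywhere else is what keeps a remote zone from handing a client an internal address.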

Re: [Unbound-users] Servers for local zones that are not signed

2012-07-06 Thread W.C.A. Wijngaards

Hi Eugene,

On 07/06/2012 02:25 PM, Eugene Crosser wrote:
> On 07/06/2012 03:33 PM, Jan-Piet Mens wrote:
>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>> is instructed by forward-zone, gets correct result (!), but
>>> then marks it bogus because it cannot establish trust chain.
>> 
>> You'll need
>> 
>> private-domain: "lan."
>> domain-insecure: "lan."
> 
> Wow, that was fast! After also adding "do-not-query-localhost: no"
> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
> zone) it all worked!
> 
> Thanks a lot!
> 
> Any chance to make these sort of tricks more apparent in the
> documentation?

Where in the documentation have you been looking, i.e. does it make
sense to add some text to help out?

Best regards,
   Wouter


Re: [Unbound-users] Servers for local zones that are not signed

2012-07-06 Thread Eugene Crosser
On 07/06/2012 03:33 PM, Jan-Piet Mens wrote:
>> So unbound asks dnsmasq for the address
>> of "myhost.lan" as it is instructed by forward-zone, gets correct result (!),
>> but then marks it bogus because it cannot establish trust chain.
> 
> You'll need
> 
> private-domain: "lan."
> domain-insecure: "lan."

Wow, that was fast!
After also adding "do-not-query-localhost: no" (and 'local-zone:
"168.192.in-addr.arpa" nodefault' for the reverse zone) it all worked!

Thanks a lot!

Any chance to make these sort of tricks more apparent in the documentation?

Eugene




Re: [Unbound-users] Servers for local zones that are not signed

2012-07-06 Thread Jan-Piet Mens
> So unbound asks dnsmasq for the address
> of "myhost.lan" as it is instructed by forward-zone, gets correct result (!),
> but then marks it bogus because it cannot establish trust chain.

You'll need

private-domain: "lan."
domain-insecure: "lan."

Regards,

-JP


[Unbound-users] Servers for local zones that are not signed

2012-07-06 Thread Eugene Crosser
Hello all,

sorry if this was discussed already, I could not find the answer.

I am trying to configure unbound (1.4.5, running on openwrt) to resolve local
zones ("lan." and "168.192.in-addr.arpa.") from another DNS server that has them
(in my case, dnsmasq: I want DHCP names resolved in the .lan zone).

I configured "the other DNS server" to bind to non-standard port (5553) and put
this into unbound.conf:

forward-zone:
	name: "lan."
	forward-addr: 127.0.0.1@5553

(I also tried "stub-zone:" with "stub-addr:"). Now I am trying to resolve
"myhost.lan" which is registered in dnsmasq (I can get the address if I ask "dig
-p 5553 myhost.lan @"). But resolving through unbound does not
work because unbound tries to obtain the DS for "lan." from the root
nameservers. _If_ it got NODATA, everything would have been OK, I would get an
"insecure" (without 'ad') answer as from normal non-dnssec zones. But obviously
the root servers answer with NXDOMAIN. So unbound asks dnsmasq for the address
of "myhost.lan" as it is instructed by forward-zone, gets correct result (!),
but then marks it bogus because it cannot establish trust chain.

As I understand, unbound should not try to get DS from the parent of a zone that
is configured as "forward" or "stub": if it is by definition "local" then there
is no point in asking the "global authorities" to certify for it. If your local
zones _are_ signed, you should be able to add 'local-data "lan. DS ."' but
if they are _not_ signed, the resolver should behave as if the DS query returned
NODATA.

Am I missing something?
Is unbound missing something?
Is there a workaround?

Thanks,

Eugene


