Commit 03be5a6b authored by Mukund Sivaraman's avatar Mukund Sivaraman

Improve performance for delegation heavy answers and also general query performance (#44029)

parent 4c31eda5
4605. [performance] Improve performance for delegation heavy answers
and also general query performance. Removes the
acache feature that didn't significantly improve
performance. Adds a glue cache. Removes
additional-from-cache and additional-from-auth
features. Enables minimal-responses by
default. Improves performance of compression
code, owner case restoration, hash function,
etc. Uses inline buffer implementation by
default. Many other performance changes and fixes.
[RT #44029]
4604. [bug] Don't use ERR_load_crypto_strings() when building
with OpenSSL 1.1.0. [RT #45117]
......@@ -94,7 +94,6 @@ options {\n\
"\
recursive-clients 1000;\n\
resolver-query-timeout 10;\n\
rrset-order { order random; };\n\
# serial-queries <obsolete>;\n\
serial-query-rate 20;\n\
server-id none;\n\
......@@ -140,15 +139,13 @@ options {\n\
# topology <none>\n\
auth-nxdomain false;\n\
minimal-any false;\n\
minimal-responses false;\n\
minimal-responses true;\n\
recursion true;\n\
provide-ixfr true;\n\
request-ixfr true;\n\
request-expire true;\n\
# fetch-glue <obsolete>;\n\
# rfc2308-type1 <obsolete>;\n\
additional-from-auth true;\n\
additional-from-cache true;\n\
query-source address *;\n\
query-source-v6 address *;\n\
notify-source *;\n\
......@@ -167,9 +164,6 @@ options {\n\
check-dup-records warn;\n\
check-mx warn;\n\
check-spf warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
max-acache-size 16M;\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
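Review bot: The built-in defaults string drops `acache-enable`, `acache-cleaning-interval`, `max-acache-size`, `additional-from-auth` and `additional-from-cache`, and flips `minimal-responses` from `false` to `true`. Dropping the defaults is only safe if the option grammar still recognises those names as obsolete and logs a warning; otherwise every existing named.conf that sets them (the test configs removed elsewhere in this commit show how routinely `acache-enable yes;` was written) fails to load after an upgrade instead of degrading gracefully — the grammar file is not in this view, so worth confirming. The `minimal-responses` default change alters the content of every response named sends and deserves an explicit note in the ARM and release notes, not only the CHANGES entry.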
......@@ -108,8 +108,6 @@ struct ns_server {
unsigned int dispatchgen;
ns_dispatchlist_t dispatches;
dns_acache_t *acache;
ns_statschannellist_t statschannels;
dns_tsigkey_t *sessionkey;
......@@ -52,7 +52,6 @@
#include <bind9/check.h>
#include <dns/acache.h>
#include <dns/adb.h>
#include <dns/badcache.h>
#include <dns/cache.h>
......@@ -1279,12 +1278,14 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
#if DNS_RDATASET_FIXED
mode = DNS_RDATASETATTR_FIXEDORDER;
#else
mode = 0;
mode = DNS_RDATASETATTR_CYCLIC;
#endif /* DNS_RDATASET_FIXED */
else if (!strcasecmp(str, "random"))
mode = DNS_RDATASETATTR_RANDOMIZE;
else if (!strcasecmp(str, "cyclic"))
mode = 0;
mode = DNS_RDATASETATTR_CYCLIC;
else if (!strcasecmp(str, "none"))
mode = DNS_RDATASETATTR_NONE;
else
INSIST(0);
......@@ -2517,8 +2518,6 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
dns_zone_setview(dnszone, view);
if (view->acache != NULL)
dns_zone_setacache(dnszone, view->acache);
dns_view_addzone(view, dnszone);
}
......@@ -3310,7 +3309,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
unsigned int cleaning_interval;
size_t max_cache_size;
isc_uint32_t max_cache_size_percent = 0;
size_t max_acache_size;
size_t max_adb_size;
isc_uint32_t lame_ttl, fail_ttl;
dns_tsig_keyring_t *ring = NULL;
......@@ -3377,53 +3375,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECKM(ns_config_getport(config, &port), "port");
dns_view_setdstport(view, port);
/*
* Create additional cache for this view and zones under the view
* if explicitly enabled.
* XXX950 default to on.
*/
obj = NULL;
(void)ns_config_get(maps, "acache-enable", &obj);
if (obj != NULL && cfg_obj_asboolean(obj)) {
cmctx = NULL;
CHECK(isc_mem_create(0, 0, &cmctx));
CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
ns_g_timermgr));
isc_mem_setname(cmctx, "acache", NULL);
isc_mem_detach(&cmctx);
}
if (view->acache != NULL) {
obj = NULL;
result = ns_config_get(maps, "acache-cleaning-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_acache_setcleaninginterval(view->acache,
cfg_obj_asuint32(obj) * 60);
obj = NULL;
result = ns_config_get(maps, "max-acache-size", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isstring(obj)) {
str = cfg_obj_asstring(obj);
INSIST(strcasecmp(str, "unlimited") == 0);
max_acache_size = 0;
} else {
isc_resourcevalue_t value;
value = cfg_obj_asuint64(obj);
if (value > SIZE_MAX) {
cfg_obj_log(obj, ns_g_lctx,
ISC_LOG_WARNING,
"'max-acache-size "
"%" ISC_PRINT_QUADFORMAT "u' "
"is too large for this "
"system; reducing to %lu",
value, (unsigned long)SIZE_MAX);
value = SIZE_MAX;
}
max_acache_size = (size_t) value;
}
dns_acache_setcachesize(view->acache, max_acache_size);
}
CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL) {
......@@ -4305,32 +4256,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
/*
* Set sources where additional data and CNAME/DNAME
* targets for authoritative answers may be found.
*/
obj = NULL;
result = ns_config_get(maps, "additional-from-auth", &obj);
INSIST(result == ISC_R_SUCCESS);
view->additionalfromauth = cfg_obj_asboolean(obj);
if (view->recursion && ! view->additionalfromauth) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"'additional-from-auth no' is only supported "
"with 'recursion no'");
view->additionalfromauth = ISC_TRUE;
}
obj = NULL;
result = ns_config_get(maps, "additional-from-cache", &obj);
INSIST(result == ISC_R_SUCCESS);
view->additionalfromcache = cfg_obj_asboolean(obj);
if (view->recursion && ! view->additionalfromcache) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"'additional-from-cache no' is only supported "
"with 'recursion no'");
view->additionalfromcache = ISC_TRUE;
}
/*
* Set "allow-query-cache", "allow-query-cache-on",
* "allow-recursion", and "allow-recursion-on" acls if
......@@ -5600,8 +5525,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
* new view.
*/
dns_zone_setview(zone, view);
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
} else {
/*
* We cannot reuse an existing zone, we have
......@@ -5610,8 +5533,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setview(zone, view);
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
dns_zone_setstats(zone, ns_g_server->zonestats);
}
......@@ -5670,8 +5591,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
CHECK(dns_zone_create(&raw, mctx));
CHECK(dns_zone_setorigin(raw, origin));
dns_zone_setview(raw, view);
if (view->acache != NULL)
dns_zone_setacache(raw, view->acache);
dns_zone_setstats(raw, ns_g_server->zonestats);
CHECK(dns_zone_link(zone, raw));
}
......@@ -5768,9 +5687,6 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
CHECK(dns_acl_none(mctx, &none));
dns_zone_setqueryacl(zone, none);
dns_zone_setqueryonacl(zone, none);
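Review bot: In the `configure_order` hunk the two `mode = 0;` assignments become `mode = DNS_RDATASETATTR_CYCLIC;`, so "cyclic" is no longer represented by a zero attribute mask; any other code that relied on zero meaning cyclic — for instance the path taken when no `rrset-order` entry matches a name — would need the same update, and that code is outside this diff. The `else if (!strcasecmp(str, "none")) mode = DNS_RDATASETATTR_NONE;` branch appears to be new and presumes the grammar and `bind9/check.c` accept `none` as an order keyword; if they do not, the unchanged `else INSIST(0);` still aborts named on the unexpected string, since it relies entirely on the parser having validated the value. configure_order continues outside the hunk.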
......@@ -13,7 +13,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
......@@ -13,7 +13,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
......@@ -11,7 +11,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
......@@ -11,7 +11,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
......@@ -6,7 +6,8 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
rm -f */trusted.conf */private.conf
rm -f */core
rm -f */example.bk
rm -f */named.memstats
......@@ -31,9 +31,19 @@ $DSFROMKEY $kskname.key > dsset-${zone}$TP
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -21,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
......@@ -33,3 +30,4 @@ zone "." {
};
include "trusted.conf";
include "private.conf";
......@@ -21,7 +21,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
};
......@@ -692,8 +692,7 @@ $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
......@@ -714,13 +713,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
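Review bot: The rewritten nxdomain test after `echo "I:checking privately secure to nxdomain works ($n)"` drops the query to @10.53.0.2 and the `$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n` comparison, so it no longer verifies that the validating resolver's answer agrees with the authoritative server's; only the rcode and the `ad` flag remain checked. If the comparison was removed because the two answers now differ legitimately, a one-line comment saying so would stop the next reader from restoring it; otherwise keeping the comparison would preserve the stronger check. In the first hunk the change from `&& ret=1` to `|| ret=1` inverts the expectation on the `ad` flag, which matches the `private.conf` trust anchor this commit installs on ns4, but the removed `# Note - this is looking for failure` comment should be replaced with one explaining why `ad` is now required, e.g. `# ns4 trusts the private.secure.example KSK (private.conf), so the answer must validate`.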
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.11 2011/08/02 23:47:52 tbox Exp $ */
controls { /* empty */ };
options {
......@@ -21,6 +19,7 @@ options {
recursion no;
notify yes;
check-integrity no;
minimal-responses no;
};
zone "." {
......@@ -20,6 +20,7 @@ options {
notify yes;
ixfr-from-differences yes;
check-integrity no;
minimal-responses no;
};
zone "example" {
......@@ -21,6 +21,7 @@ options {
ixfr-from-differences yes;
check-integrity no;
no-case-compress { 10.53.0.2; };
minimal-responses no;
};
zone "example" {
......@@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names response warn;
notify yes;
};
......@@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names response fail;
notify yes;
};
......@@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names master ignore;
notify yes;
};
......@@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......@@ -17,7 +17,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
send-cookie yes;
nocookie-udp-size 512;
};
......@@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......@@ -15,7 +15,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::3; };
recursion yes;
acache-enable yes;
dnssec-enable no;
dnssec-validation no;
server-id "ns3";
......@@ -49,7 +49,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.36 2011/03/21 23:47:21 tbox Exp $ */
// NS2
controls { /* empty */ };
......@@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
notify-delay 1;
minimal-responses no;
};
zone "." {
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.49 2011/10/28 06:20:05 each Exp $ */
// NS3
controls { /* empty */ };
......@@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
session-keyfile "session.key";
minimal-responses no;
};
key rndc_key {
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named1.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -21,10 +19,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
minimal-responses no;
nta-lifetime 10s;
nta-recheck 7s;
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -22,10 +20,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
minimal-responses no;
};
key rndc_key {
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -21,11 +19,11 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
minimal-responses no;
};
key rndc_key {
......@@ -38,4 +38,48 @@ controls {
zone "." {
type hint;
file "../../common/root.hint";
}
key auth {
secret "1234abcd8765";
algorithm hmac-sha256;
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes;
zone "." {
type hint;
file "../../common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone secure.example {
type slave;
masters { 10.53.0.3; };
};
zone insecure.secure.example {
type slave;
masters { 10.53.0.2; };
};
};
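Review bot: The root hint zone is closed with a bare `}` on the line before `key auth {`, while every other zone statement in this file ends with `};`; if that is the file's actual text rather than a rendering artifact, the config parser will report a missing ';' there, so it should read `};`. The new `view auth` sets both `recursion no;` and `allow-recursion { none; };`, which is redundant but harmless. A short comment above each view stating its role — `rec` appears to validate via the static-stub zones pointing at 10.53.0.4, `auth` serves the slave copies — would help whoever extends this test.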
......@@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
};
......@@ -21,7 +21,6 @@ options {
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;
......@@ -1187,11 +1187,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -1200,11 +1198,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure wildcard to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1