Excessive memory use when removing ZSK
Summary
BIND uses an excessive amount of memory when removing a ZSK with nsupdate from a very large zone file
BIND version used
BIND 9.18.15
> named -V
BIND 9.18.16 (Extended Support Version) <id:8193c9b>
running on Linux x86_64 4.18.0-477.15.1.el8_8.x86_64 #1 SMP Fri Jun 2 08:27:19 EDT 2023
built by make with '--prefix=/opt/bind-versions/bind-9.18.16' 'PKG_CONFIG_PATH=/opt/libuv-versions/libuv-1.44.2/lib/pkgconfig/'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-18)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /opt/bind-versions/bind-9.18.16/etc/named.conf
rndc configuration: /opt/bind-versions/bind-9.18.16/etc/rndc.conf
DNSSEC root key: /opt/bind-versions/bind-9.18.16/etc/bind.keys
nsupdate session key: /opt/bind-versions/bind-9.18.16/var/run/named/session.key
named PID file: /opt/bind-versions/bind-9.18.16/var/run/named/named.pid
named lock file: /opt/bind-versions/bind-9.18.16/var/run/named/named.lock
What is the current bug behavior?
Using nsupdate, manually remove a ZSK from a very large zone; BIND uses a very large amount of memory and gets killed by the OOM manager.
Relevant configuration files
See: RT #22296