Draft: fix: usr: Separate DNSSEC validation from the long-running tasks (!9461) · Merge requests · ISC Open Source Projects / BIND

Ondřej Surý requested to merge 4898-move-offloaded-DNSSEC-to-call_rcu-threads into ondrej/cleanup-isc_mem-api Sep 09, 2024

As part of the KeyTrap [CVE-2023-50387] mitigation, the DNSSEC CPU-intensive operations were offloaded to a separate threadpool that we use to run other tasks that could affect the networking latency.

If that threadpool is running some long-running tasks like RPZ, catalog zone processing, or zone file operations, it would delay DNSSEC validations to a point where the resolving signed DNS records would fail.

Split the CPU-intensive and long-running tasks into separate threadpools in a way that the long-running tasks don't block the CPU-intensive operations.

Closes #4898 (closed)

Edited Sep 10, 2024 by Ondřej Surý

Draft: fix: usr: Separate DNSSEC validation from the long-running tasks

Merge request reports