[9.20] fix: usr: Separate DNSSEC validation from the long-running tasks

As part of the KeyTrap [CVE-2023-50387] mitigation, the DNSSEC CPU-intensive operations were offloaded to a separate threadpool that we use to run other tasks that could affect the networking latency.

If that threadpool is running some long-running tasks like RPZ, catalog zone processing, or zone file operations, it would delay DNSSEC validations to a point where resolving signed DNS records would fail.

Split the CPU-intensive and long-running tasks into separate threadpools in a way that the long-running tasks don't block the CPU-intensive operations.

Closes #4898 (closed)

Backport of MR !9473 (merged)
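
The queueing effect described above, as an added example that is not BIND's code: a simplified FIFO worker-pool model comparing the worst DNSSEC validation latency when validations share a pool with long-running jobs against a dedicated pool. The worker count, task costs and the 10-second deadline are constructed assumptions.

```c
#include <stdio.h>
/* Constructed model: worker count, costs and timeout are illustrative. */
enum kind { VALIDATE, LONGRUN };
struct task { double arrive, cost; enum kind kind; };
#define WORKERS 4
#define TIMEOUT 10.0  /* assumed client-side resolution deadline, seconds */
/* Four 30 s long-running jobs land first, then three 5 ms validations. */
static const struct task load[] = {
    {0, 30, LONGRUN}, {0, 30, LONGRUN}, {0, 30, LONGRUN}, {0, 30, LONGRUN},
    {1, 0.005, VALIDATE}, {2, 0.005, VALIDATE}, {3, 0.005, VALIDATE},
};
#define NLOAD ((int)(sizeof load / sizeof load[0]))

/* FIFO pool: each accepted task runs on the worker that frees up first.
 * Returns the worst (finish - arrive) over VALIDATE tasks. */
static double worst_validate_latency(const int accept[2]) {
    double free_at[WORKERS] = {0}, worst = 0;
    for (int i = 0; i < NLOAD; i++) {
        if (!accept[load[i].kind]) continue;
        int w = 0;
        for (int j = 1; j < WORKERS; j++)
            if (free_at[j] < free_at[w]) w = j;
        double start = free_at[w] > load[i].arrive ? free_at[w] : load[i].arrive;
        free_at[w] = start + load[i].cost;
        double lat = free_at[w] - load[i].arrive;
        if (load[i].kind == VALIDATE && lat > worst) worst = lat;
    }
    return worst;
}

/* One pool takes everything: validations queue behind long-running jobs. */
double shared_pool_worst(void) {
    const int all[2] = {1, 1};
    return worst_validate_latency(all);
}

/* Validation has its own pool; long-running jobs go elsewhere. */
double split_pool_worst(void) {
    const int only_validate[2] = {1, 0};
    return worst_validate_latency(only_validate);
}

int main(void) {
    printf("shared: %.3fs %s\n", shared_pool_worst(),
           shared_pool_worst() > TIMEOUT ? "(times out)" : "(ok)");
    printf("split:  %.3fs %s\n", split_pool_worst(),
           split_pool_worst() > TIMEOUT ? "(times out)" : "(ok)");
    return 0;
}
```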