Commit 03be5a6b authored by Mukund Sivaraman's avatar Mukund Sivaraman

Improve performance for delegation heavy answers and also general query performance (#44029)

parent 4c31eda5
......@@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......
......@@ -17,7 +17,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
send-cookie yes;
nocookie-udp-size 512;
};
......
......@@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......
......@@ -15,7 +15,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::3; };
recursion yes;
acache-enable yes;
dnssec-enable no;
dnssec-validation no;
server-id "ns3";
......
......@@ -49,7 +49,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.36 2011/03/21 23:47:21 tbox Exp $ */
// NS2
controls { /* empty */ };
......@@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
notify-delay 1;
minimal-responses no;
};
zone "." {
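Review bot: The `minimal-responses no;` line in this options block has no comment explaining why this test server needs full responses. The commit title suggests the default response behaviour is changing, so the override presumably keeps checks that inspect authority or additional data working. A one-line comment such as `// keep full authority/additional sections for the checks in tests.sh`, adjusted to the real reason, would stop the line being removed later as redundant. The same applies to the other options hunks that carry this line (NS3, the three NS4 variants and the two filter-aaaa configs). The options block starts outside the hunk.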
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.49 2011/10/28 06:20:05 each Exp $ */
// NS3
controls { /* empty */ };
......@@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
session-keyfile "session.key";
minimal-responses no;
};
key rndc_key {
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named1.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -21,10 +19,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
minimal-responses no;
nta-lifetime 10s;
nta-recheck 7s;
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -22,10 +20,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
minimal-responses no;
};
key rndc_key {
......
......@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
......@@ -21,11 +19,11 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
minimal-responses no;
};
key rndc_key {
......
......@@ -38,4 +38,48 @@ controls {
zone "." {
type hint;
file "../../common/root.hint";
}
key auth {
secret "1234abcd8765";
algorithm hmac-sha256;
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes;
zone "." {
type hint;
file "../../common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone secure.example {
type slave;
masters { 10.53.0.3; };
};
zone insecure.secure.example {
type slave;
masters { 10.53.0.2; };
};
};
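Review bot: The `key auth` block holds a literal secret and is not referenced by either view in the visible lines, so a reader cannot tell what it authenticates. A comment such as `// test-only TSIG key: <what uses it>` would help, and if nothing uses the key the block should be dropped. View `rec` is selected only by `match-recursive-only yes;`, which depends on the client-set RD bit, and it also sets `dnssec-accept-expired yes;`, so the validator accepts signatures past their expiry. Both are reasonable in a fixture, but a note such as `// test fixture only: accepts expired RRSIGs` would keep the block from being copied into a production configuration.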
......@@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
};
......
......@@ -21,7 +21,6 @@ options {
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;
......
......@@ -1187,11 +1187,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
......@@ -1200,11 +1198,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure wildcard to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
......
......@@ -26,7 +26,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......
......@@ -26,7 +26,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
......
......@@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.1; };
minimal-responses no;
};
key rndc_key {
......
......@@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
minimal-responses no;
};
key rndc_key {
......
......@@ -4,13 +4,17 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: root.db,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
signed NS ns.signed
ns.signed A 10.53.0.1
ns.signed AAAA fd92:7065:b8e:ffff::1
unsigned NS ns.unsigned
ns.unsigned A 10.53.0.1
ns.unsigned AAAA fd92:7065:b8e:ffff::1
......@@ -4,12 +4,14 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: signed.db.in,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ SOA ns.signed. hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
@ NS ns
@ MX 10 mx
ns A 10.53.0.1
AAAA fd92:7065:b8e:ffff::1
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3
......