[RPZ] performance improvements to rpz

Paul Vixie vixie at isc.org
Sat Jan 5 21:29:27 UTC 2013


testing (for correctness and performance) would be welcome for one or
both new patch sets for RPZ.

one patch just speeds up the processing of any rpz that includes nsip or
nsdname triggers. this is a small patch. note that bind does not include
these triggers in its default build as yet, so, users of these features
are somewhat rare.

the other patch is an almost-rewrite of the rpz functionality within
BIND9, and needs testing -- do not run it in production unless you're
willing to monitor it closely and take responsibility for any errors.
the rewrite is intended to speed up the multiple-RPZ case, where a
recursive name server is subscribed to a lot of (like ten or twenty)
different response policy zones.

these patch sets are being released in conjunction with an updated rate
limiting patch. you should have no problems with the inclusion of rate
limiting in your rpz-controlled name servers. the update to rate
limiting is just a recent bug fix for unsigned vs. signed integers in
c-language bit fields.

http://www.redbarn.org/dns/ratelimits has the pointers to the new code,
all of which comes from vernon schryver.

paul
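The rate limiting update above is described only as a fix for "unsigned vs. signed integers in c-language bit fields". The block below is an added example, not code from the RRL or RPZ patches and not the actual bug that was fixed; it demonstrates the class of pitfall in plain C with a made-up struct (`struct counters`, 3-bit fields, names are assumptions): a plain `int` bit-field has implementation-defined signedness, a signed N-bit field can never hold values its unsigned twin can, so a counter compared against such a limit never matches, and an unsigned bit-field narrower than `int` is promoted to signed `int` in arithmetic.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Constructed demonstration of C bit-field signedness pitfalls.
 * This is NOT the RRL patch or its bug fix; it only shows the class of
 * problem the mailing-list post refers to. Widths and names are made up.
 */
struct counters {
    int          plain      : 3;  /* signedness implementation-defined (C11 6.7.2) */
    signed int   signed_c   : 3;  /* always signed: representable range -4..3 */
    unsigned int unsigned_c : 3;  /* always unsigned: representable range 0..7 */
};

/* Store v into the 3-bit signed field and return what reads back.
 * Values outside -4..3 cannot survive the round trip. */
int signed_roundtrip(int v)
{
    struct counters c = {0};
    c.signed_c = v;              /* out of range: implementation-defined result */
    return c.signed_c;
}

/* Same for the 3-bit unsigned field: 0..7 survive intact, larger values
 * wrap modulo 8 (conversion to an unsigned type is well-defined). */
int unsigned_roundtrip(int v)
{
    struct counters c = {0};
    c.unsigned_c = v;
    return c.unsigned_c;
}

/*
 * A counter written as "++count until count == limit". Returns the number
 * of increments needed to observe `limit`, or -1 if it is never observed
 * within `max_steps`. With a signed 3-bit field and limit 7 the loop never
 * terminates on its own: the field wraps through negative values and 7 is
 * not representable.
 */
int steps_to_reach_signed(int limit, int max_steps)
{
    struct counters c = {0};
    for (int i = 1; i <= max_steps; i++) {
        c.signed_c++;            /* 3 -> -4 on gcc/clang; never reaches 7 */
        if (c.signed_c == limit) return i;
    }
    return -1;
}

int steps_to_reach_unsigned(int limit, int max_steps)
{
    struct counters c = {0};
    for (int i = 1; i <= max_steps; i++) {
        c.unsigned_c++;          /* 0..7, then wraps to 0 */
        if (c.unsigned_c == limit) return i;
    }
    return -1;
}

/*
 * Integer promotion pitfall: an unsigned bit-field whose values all fit in
 * int is promoted to (signed) int in expressions (C11 6.3.1.1), so
 * "unsigned" arithmetic on it can go negative, unlike on a real unsigned int.
 */
int unsigned_bitfield_minus_one(void)
{
    struct counters c = {0};
    return c.unsigned_c - 1;     /* promoted to int: yields -1, not UINT_MAX */
}

unsigned int unsigned_int_minus_one(void)
{
    unsigned int u = 0;
    return u - 1;                /* stays unsigned: yields UINT_MAX */
}

int main(void)
{
    printf("signed_roundtrip(7)            = %d\n", signed_roundtrip(7));
    printf("unsigned_roundtrip(7)          = %d\n", unsigned_roundtrip(7));
    printf("steps_to_reach_signed(7, 32)   = %d\n", steps_to_reach_signed(7, 32));
    printf("steps_to_reach_unsigned(7, 32) = %d\n", steps_to_reach_unsigned(7, 32));
    printf("unsigned_bitfield_minus_one()  = %d\n", unsigned_bitfield_minus_one());
    printf("unsigned_int_minus_one()       = %u\n", unsigned_int_minus_one());
    return 0;
}
```

Compile with `cc -Wall -Wextra -std=c11 bitfields.c` and run it; the signed round trip of 7 and the signed counter's failure to reach 7 are the two symptoms to look for when auditing bit-field counters in a rate limiter or similar code: declare the field `unsigned int` explicitly rather than `int`, and keep comparisons against it in a type that cannot go negative.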



More information about the DNSfirewalls mailing list