[ratelimits] Double CPU usage with RRL

William Taylor williamt at sonic.net
Tue Oct 15 18:56:10 UTC 2013 

On 2013-10-10 20:11, Vernon Schryver wrote:
>> From: William Taylor <williamt at corp.sonic.net>
> 
>> I'm seeing approx double the amount of CPU usage when RRL is enabled.
>> CPU usage is normally around 50%-60% for named but when RRL is enabled
>> it jumps to 110%-130%. Just wondering if this is expected and I just 
>> need
>> to throw more CPU at it. This is on a recursive name server btw.
> 
> A 100% penalty sounds very high based on what I understand of the BIND9
> code invoked o answer from the cache.  Never mind the even higher costs
> of recursing.  I think the RRL hash table is significantly faster than
> the BIND9 red/black tree code, and a response needs only one RRL lookup
> but often more than one forest expedition.
> 
> Do you have logging turned high enough to record every RRL action?
> Logging eats lots of CPU cycles.
> 
> 
>>        rate-limit {
>>                responses-per-second 60;
>>                nxdomains-per-second 0;
>>                ipv4-prefix-length 32;
>>                log-only yes;
>>                min-table-size 200000;
>>                max-table-size 300000;
>>        };
> 
> Why such a high general RRL limit?  Are some of your users hitting it
> with DNSBL traffic?
> 
> Why turn off NXDOMAIN rate limiting?
> As long as DNSSEC is rare, that might not matter.
> http://scoreboard.verisignlabs.com/percent-trace.png
> http://scoreboard.verisignlabs.com/
> When registrars are forced by ICANN to compete with their
> profitable commercial PKI "sidelines" by supporting DANE and TLSA,
> http://www.internetsociety.org/deploy360/blog/2013/09/icanns-2013-raa-requires-d
> omain-name-registrars-to-support-dnssec-ipv6/
> that might change.  A signed NXDOMAIN is plenty big enough to cause
> DNS reflection DoS mischief.
> 
> I trust those changes to the default table sizes are justified by
> measurements.  A DNS server that needs RRL table space to remember at
> least 200,000 responses per several seconds must be doing more than
> 20,000 qps.
> 
> 

Vernon,

   I changed min-table-size 6000, removed max-table-size and 
nxdomains-per-second. I also adjusted responses-per-second to 30.
   CPU seems to be doing fairly well. Still running in log-only mode.

   Does this latest log message indicate that I should be increasing my 
min-table-size to 19000?

   15-Oct-2013 10:08:02.964 rate-limit: info: increase from 18000 to 
19000 RRL entries with 13001 bins; average search length 1.9

More information about the ratelimits mailing list