[ratelimits] Double CPU usage with RRL

Manson, John John.Manson at mail.house.gov
Tue Oct 15 19:25:58 UTC 2013


RRL is not specified for a recursive name server.

-----Original Message-----
From: ratelimits-bounces at lists.redbarn.org [mailto:ratelimits-bounces at lists.redbarn.org] On Behalf Of William Taylor
Sent: Tuesday, October 15, 2013 2:56 PM
To: ratelimits at lists.redbarn.org
Subject: Re: [ratelimits] Double CPU usage with RRL

On 2013-10-10 20:11, Vernon Schryver wrote:
>> From: William Taylor <williamt at corp.sonic.net>
> 
>> I'm seeing approx double the amount of CPU usage when RRL is enabled.
>> CPU usage is normally around 50%-60% for named but when RRL is 
>> enabled it jumps to 110%-130%. Just wondering if this is expected and 
>> I just need to throw more CPU at it. This is on a recursive name 
>> server btw.
> 
> A 100% penalty sounds very high based on what I understand of the 
> BIND9 code invoked to answer from the cache.  Never mind the even 
> higher costs of recursing.  I think the RRL hash table is 
> significantly faster than the BIND9 red/black tree code, and a 
> response needs only one RRL lookup but often more than one forest expedition.
> 
> Do you have logging turned high enough to record every RRL action?
> Logging eats lots of CPU cycles.
> 
> 
>>        rate-limit {
>>                responses-per-second 60;
>>                nxdomains-per-second 0;
>>                ipv4-prefix-length 32;
>>                log-only yes;
>>                min-table-size 200000;
>>                max-table-size 300000;
>>        };
> 
> Why such a high general RRL limit?  Are some of your users hitting it 
> with DNSBL traffic?
> 
> Why turn off NXDOMAIN rate limiting?
> As long as DNSSEC is rare, that might not matter.
> http://scoreboard.verisignlabs.com/percent-trace.png
> http://scoreboard.verisignlabs.com/
> When registrars are forced by ICANN to compete with their profitable 
> commercial PKI "sidelines" by supporting DANE and TLSA, 
> http://www.internetsociety.org/deploy360/blog/2013/09/icanns-2013-raa-requires-domain-name-registrars-to-support-dnssec-ipv6/
> that might change.  A signed NXDOMAIN is plenty big enough to cause 
> DNS reflection DoS mischief.
> 
> I trust those changes to the default table sizes are justified by 
> measurements.  A DNS server that needs RRL table space to remember at 
> least 200,000 responses per several seconds must be doing more than
> 20,000 qps.
> 
> 

Vernon,

   I changed min-table-size 6000, removed max-table-size and nxdomains-per-second. I also adjusted responses-per-second to 30.
   CPU seems to be doing fairly well. Still running in log-only mode.

   Does this latest log message indicate that I should be increasing my min-table-size to 19000?

   15-Oct-2013 10:08:02.964 rate-limit: info: increase from 18000 to 19000 RRL entries with 13001 bins; average search length 1.9

_______________________________________________
ratelimits mailing list
ratelimits at lists.redbarn.org
http://lists.redbarn.org/mailman/listinfo/ratelimits
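
Added example, not part of the original messages and not BIND code: a small Python parser for table-growth log lines of the form quoted in the message above, reporting how far the RRL table grew so the figure can be compared with the configured min-table-size. Only the 10:08:02.964 line comes from the thread; the other sample lines and all function names are constructed for illustration.

```python
import re

# Format of the growth message quoted in the thread (named groups are this example's own).
GROWTH = re.compile(
    r"^\d{2}-\w{3}-\d{4} [\d:.]+ rate-limit: info: "
    r"increase from (?P<old>\d+) to (?P<new>\d+) RRL entries "
    r"with (?P<bins>\d+) bins; average search length (?P<avg>\d+(?:\.\d+)?)$"
)
TIMESTAMP = re.compile(r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

def unwrap(lines):
    # Rejoin records that were hard-wrapped (e.g. by a mail client) before parsing.
    record = None
    for raw in lines:
        line = raw.strip()
        if TIMESTAMP.match(line):
            if record is not None:
                yield record
            record = line
        elif record is not None and line:
            record += " " + line
    if record is not None:
        yield record

def growth_events(lines):
    # Keep only table-growth records; every other log line is ignored.
    matches = (GROWTH.match(r) for r in unwrap(lines))
    return [{"old": int(m["old"]), "new": int(m["new"]), "bins": int(m["bins"]),
             "avg_search": float(m["avg"])} for m in matches if m]

def summarize(lines):
    # Report the largest table size logged and the hash-table load at that point.
    events = growth_events(lines)
    if not events:
        return None
    peak = max(events, key=lambda e: e["new"])
    return {"growth_steps": len(events), "peak_entries": peak["new"], "bins": peak["bins"],
            "entries_per_bin": round(peak["new"] / peak["bins"], 2), "avg_search": peak["avg_search"]}

# Sample input: first two lines are constructed; the last record is the one from the thread, wrapped.
SAMPLE = """\
15-Oct-2013 09:41:17.502 rate-limit: info: increase from 6000 to 7000 RRL entries with 13001 bins; average search length 1.2
15-Oct-2013 09:50:00.000 general: info: unrelated line (constructed)
15-Oct-2013 10:08:02.964 rate-limit: info: increase from 18000 to
19000 RRL entries with 13001 bins; average search length 1.9
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```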
