Development issues regarding the cerowrt test router project
From: "Török Edwin" <edwin+ml-cerowrt@etorok.net>
To: Dave Taht <dave.taht@gmail.com>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind
Date: Fri, 17 Aug 2012 23:13:13 +0300
Message-ID: <502EA5D9.3000202@etorok.net>
In-Reply-To: <CAA93jw4-Arc7U+ZCMpuYY1HsqucwQ-jHFMc6iwDRk_fp+8xWPQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1691 bytes --]

On 08/17/2012 10:52 PM, Dave Taht wrote:
> On Fri, Aug 17, 2012 at 12:05 PM, Török Edwin

>> I was using unbound on openwrt for dnssec before and I haven't noticed this problem.
> 
> How is that on memory and configurability?

It was quite easy to configure, and I didn't need to touch it since the initial setup.
I think I just followed the instructions for Debian:
http://wiki.debian.org/DNSSEC#Unbound

I've attached my unbound.conf here if you want to see what it knows. According to the config file
it should use a 4M cache by default.
I didn't measure memory usage, or do any other benchmark to compare it against bind.

> 
>> However I had some .ro time servers configured, and apparently they use quite a wide range
>> for their RRSIG, so maybe I was just lucky not to hit a situation where both .ro and .org would fail to validate.
>> RRSIG   NS 5 2 7200 20120819122953 20120720122953....
>> RRSIG   NSEC 8 1 86400 20120824000000 20120816230000 ...
>>
>> While the .org RRSIG has quite a recent timestamp:
>> org.                    900     IN      RRSIG   SOA 7 1 900 20120907184119 20120817174119
>>
>> Added the .ro timeservers to cerowrt now, and will see if the problem occurs again.
> 
> You were lucky, and it will. openwrt/cerowrt can periodically write
> the current time to flash, but not often enough for dnssec on a fresh
> boot, and more often would be mildly bad on flash wear.
> 
> I wasn't aware however that some timeservers were available that

[this sentence seems to have been cut off]

> 
>>>> Another minor issue is that p910nd and luci-app-p910nd were not available via opkg install, but I found them on openwrt.org, so that works now.

Best regards,
--Edwin

[-- Attachment #2: unbound.conf --]
[-- Type: text/plain, Size: 2745 bytes --]

server:
	verbosity: 1

	interface: ::0
	interface: 0.0.0.0

	# the amount of memory to use for the RRset cache.
	# plain value in bytes or you can append k, m or G. default is "4Mb". 
	rrset-cache-size: 4m

	# the number of slabs to use for the RRset cache.
	# the number of slabs must be a power of 2.
	# more slabs reduce lock contention, but fragment memory usage.
	rrset-cache-slabs: 2

	# control which clients are allowed to make (recursive) queries
	# to this server. Specify classless netblocks with /size and action.
	# By default everything is refused, except for localhost.
	# Choose deny (drop message), refuse (polite error reply),
	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
	# access-control: 0.0.0.0/0 refuse
	# access-control: 127.0.0.0/8 allow
	# access-control: ::0/0 refuse
	# access-control: ::1 allow
	# access-control: ::ffff:127.0.0.1 allow
	access-control: 0.0.0.0/0 allow
	access-control: ::0/0 allow


	# if given, user privileges are dropped (after binding port),
	# and the given username is assumed. Default is user "unbound".
	# If you give "" no privileges are dropped.
	# username: "unbound"
	username: ""

	# the working directory. The relative files in this config are 
	# relative to this directory. If you give "" the working directory
	# is not changed.
	directory: "/etc/unbound"

	# the log file, "" means log to stderr. 
	# Use of this option sets use-syslog to "no".
	# logfile: ""

	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
	# log to, with identity "unbound". If yes, it overrides the logfile.
	use-syslog: yes 

	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
	# log-time-ascii: no

	# the pid file. Can be an absolute path outside of chroot/work dir.
	pidfile: "/var/run/unbound.pid"

	# file to read root hints from.
	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
	root-hints: "named.cache"
	
	
	# Root zone trust anchor key
	# Will be autoupdated by unbound in case of key change
	auto-trust-anchor-file: "root.autokey"

	# If you want to also do DLV validation (RFC5074),
	# download http://ftp.isc.org/www/dlv/dlv.isc.org.key
	# and uncomment following line:
	#dlv-anchor-file: "dlv.isc.org.key"

	# You can also do ITAR validation (https://itar.iana.org)
	# To download and update anchors.mf file, use update-itar.sh
	# from page http://www.unbound.net/documentation/howto_itar.html
	#trust-anchor-file: "anchors.mf"


    # If you want to forward requests to another recursive DNS server
    # uncomment this. Please note that many DNS recursors do strip 
    # DNSSEC data, rendering unbound server unusable.
    # forward-zone:
    #   name: "."
    #	forward-addr: 8.8.8.8
    #	forward-addr: 8.8.4.4
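
The RRSIG lines quoted in the message carry their validity window as two timestamps, expiration first and inception second. The following Python is an added example, not part of the original message or of cerowrt: it parses those three lines and reports which of them a validator would accept when the router's clock is correct and when it has been restored from an older saved time. The stale clock value and all function names are constructed for illustration.

```python
# Added example: check RRSIG validity windows against a possibly stale clock.
from datetime import datetime, timezone

FMT = "%Y%m%d%H%M%S"  # RRSIG presentation-format timestamp, always UTC (RFC 4034)

# RRSIG lines as quoted in the message (the elided trailing fields are left out).
QUOTED = {
    ".ro NS":   "RRSIG   NS 5 2 7200 20120819122953 20120720122953",
    ".ro NSEC": "RRSIG   NSEC 8 1 86400 20120824000000 20120816230000",
    ".org SOA": "org. 900 IN RRSIG SOA 7 1 900 20120907184119 20120817174119",
}

def parse_window(line):
    """Return (type_covered, inception, expiration) from an RRSIG line."""
    fields = line.split()
    i = fields.index("RRSIG")  # works with or without owner/TTL/class in front
    covered, _alg, _labels, _ttl, expiration, inception = fields[i + 1:i + 7]
    to_utc = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    return covered, to_utc(inception), to_utc(expiration)

def verdict(line, clock):
    """What a validator whose clock reads `clock` concludes about the signature."""
    _, inception, expiration = parse_window(line)
    if clock < inception:
        return "not-yet-valid"
    if clock > expiration:
        return "expired"
    return "valid"

def max_clock_lag(line, true_time):
    """How far behind true_time a clock may run before the signature is rejected."""
    _, inception, _ = parse_window(line)
    return true_time - inception

def report(clock):
    return {name: verdict(line, clock) for name, line in QUOTED.items()}

# Time the message was sent (23:13:13 +0300), used here as the "true" time.
SENT = datetime(2012, 8, 17, 20, 13, 13, tzinfo=timezone.utc)
# Constructed clock: a time saved to flash a week earlier and restored at boot.
STALE = datetime(2012, 8, 10, 0, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, clock in (("correct", SENT), ("stale", STALE)):
        print(label, report(clock))
    for name, line in QUOTED.items():
        print(name, "tolerates a clock lag of", max_clock_lag(line, SENT))
```

With the week-old clock only the .ro NS signature, whose window opened on 20 July, still validates; the .org SOA signature was generated about two and a half hours before the message was sent, so any clock further behind than that rejects it.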
	

