Maintained by: NLnet Labs

[Unbound-users] recently asked questions

W.C.A. Wijngaards
Fri Oct 8 16:55:40 CEST 2010


Hi unbound-users,

In this email, I want to go over some questions that were repeatedly or
recently asked about unbound.

* About memory, how to configure its maximum?

Ok. Pick the limit (32-bit Linux has 3Gb per process).  Then divide by
two (for the operating system malloc overhead).  Then divide this into
RRset, msg, and other caches.  Leave a little to spare because hitting
the hard max is painful (server failure errors are sent to clients).

The divide-by-two looks bad, but it is really a very sophisticated
algorithm to even get that good.  And I do not believe unbound can do a
better job at it than your OS can.  (If you know how to do it better, we
may make Unix systems the world over operate better.)

So, for 3Gb, about 1.5Gb to divide over caches.  Such as rrset-cache
600M, msg-cache 300M, key-cache 100M, neg-cache 100M, infra-numhosts
100000.  This leaves some space as well.  And how did I choose these
ratios?  What I did was look at the ratios when the caches are not full
yet but are used in normal operations.  The key and neg cache values are
guesses to enable DNSSEC operations.  It is likely that DNSSEC's
deployment will change this (specifically more space for key-cache and
neg-cache).

* Denied feature request: donotquery config per port.
So that you can block specific port numbers.  Such a setup could use more
localhost interfaces, for example, without needing to self-block a
specific port number.  In actuality, unbound can cope perfectly well
with sending queries to itself (I mean, it does not crash, nor loop).
Thus the donotquery-localhost feature is another layer of protection.

* Denied feature request: dump_requestlist with threads
Only thread 0 is printed by unbound-control.  Printing other threads is
a lot of code, and if it is very full, it usually has similar contents
anyway.  It is a debug feature.

Best regards,
   Wouter
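Added example, not part of the original message: a small Python helper that applies the sizing procedure from the memory answer (halve the process limit, split it over the caches, keep some spare) to other process limits and prints the matching unbound.conf `server:` options. It assumes the email's "3Gb" means 3000 MB and that the 600/300/100/100 split and the 100000 infra hosts scale linearly with the limit; the function names are hypothetical.

```python
# Added example: scale the cache split from the email to another process limit.
# Assumption: the email's "3Gb" limit is treated as 3000 MB and its split
# (600/300/100/100 MB, 100000 infra hosts) is scaled linearly.
REFERENCE_LIMIT_MB = 3000
REFERENCE_SPLIT_MB = {
    "rrset-cache-size": 600,
    "msg-cache-size": 300,
    "key-cache-size": 100,
    "neg-cache-size": 100,
}
REFERENCE_INFRA_HOSTS = 100000


def plan_caches(limit_mb):
    """Return cache sizes (MB), infra host count and spare MB for a process limit."""
    if limit_mb <= 0:
        raise ValueError("process limit must be positive")
    # Divide by two for the operating system malloc overhead.
    budget = limit_mb // 2
    sizes = {opt: ref * limit_mb // REFERENCE_LIMIT_MB
             for opt, ref in REFERENCE_SPLIT_MB.items()}
    if min(sizes.values()) < 1:
        raise ValueError("process limit too small for a usable split")
    hosts = REFERENCE_INFRA_HOSTS * limit_mb // REFERENCE_LIMIT_MB
    # Spare room so the hard maximum is not hit; the infra cache is
    # configured as a host count and is not subtracted here.
    spare = budget - sum(sizes.values())
    return {"budget_mb": budget, "sizes_mb": sizes,
            "infra_hosts": hosts, "spare_mb": spare}


def render_conf(limit_mb):
    """Render the plan as an unbound.conf server: clause."""
    plan = plan_caches(limit_mb)
    lines = ["server:"]
    for opt, size in plan["sizes_mb"].items():
        lines.append(f"    {opt}: {size}m")
    lines.append(f"    infra-cache-numhosts: {plan['infra_hosts']}")
    lines.append(f"    # budget {plan['budget_mb']}m, spare {plan['spare_mb']}m")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_conf(3000))  # the 3Gb case from the email
    print(render_conf(2000))  # a smaller, constructed limit
```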