Maintained by: NLnet Labs

[Unbound-users] RHEL 5 and Unbound

Paul Wouters
Tue Oct 19 22:29:01 CEST 2010

On Tue, 19 Oct 2010, Hayward, Bruce wrote:

> Thanks, I have already used that page on optimizing


> For my own compile I have been using:
> ./configure --prefix=/opt/unbound --with-libs=/usr/local/lib
> --libexecdir=/opt/unbound/lib --sysconfdir=/var/unbound/etc
> --sharedstatedir=/var/unbound --localstatedir=/var/unbound
> --with-conf-file=/var/unbound/etc/unbound.conf
> --with-run-dir=/var/unbound --with-chroot-dir=/var/unbound
> --with-pidfile=/var/unbound/run/ --with-username=unbound
> --with-openssl=/lib64 --without-pthreads --without-solaris-threads
> --with-libevent=/usr/local/libevent/

I would not use chroot on a dedicated nameserver. All your important stuff
is already inside the chroot, not outside it. Also, with RHEL/CentOS you
should use and trust the SELinux policies - they provide a much better
security context without having to install or link various (sometimes outdated)
binaries or special devices or config files in the chroot. And no surprises
when sending the daemon signals and it possibly not being able to read config
files or includes anymore.

> Is the default --enable-debug?

No, it is not the default. So you should be fine. It is still surprising that
you're not outrunning BIND though. Are you sure you are comparing similar
configurations, e.g. with DNSSEC validation and the root key loaded, and perhaps
with DLV?

What version of libevent are you using?
Why are you disabling threads?
Is it finding ssl (you did not add --with-ssl)? I've seen a lot of speed differences
with different versions of openssl.