Maintained by: NLnet Labs

Remote (unbound-anchor) increase CPU after unbound 1.5.8

Luiz Fernando Softov
Sun Nov 27 18:49:34 CET 2016


Thanks...

But, i can't update to openssl 1.1 yet, I have a lot of daemons and others
dependencies using libssl.

If I update, i will need to recompile and maybe debug those daemons.

So, i will continue to use the changes I have made.

2016-11-25 13:16 GMT-03:00 W.C.A. Wijngaards via Unbound-users <
unbound-users at unbound.net>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi Luiz,
>
> I have fixed that it uses less CPU.  It needs openssl 1.1, and sets
> the security level to 0, and then uses no encryption (that means, even
> less CPU than dh1024 was using) over the unix socket.  The changes are
> committed to the code repository.
>
> Best regards, Wouter
>
> On 10/11/16 05:02, Luiz Fernando Softov via Unbound-users wrote:
> > ​​ Hi all.
> >
> > I have a custom daemon ​ in C​ , that connect to unbound (remove
> > control) ​​ and get stats ​​ , using stat_noreset.
> >
> > ​Using this I can create real ​-​ time stats, in interface, like ​
> > ​http://prntscr.com/d5cecc> >
> > ​So, a fter unbound 1.5.8 (eg: 1.5.9, 1.5.10) ​, using calls like
> > unbound-control does,​ the use of CPU increase significantly.
> >
> > And, it's increase de CPU of both daemons unbound and my daemon.
> >
> > ​I was thinking this is because SSL. Because I was using 1.0.1,
> > and unbound in ports (freebrs), force to install openssl 1.0.2.
> >
> > ​But, s ince I'm in loopback (localhost), ​and, ​ I'm using
> >
> > ​ control-use-cert: no ​
> >
> > ​I think this problem was introduced after the version i was using
> > before (1.5.3).​
> >
> >
> > After some research, ​reinstall​ openSSL ​ (this is hard, because i
> > need to recompile a lot of daemons after this)​ , ​ my daemon (of
> > course), use another machine, etc. ​ ​ I found ​ this​ :
> >
> > - ​ [bugzilla: 770 ] - ​F​ ix Small subgroup attack on DH used in
> > unix pipe on localhost if unbound ​ ​ control uses a unix local
> > named pipe.
> >
> > So, i get the source of 1.5.10, and make some changes to do like
> > before, in 1.5.8.
> >
> > I put back in daemon/remote.c the get_dh1024() ​ function ​ ​(​
> > With some changes, if/else like in source of 1.5.10 ​)​ .
> >
> > Then, is work well, the cpu is 0%, with the daemon calling
> > stat_noreset each second.
> >
> > You can try this, calling unbound-anchor stats_noreset, more than
> > you call, more the CPU get high.
> >
> > This change ​, in ​ bugzilla 770 ​,​ is really necessary? ​
> >
> >
> > I also ready the last comment.
> >
> > ​- ​ This is not a security issue.  The control socket is intended
> > to be protected only by Unix file and directory permissions.  The
> > only reason why the connection is encrypted is that there is no
> > clean separation in the code and adding support for an unencrypted
> > control connection would have required a huge amount of
> > refactoring.
> >
> > Since this is not a secure issue, and this can increase CPU without
> > need.
> >
> > The daemon and unbound are in the same machine, in a custom
> > release, where the user can't have access, and can't do anything.
> >
> >
> > Maybe a change in unbound, to get a new unbound.conf, to not use
> > SSL at all (i know this is hard to be done) or make it to consume
> > less CPU, alternates to use between 1024 or 2048. This is the first
> > time I am reading unbound source, and I not know much about
> > libssl.
> >
> > But, in this case, i need a way to chose between security and
> > performance.
> >
> > ​ps, I also recommend to do a if before calling SSL_CTX_set_tmp_dh
> > ​, to check if get_dh is called right.​
> >
> >
> > ​ ​ ​ dh = ​ get_dh1024(); ​​
> >
> > ​​ if (dh == NULL) {
> >
> > ​ log_crypto_err("Failed to get DH params");
> >
> > ​ daemon_remote_delete(rc); return NULL; ​​ }
> >
> > ​ if(!SSL_CTX_set_tmp_dh(rc->ctx, dh)) {​
> >
> >
> >
> >
> >
> > ​​
> >
> >
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJYOGPhAAoJEJ9vHC1+BF+NJ88P/3MKnqe0gOs9FLSNpiiHiLR9
> Amyts5HNAHp5MuaRGISuuDMFtBTBzG7Hin0fIFYZpTpmHow03MwiE4VBVsQysDR2
> nurBOoL2h7r0lwowh0oJxYLnOVdqHkJgSFmTxdeGV2tPctC0Tm8p49bQA1J0UOBM
> BzfJpd+VbCMz1UR+OUCeEf5RdfNK6+ZG0bofLch1xqH2JyFRZWsY0e/ZfuCMBCj0
> BZ0WMbv8gKr1rIpojUtt70gJCths6p8gRa0wmhpAaLf5WVln2KbfBaUvA3ZBIFE6
> R21xUqMyZJFDtb6uLKR7oE0FU5p5UHBloCqCFgJsxcLrfpRVOnGCilzFuKww7p+K
> TwE1aGQGjotdRy1SGFBqJx+zfMCvMMmTYG2lafwCILeJXxVwkzB9TL53t905j0+z
> dpjlz79wAYQ6WoO7B8zBxh+qTWNHm436Lltdy2goehoVnwcKA6DcKNp/U+2KQCIm
> JVaI0I7Bbb9fMEkVgORxpArDiDnQah0H/AEE2v7NRp87+J/68/mcRpSf2/lXtwPr
> GWxNItQcx7BhPhm4N1n5xj5/HITjg5Kprq+RfQewfbi+tyoAR5oBjUu5cotagnfA
> Yfv3+p0DO5Rrign9ZPQWKorGw3TuasPVi2/2QtsezuQFy4mCiTKed1t0z0TtXDjh
> nN3X+k7f1YRy0Zs5Z0v4
> =CZum
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20161127/8e695944/attachment.html>