From patchwork Wed Mar 4 21:11:52 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2817
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 1/2] unbound: Only launch one process
Date: Wed, 4 Mar 2020 21:11:52 +0000
Message-Id: <20200304211153.1842-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

When unbound is running multiple threads, we have observed that queries were sent for each thread. Since no user should have so much DNS traffic that more than one processor core is being saturated, this is a safe change.

Signed-off-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
Signed-off-by: Michael Tremer --- src/initscripts/system/unbound | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index c845c436f..1cf26ec0e 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -191,15 +191,6 @@ write_forward_conf() { write_tuning_conf() { # https://www.unbound.net/documentation/howto_optimise.html - # Determine number of online processors - local processors=$(getconf _NPROCESSORS_ONLN) - - # Determine number of slabs - local slabs=1 - while [ ${slabs} -lt ${processors} ]; do - slabs=$(( ${slabs} * 2 )) - done - # Determine amount of system memory local mem=$(get_memory_amount) 
@@ -234,16 +225,6 @@ write_tuning_conf() { ( config_header - # We run one thread per processor - echo "num-threads: ${processors}" - echo "so-reuseport: yes" - - # Adjust number of slabs - echo "infra-cache-slabs: ${slabs}" - echo "key-cache-slabs: ${slabs}" - echo "msg-cache-slabs: ${slabs}" - echo "rrset-cache-slabs: ${slabs}" - # Slice up the cache echo "rrset-cache-size: $(( ${mem} / 2 ))m" echo "msg-cache-size: $(( ${mem} / 4 ))m"

From patchwork Wed Mar 4 21:11:53 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2818
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 2/2] unbound: Disable using mixed case for DNS queries
Date: Wed, 4 Mar 2020 21:11:53 +0000
Message-Id: <20200304211153.1842-2-michael.tremer@ipfire.org>
In-Reply-To: <20200304211153.1842-1-michael.tremer@ipfire.org>
References: <20200304211153.1842-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

This seems to cause that some resolvers do not respond to queries any more until unbound falls back. To ensure better DNS performance, we disabled this.

Signed-off-by: Michael Tremer --- config/unbound/unbound.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index c78ca1db7..3aab6ea46 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -42,7 +42,6 @@ server: # Hardening Options harden-large-queries: yes harden-referral-path: yes - use-caps-for-id: yes aggressive-nsec: yes # TLS
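
Review bot: In [PATCH 1/2], second hunk (`@@ -234,16 +225,6 @@`), the `num-threads` line is deleted rather than pinned, so the single-thread behaviour the subject promises now depends on unbound's built-in default instead of on anything in the generated file. Writing `echo "num-threads: 1"` with a one-line comment giving the reason (queries sent once per thread) would keep the intent visible in write_tuning_conf() and survive a change of default. The same hunk also drops `so-reuseport: yes` and the four `*-cache-slabs` settings, which the commit message does not mention; it should say that these are intentionally left at their defaults. The first hunk's removal of `processors` and `slabs` is consistent with this, since no remaining visible line references them.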
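
Review bot: In [PATCH 2/2], the removed `use-caps-for-id: yes` sits under `# Hardening Options`, yet the commit message justifies the removal on performance alone and does not state what protection is given up. Mixed-case query names add entropy that an off-path attacker has to guess to forge a response, so the message should record that trade-off and, ideally, which resolvers stopped answering. Leaving a commented-out line with the reason in unbound.conf, for example `# use-caps-for-id: yes  (disabled: some upstream resolvers do not answer)`, would keep the option from being silently forgotten or re-enabled without context.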