Report information

The Basics
Id: 46307
Status: review
Priority: Low/Low
Queue:

People

BugTracker
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: 9.13
Priority: P1 High
Severity: S3 Low
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: feature

Dates
Created: Tue, 17 Oct 2017 13:37:43 -0400
Updated: Wed, 06 Dec 2017 23:03:48 -0500
Closed: Not set



This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

Date: Wed, 27 Sep 2017 18:18:38 +0000
From: vicky@isc.org
Subject: NXDOMAIN aggressive cache cleaning
To: bind9-public@isc.org
As discussed at all-hands, busy resolvers get a lot of NXDOMAINs which clog up the cache. We would like some sort of feature to more aggressively delete NXDOMAINs. We had wanted this for 9.12, so I am tagging it with 9.12, but I understand this is well into the stretch goal territory.
From: "Mukund Sivaraman" <muks@isc.org>
Date: Tue, 17 Oct 2017 23:07:31 +0530
To: bind-suggest@isc.org
Subject: Some LRU tweaks for negative rdatasetheader handling
Do the following tweaks for negative rdataset handling:

* rdataset->rdh_ttl is rdataset->ttl + addrdataset time
* During add32(), modify code so that if the header is negative, append it at the end of the LRU list
* Don't modify need_headerupdate()
* During update_header(), if the header is negative:
  + If update_header() was called < 1 minute after addrdataset() [which can be determined by rdataset->rdh_ttl vs. rdataset->ttl vs. now], don't update the header.
  + Otherwise, bring the header to the front of the LRU list as currently done.

----

With these changes, during a random subdomain attack, all these negative answers will stick to the end of the LRU lists (where they'll be cleaned out first), and if a negative answer is actually re-used after a minute, then it'll be moved to the front of the LRU lists (i.e., it won't be cleaned out).

We can also remove this second part if we want to be strict, i.e., just let all negative answers get cleaned up first whether they have been recently used or not.

Mukund
Subject: Re: [ISC-Bugs #46307] Some LRU tweaks for negative rdatasetheader handling
Date: Tue, 17 Oct 2017 23:35:37 +0530
From: "Mukund Sivaraman" <muks@isc.org>
To: "Mukund Sivaraman via RT" <bind9-public@isc.org>
On Tue, Oct 17, 2017 at 05:37:44PM +0000, Mukund Sivaraman via RT wrote:
> We can also remove this second part if we want to be strict - i.e., just
> let all negative answers get cleaned up first whether they have been
> recently used or not.

I decided to implement this in rt46307. It's easier to implement and is stricter. If someone actually complains that it affects performance badly, then we can look at it.

So basically NEGATIVE is handled the same as ZEROTTL. It's always left towards the end of the LRU where it'll be swept first. There's a slight chance that a cache is overmem, and a negative answer that was just fetched is deleted from cache quickly (before it can be used to answer any additional queries). But an overmem situation doesn't last continuously, so this ought not to be a performance problem.

Mukund
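The LRU handling proposed in Mukund's two messages above, as an added example written for this page rather than code taken from BIND: negative and zero-TTL headers are appended to the tail of the LRU list, a cache hit promotes positive headers to the head but in the strict variant never promotes a negative one (in the first variant, only after an assumed 60-second grace period), and overmem cleaning sweeps from the tail. The header and list types, the function names, the sample entries and the timestamps are all constructed for the illustration, not taken from rbtdb.c.

```c
/*
 * Constructed model of the LRU policy discussed in this ticket. Example
 * code written for this page, not BIND's rbtdb.c: names, sample entries
 * and the 60-second grace period are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define RDH_NEGATIVE   0x01 /* NXDOMAIN/NODATA header */
#define RDH_ZEROTTL    0x02 /* TTL-0 header, already kept at the tail */
#define NEGATIVE_GRACE 60   /* assumed: the "< 1 minute" window from the proposal */

typedef struct header {
    const char *name;
    unsigned int attributes;
    time_t added; /* time of addrdataset() */
    struct header *prev, *next;
} header_t;

typedef struct {
    header_t *head; /* most recently used */
    header_t *tail; /* least recently used: the overmem sweep starts here */
    size_t count;
} lru_t;

static bool negative_or_zerottl(const header_t *h) {
    return (h->attributes & (RDH_NEGATIVE | RDH_ZEROTTL)) != 0;
}

static void unlink_header(lru_t *lru, header_t *h) {
    if (h->prev != NULL) h->prev->next = h->next; else lru->head = h->next;
    if (h->next != NULL) h->next->prev = h->prev; else lru->tail = h->prev;
    h->prev = h->next = NULL;
}

static void push_front(lru_t *lru, header_t *h) {
    h->prev = NULL;
    h->next = lru->head;
    if (lru->head != NULL) lru->head->prev = h; else lru->tail = h;
    lru->head = h;
}

static void push_back(lru_t *lru, header_t *h) {
    h->next = NULL;
    h->prev = lru->tail;
    if (lru->tail != NULL) lru->tail->next = h; else lru->head = h;
    lru->tail = h;
}

/* add32() step: negative and zero-TTL headers start at the tail. */
void lru_add(lru_t *lru, header_t *h, time_t now) {
    h->added = now;
    if (negative_or_zerottl(h)) push_back(lru, h); else push_front(lru, h);
    lru->count++;
}

/*
 * update_header() step on a cache hit. strict=true: negative headers are
 * never promoted (the variant implemented). strict=false: a negative header
 * is promoted only if reused NEGATIVE_GRACE seconds or more after it was
 * added (the first proposal).
 */
void lru_touch(lru_t *lru, header_t *h, time_t now, bool strict) {
    if (negative_or_zerottl(h) && (strict || now - h->added < NEGATIVE_GRACE))
        return;
    unlink_header(lru, h);
    push_front(lru, h);
}

/* Overmem cleaning: drop headers from the tail until at most limit remain. */
size_t lru_sweep(lru_t *lru, size_t limit) {
    size_t removed = 0;
    while (lru->count > limit && lru->tail != NULL) {
        unlink_header(lru, lru->tail);
        lru->count--;
        removed++;
    }
    return removed;
}

/*
 * Constructed scenario: two positive answers interleaved with a burst of
 * random-subdomain NXDOMAINs ("a1".."a3") and one TTL-0 record, all added at
 * t=1000; the NXDOMAIN "a1" and the positive "www" are reused touch_delay
 * seconds later. Returns the survivors, head to tail, after a sweep to limit.
 */
const char *scenario_order(bool strict, time_t touch_delay, size_t limit) {
    static char out[128];
    static const header_t templ[6] = {
        {"www", 0, 0, NULL, NULL},  {"a1", RDH_NEGATIVE, 0, NULL, NULL},
        {"mail", 0, 0, NULL, NULL}, {"a2", RDH_NEGATIVE, 0, NULL, NULL},
        {"a3", RDH_NEGATIVE, 0, NULL, NULL}, {"z", RDH_ZEROTTL, 0, NULL, NULL},
    };
    header_t pool[6];
    lru_t lru = {NULL, NULL, 0};

    memcpy(pool, templ, sizeof(pool));
    for (int i = 0; i < 6; i++) lru_add(&lru, &pool[i], 1000);
    lru_touch(&lru, &pool[1], 1000 + touch_delay, strict); /* NXDOMAIN reused */
    lru_touch(&lru, &pool[0], 1000 + touch_delay, strict); /* positive reused */
    lru_sweep(&lru, limit);

    out[0] = '\0';
    for (const header_t *h = lru.head; h != NULL; h = h->next) {
        if (out[0] != '\0') strncat(out, ",", sizeof(out) - strlen(out) - 1);
        strncat(out, h->name, sizeof(out) - strlen(out) - 1);
    }
    return out;
}

int main(void) {
    printf("strict,  reuse after 30s, keep 3: %s\n", scenario_order(true, 30, 3));
    printf("lenient, reuse after 30s, keep 3: %s\n", scenario_order(false, 30, 3));
    printf("lenient, reuse after 90s, keep 2: %s\n", scenario_order(false, 90, 2));
    return 0;
}
```

Running it shows the trade-off Mukund raises: with the strict rule every NXDOMAIN from the burst is swept before any positive answer, including the one that was genuinely reused, whereas with the grace-period rule a negative entry reused after a minute can outlive a positive one.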
This looks okay. I made a few stylistic tweaks (we already had macros for checking ZEROTTL and NEGATIVE and I thought it would be more readable to use them). If there's an NXDOMAIN flood and we're getting a lot of negative records put on this end of the list, will this in any way affect handling of the ZEROTTL records that would've been there before?
If I understood the discussion in this morning's support call correctly, Mark had some thoughts on a better way to do this, so I'm giving the ticket to him so he can discuss them...
While there is nothing wrong with this, something like rt46307_marka would most probably work better. We may want to add a named.conf knob for the TTL value.
On Mon Nov 06 23:07:22 2017, marka wrote:
> while there is nothing wrong with this something like
> rt46307_marka would most probably work better. We may want to
> add a named.conf knob for the TTL value.

Added named.conf knobs; system test.
On Thu Nov 23 05:32:16 2017, marka wrote:
> On Mon Nov 06 23:07:22 2017, marka wrote:
> > while there is nothing wrong with this something like
> > rt46307_marka would most probably work better. We may want to
> > add a named.conf knob for the TTL value.
>
> added named.conf knobs; system test

What's the new knob, noting that we already have max-ncache-ttl?
Date: Thu, 23 Nov 2017 19:18:40 +0000
Subject: Re: [ISC-Bugs #46307] Some LRU tweaks for negative rdatasetheader handling
CC:
To: "Cathy Almond via RT" <bind9-public@isc.org>
From: "Evan Hunt" <each@isc.org>
> What's the new knob - noting that we already have max-ncache-ttl ?

short-ncache-ttl.
Added code to extend the short-ncache window rather than jumping to the original TTL.