From Newsgroup: comp.protocols.dns.bind
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --RWGDEgDy35B3LviCdZtx5ZQBsrNtS6oJs
Content-Type: multipart/mixed; boundary="lEbwKlqmQVLxTa0uYvWHusXYlE3Nimweh";
protected-headers="v1"
From: Timothe Litt <
litt@acm.org>
To:
bind-users@lists.isc.org
Message-ID: <
6b87b8ed-9cb9-83cb-e273-a1e0fb105408@acm.org>
Subject: Re: Request for review of performance advice
References: <
3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org>
In-Reply-To: <
3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org>
--lEbwKlqmQVLxTa0uYvWHusXYlE3Nimweh
Content-Type: multipart/alternative;
boundary="------------0191682D136EA53E2FBCF6BC"
Content-Language: en-US
This is a multi-part message in MIME format. --------------0191682D136EA53E2FBCF6BC
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
These suggestions - like most performance articles - are oriented toward achieving the highest performance with large configurations.=C2=A0 E.g. "=
How
big can/should you go to support big loads?"
That's useful for many users.=C2=A0 But there are also many people who ru=
n
smaller operations, where the goal is to provide adequate (or even
exceptional) performance with a minimum footprint. When BIND is one of
many services, overall performance can be improved by minimizing BIND's resource requirements.=C2=A0 This is also true in embedded applications,
where footprint matters.
So a discussion about how to optimize for the smaller cases - what do
you trade-off?=C2=A0 What knobs can one turn down - and how far? would be=
a
useful part of or complement to the proposed article.=C2=A0 E.g. "How sma=
ll
can/should you go when your loads are smaller?"
FWIW, a wizard - even just a spreadsheet - that encapsulates known
performance results might also be useful.=C2=A0 E.g. Given a processor, number/size of zones, query rate, & type, produce a memory size, disk &
network I/O rates, and starting configuration parameters... Obviously,
this could become arbitrarily complicated, but a simple spreadsheet with configuration (hardware & software) and performance data that's
searchable would give people a good starting point.=C2=A0 Especially if i=
t's
real-world. (It can be challenging to map artificial
"performance"/stress tests done in a development/verification
environment to the real world...)=C2=A0 While full automation can be fun,=
it's amazing how much one can get out of a spreadsheet with/autofilter.=C2=
=A0
(For the next level, pivot tables and/or charts...)
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.=20
On 07-Jul-20 21:57, Victoria Risk wrote:
A while ago we created a KB article with tips on how to improve your performance with our Kea dhcp server. The tips were fairly obvious to
our developers and this was pretty successful. We would like to do
something similar for BIND, provide a dozen or so tips for how to
maximize your throughput with BIND. However, as usual, everything is
more complicated with BIND.
Can those of you who care about performance, who have worked to
improve your performance, share some of your suggestions that have the
most impact? =C2=A0Please also comment if you think any of these ideas
below are stupid or dangerous. I have combined advice for resolvers
and for authoritative servers, I hope it is clear which is which...
The ideas we have fall into four general categories:
System design
1a) Use a load balancerto specialize your resolvers and maximize your
cache hit ratio.=C2=A0 A load balancer is traditionally designed to spr=
ead
the traffic out evenly among a pool of servers, but it can also be
used to concentrate related queries on one server to make its cache as
hot as possible. For example, if all queries for domains in .info are
sent to one server in a pool, there is a better chance that an answer
will be in the cache there.
1b) If you have a large authoritative system with many servers,
consider dedicating some machines to propagate transfers. These
machines, called transfer servers, would not answer client queries,
but just send notifies and process IXFR requests.
1c) Deploy ghost secondaries.=C2=A0 If you store copies of authoritativ=
e
zones on resolvers (resolvers as undelegated secondaries), you can
avoid querying those authoritative zones. The most obvious uses of
this would be mirroring the root zone locally or mirroring your own authoritative zones on your resolver.
we have other system design ideas that we suspect would help, but we
are not sure, so I will wait to see if anyone suggests them.
OS settings and the system environment
2a) Run on bare metal if possible, not on virtual machines or in the
cloud. (any idea how much difference this makes? the only reference we
can cite is pretty out of date -=C2=A0https://indico.dns-oarc.net/event/19/contributions/234/attachmen=
ts/217/411/DNS_perf_OARC_Apr_14.pdf
)
2b) Consider using with-tuning-large.
(https://kb.isc.org/docs/aa-01314) This is a compile time option, so
not something you can switch on and off during production.=C2=A0
2c) Consider which=C2=A0R/W lock choice you want to use - https://kb.isc.org/docs/choosing-a-read-write-lock-implementation-to-us=
e-with-named
For the highest tested query rates (> 100,000 queries per second),
pthreads read-write locks with hyper-threading=C2=A0/enabled/=C2=A0seem=
to be
the best-performing choice by far.
2d) Pay attention to your choice of NIC cards. We have found wide
variations in their performance. (Can anyone suggest what specifically
to look for?)
2e) Make sure your socket send buffers are big enough. (not sure if
this is obsolete advice, do we need to tell people how to tell if
their buffers are causing delays?)
2f)=C2=A0When the number of CPUs is very large (32 or more), the increa=
se
in UDP listeners may not provide any performance improvement and might actually reduce throughput slightly due to the overhead of the
additional structures and tasks. We suggest trying different values of
-U to find the optimal one for your production environment.
named Features
3a) Minimize logging. Query logging is expensive (can cost you 20% or
more of your throughput) so don=E2=80=99t do it unless you are using th=
e logs
for something. Logging with dnstap is lower impact, but still fairly expensive. Don=E2=80=99t run in debug mode unless necessary.
3b) Use named.conf option minimal-responses yes; to reduce the amount
of work that named needs to do to assemble the query response as well
as reducing the amount of outbound traffic
3c) Disable synth-from-dnssec. While this seemed like a good idea, it
turns out, in practice it does not improve performance.
3d) Tune your zone transfers. (https://kb.isc.org/docs/aa-00726)
When tuning the behavior of the primary, there are several factors
that you can control:
- The rate of notifications of changes to secondary servers (serial-query-rate and notify-delay)
- Limits on concurrent zone transfers (transfers-out, tcp-clients, tcp-listen-queue, reserved-sockets)
- Efficiency/management options (max-transfer-time-out, max-transfer-idle-out, transfer-format)
The most important options to focus on are transfers-out,
serial-query-rate, tcp-clients and tcp-listen-queue.
4e) If you use RPZ, consider using qnane-wait-recurse. We have had
issues with RPZ transfers impacting query performance in resolvers. In general, more smaller RPZ zones will transfer faster than a few very
large RPZ zones.=C2=A0
4f) Consider enabling prefetch on your resolver, unless you are
running 9.10 (which is EOL)=C2=A0https://kb.isc.org/docs/aa-01122
Fix your transport network.=C2=A0
Transport network issues cause BIND to keep retrying, which is a
performance drain.
4a) Disable (in some cases, completely remove in order to prevent
ongoing interference) outbound firewalls/packet-filters (particularly
that maintain state on connections). These are a frequent cause of
problems in the DNS that can cause your DNS server to do a lot of
extra work.
4b) Set an appropriate MTU for your network. Ensure that your network infrastructure supports EDNS and large UDP responses up to 4096.
Ensure that your network infrastructure allows transit for and
reassembly of fragmented UDP packets (these will be large query
responses if you are DNSSEC signing)
4c) Ensure that your network infrastructure allows DNS over TCP.
4d) Check for, and eliminate any incomplete IPv6 interface set-up
(what can go wrong here is that BIND thinksthat it can use IPv6
authoritative servers, but actually the sends silently fail, leaving
named waiting unnecessarily for responses)
Any further suggestions, corrections or warnings are very welcome.
Thank you!
Vicky
---------
Victoria Risk
Product Manager
Internet Systems Consortium
vicky@isc.org <mailto:vicky@isc.org>
--------------0191682D136EA53E2FBCF6BC
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF=
</head>
<body>
<p>These suggestions - like most performance articles - are oriented
toward achieving the highest performance with large
configurations.=C2=A0 E.g. "How big can/should you go to support bi=
g
loads?"<br>
</p>
<p>That's useful for many users.=C2=A0 But there are also many people=
who
run smaller operations, where the goal is to provide adequate (or
even exceptional) performance with a minimum footprint. When BIND
is one of many services, overall performance can be improved by
minimizing BIND's resource requirements.=C2=A0 This is also true in=
embedded applications, where footprint matters.<br>
</p>
<p>So a discussion about how to optimize for the smaller cases -
what do you trade-off?=C2=A0 What knobs can one turn down - and how=
far? would be a useful part of or complement to the proposed
article.=C2=A0 E.g. "How small can/should you go when your loads ar=
e
smaller?"</p>
<p>FWIW, a wizard - even just a spreadsheet - that encapsulates
known performance results might also be useful.=C2=A0 E.g. Given a
processor, number/size of zones, query rate, & type, produce a
memory size, disk & network I/O rates, and starting
configuration parameters... Obviously, this could become
arbitrarily complicated, but a simple spreadsheet with
configuration (hardware & software) and performance data
that's searchable would give people a good starting point.=C2=A0
Especially if it's real-world. (It can be challenging to map
artificial "performance"/stress tests done in a
development/verification environment to the real world...)=C2=A0 Wh=
ile
full automation can be fun, it's amazing how much one can get out
of a spreadsheet with/autofilter.=C2=A0 (For the next level, pivot
tables and/or charts...)<br>
</p>
<pre class=3D"moz-signature" cols=3D"72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.=20
</pre>
<div class=3D"moz-cite-prefix">On 07-Jul-20 21:57, Victoria Risk
wrote:<br>
</div>
<blockquote type=3D"cite"
cite=3D"mid:%
3C3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org%3E">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DU= TF-8">
A while ago we created a KB article with tips on how to improve
your performance with our Kea dhcp server. The tips were fairly
obvious to our developers and this was pretty successful. We would
like to do something similar for BIND, provide a dozen or so tips
for how to maximize your throughput with BIND. However, as usual,
everything is more complicated with BIND.
<div class=3D""><br class=3D"">
</div>
<div class=3D"">Can those of you who care about performance, who
have worked to improve your performance, share some of your
suggestions that have the most impact? =C2=A0Please also comment =
if
you think any of these ideas below are stupid or dangerous. I
have combined advice for resolvers and for authoritative
servers, I hope it is clear which is which...<br class=3D"">
<div class=3D""><br class=3D"">
</div>
<div class=3D"">The ideas we have fall into four general
categories:</div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">System design</div>
<div class=3D""><span
id=3D"docs-internal-guid-8bd01d59-7fff-de6c-6b62-d43b75bc5624=
"
class=3D""><span style=3D"font-variant-ligatures: normal; fon= t-variant-east-asian: normal; font-variant-position: normal; vertical-ali=
gn: baseline; white-space: pre-wrap;" class=3D"">1a) Use a load balancer<= /span><span style=3D"font-style: italic; font-variant-ligatures: normal; = font-variant-east-asian: normal; font-variant-position: normal; vertical-= align: baseline; white-space: pre-wrap;" class=3D""> </span><span style=3D= "font-variant-ligatures: normal; font-variant-east-asian: normal; font-va= riant-position: normal; vertical-align: baseline; white-space: pre-wrap;"=
class=3D"">to specialize your resolvers and maximize your cache hit rati= o.=C2=A0 A load balancer is traditionally designed to spread the traffic =
out evenly among a pool of servers, but it can also be used to concentrat=
e related queries on one server to make its cache as hot as possible. For=
example, if all queries for domains in .info are sent to one server in a=
pool, there is a better chance that an answer will be in the cache there= =2E</span></span></div>
<div class=3D""><br class=3D"">
</div>
<div class=3D""><span
id=3D"docs-internal-guid-a7429f5d-7fff-21f2-d35c-7c59e291531b=
"
class=3D""><span style=3D"font-variant-ligatures: normal; fon= t-variant-east-asian: normal; font-variant-position: normal; vertical-ali=
gn: baseline; white-space: pre-wrap;" class=3D"">1b) If you have a large = authoritative system with many servers, consider dedicating some machines=
to propagate transfers. These machines, called transfer servers, would n=
ot answer client queries, but just send notifies and process IXFR request= s.</span></span></div>
<div class=3D""><span class=3D""><span style=3D"font-variant-liga= tures: normal; font-variant-east-asian: normal; font-variant-position: no= rmal; vertical-align: baseline; white-space: pre-wrap;" class=3D""> </span></span></div>
<div class=3D""><span class=3D""><span style=3D"font-variant-liga= tures: normal; font-variant-east-asian: normal; font-variant-position: no= rmal; vertical-align: baseline; white-space: pre-wrap;" class=3D"">1c) De=
ploy </span></span><span style=3D"white-space: pre-wrap;" class=3D"">ghos=
t secondaries.=C2=A0 If you store copies of authoritative zones on resolv=
ers (resolvers as undelegated secondaries), you can avoid querying those = authoritative zones. The most obvious uses of this would be mirroring the=
root zone locally or mirroring your own authoritative zones on your reso= lver.</span></div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">we have other system design ideas that we suspect=
would help, but we are not sure, so I will wait to see if
anyone suggests them.</div>
<div class=3D""><br class=3D"">
</div>
<div class=3D""><span class=3D""><span style=3D"font-variant-liga= tures: normal; font-variant-east-asian: normal; font-variant-position: no= rmal; vertical-align: baseline; white-space: pre-wrap;" class=3D"">OS set= tings and the system environment</span></span></div>
<div class=3D"">2a) Run on bare metal if possible, not on virtual=
machines or in the cloud. (any idea how much difference this
makes? the only reference we can cite is pretty out of date -=C2= =A0<span style=3D"white-space: pre-wrap;" class=3D""><a href=3D"
https://i= ndico.dns-oarc.net/event/19/contributions/234/attachments/217/411/DNS_per= f_OARC_Apr_14.pdf" class=3D"" moz-do-not-send=3D"true">
https://indico.dns= -oarc.net/event/19/contributions/234/attachments/217/411/DNS_perf_OARC_Ap= r_14.pdf</a> )</span></div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">2b) Consider using with-tuning-large. (<span styl= e=3D"white-space: pre-wrap;" class=3D""><a href=3D"
https://kb.isc.org/doc= s/aa-01314" class=3D"" moz-do-not-send=3D"true">
https://kb.isc.org/docs/a= a-01314</a>) </span>This
is a compile time option, so not something you can switch on
and off during production.=C2=A0</div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">2c) Consider which=C2=A0<span style=3D"font-varia= nt-ligatures: normal; font-variant-east-asian: normal; font-variant-posit=
ion: normal; vertical-align: baseline; white-space: pre-wrap;" class=3D""=
R/W lock choice you want to use - </span><span style=3D"text-decoration:=
underline; color: rgb(17, 85, 204); font-variant-ligatures: normal; font= -variant-east-asian: normal; font-variant-position: normal; text-decorati= on-skip: none; vertical-align: baseline; white-space: pre-wrap;" class=3D= ""><a href=3D"
https://kb.isc.org/docs/choosing-a-read-write-lock-implemen= tation-to-use-with-named" class=3D"" moz-do-not-send=3D"true">
https://kb.= isc.org/docs/choosing-a-read-write-lock-implementation-to-use-with-named<=
</span><span
style=3D"caret-color: rgb(34, 34, 34); color: rgb(34, 34,
34);" class=3D"">For the highest tested query rates (>
100,000 queries per second), pthreads read-write locks with
hyper-threading=C2=A0</span><em style=3D"caret-color: rgb(34,=
34,
34); color: rgb(34, 34, 34); box-sizing: border-box;"
class=3D"">enabled</em><span style=3D"caret-color: rgb(34, 34=
,
34); color: rgb(34, 34, 34);" class=3D"">=C2=A0</span><span
style=3D"caret-color: rgb(34, 34, 34); color: rgb(34, 34,
34);" class=3D"">seem to be the best-performing choice by far= =2E</span></div>
<div class=3D""><span style=3D"caret-color: rgb(34, 34, 34); colo=
r:
rgb(34, 34, 34);" class=3D""><br class=3D"">
</span></div>
<div class=3D""><span style=3D"caret-color: rgb(34, 34, 34); colo=
r:
rgb(34, 34, 34);" class=3D"">2d) Pay attention to your choice=
of NIC cards. We have found wide variations in their
performance. (Can anyone suggest what specifically to look
for?)</span></div>
<div class=3D""><span style=3D"caret-color: rgb(34, 34, 34); colo=
r:
rgb(34, 34, 34);" class=3D""><br class=3D"">
</span></div>
<div class=3D""><span style=3D"caret-color: rgb(34, 34, 34); colo=
r:
rgb(34, 34, 34);" class=3D"">2e) Make sure your socket send
buffers are big enough. (not sure if this is obsolete
advice, do we need to tell people how to tell if their
buffers are causing delays?)</span></div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">2f)=C2=A0<span
id=3D"docs-internal-guid-8d50db57-7fff-f45a-7f4d-9bbec5aebc28=
"
class=3D""><span style=3D"font-variant-ligatures: normal; fon= t-variant-east-asian: normal; font-variant-position: normal; vertical-ali=
gn: baseline; white-space: pre-wrap;" class=3D"">When the number of CPUs =
is very large (32 or more), the increase in UDP listeners may not provide=
any performance improvement and might actually reduce throughput slightl=
y due to the overhead of the additional structures and tasks. We suggest = trying different values of -U to find the optimal one for your production=
environment.</span></span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""= >named Features</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
3a) Minimize logging. Query logging is expensive (can cost you 20% or mo=
re of your throughput) so don=E2=80=99t do it unless you are using the lo=
gs for something. Logging with dnstap is lower impact, but still fairly e= xpensive. </span><span style=3D"white-space: pre-wrap;" class=3D"">Don=E2= =80=99t run in debug mode unless necessary. </span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
3b) </span><span style=3D"color: rgb(34, 34, 34); white-space: pre-wrap;=
" class=3D"">Use named.conf option minimal-responses yes; to reduce the a= mount of work that named needs to do to assemble the query response as we=
ll as reducing the amount of outbound traffic</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
3c) </span><span style=3D"white-space: pre-wrap;" class=3D"">Disable syn= th-from-dnssec. While this seemed like a good idea, it turns out, in prac=
tice it does not improve performance.</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
3d) Tune your zone transfers. </span><span style=3D"white-space: pre-wra=
p;" class=3D""> (</span><a href=3D"
https://kb.isc.org/docs/aa-00726" styl= e=3D"white-space: pre-wrap;" class=3D"" moz-do-not-send=3D"true">
https://= kb.isc.org/docs/aa-00726</a><span style=3D"white-space: pre-wrap;" class=3D= "">)</span></div>
<div class=3D"">
<p style=3D"box-sizing: border-box; margin: 0px 0px 1rem;
padding: 0px; caret-color: rgb(34, 34, 34); color: rgb(34,
34, 34);" class=3D"">When tuning the behavior of the primary,=
there are several factors that you can control:</p>
<p style=3D"box-sizing: border-box; margin: 0px 0px 1rem;
padding: 0px; caret-color: rgb(34, 34, 34); color: rgb(34,
34, 34);" class=3D"">- The rate of notifications of changes t=
o
secondary servers (serial-query-rate and notify-delay)</p>
<p style=3D"box-sizing: border-box; margin: 0px 0px 1rem;
padding: 0px; caret-color: rgb(34, 34, 34); color: rgb(34,
34, 34);" class=3D"">- Limits on concurrent zone transfers
(transfers-out, tcp-clients, tcp-listen-queue,
reserved-sockets)</p>
<p style=3D"box-sizing: border-box; margin: 0px 0px 1rem;
padding: 0px; caret-color: rgb(34, 34, 34); color: rgb(34,
34, 34);" class=3D"">- Efficiency/management options
(max-transfer-time-out, max-transfer-idle-out,
transfer-format)</p>
<p style=3D"box-sizing: border-box; margin: 0px 0px 1rem;
padding: 0px; caret-color: rgb(34, 34, 34); color: rgb(34,
34, 34);" class=3D"">The most important options to focus on
are transfers-out, serial-query-rate, tcp-clients and
tcp-listen-queue.</p>
</div>
<div class=3D"">4e) If you use RPZ, consider using
qnane-wait-recurse. We have had issues with RPZ transfers
impacting query performance in resolvers. In general, more
smaller RPZ zones will transfer faster than a few very large
RPZ zones.=C2=A0</div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">4f) Consider enabling prefetch on your resolver,
unless you are running 9.10 (which is EOL)=C2=A0<a
href=3D"
https://kb.isc.org/docs/aa-01122" class=3D""
moz-do-not-send=3D"true">
https://kb.isc.org/docs/aa-01122</a>= </div>
<div class=3D""><br class=3D"">
</div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
Fix your transport network.=C2=A0</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""= >Transport network issues cause BIND to keep retrying, which is a perform=
ance drain.</span></div>
<div class=3D""><span
id=3D"docs-internal-guid-86e034a7-7fff-6820-9bb1-bcad17499827=
"
class=3D""><span style=3D"color: rgb(34, 34, 34); font-varian= t-ligatures: normal; font-variant-east-asian: normal; font-variant-positi=
on: normal; vertical-align: baseline; white-space: pre-wrap;" class=3D"">=
4a) Disable (in some cases, completely remove in order to prevent ongoing=
interference) outbound firewalls/packet-filters (particularly that maint=
ain state on connections). These are a frequent cause of problems in the =
DNS that can cause your DNS server to do a lot of extra work. </span></sp= an></div>
<div class=3D""><span class=3D""><span style=3D"color: rgb(34, 34=
, 34); font-variant-ligatures: normal; font-variant-east-asian: normal; f= ont-variant-position: normal; vertical-align: baseline; white-space: pre-= wrap;" class=3D"">
</span></span></div>
<div class=3D""><span
id=3D"docs-internal-guid-a2400cb3-7fff-8adf-a4da-1d499f82fd2f=
"
class=3D""><span style=3D"color: rgb(34, 34, 34); font-varian= t-ligatures: normal; font-variant-east-asian: normal; font-variant-positi=
on: normal; vertical-align: baseline; white-space: pre-wrap;" class=3D"">=
4b) Set an appropriate MTU for your network. Ensure that your network inf= rastructure supports EDNS and large UDP responses up to 4096. </span></sp= an><span style=3D"color: rgb(34, 34, 34); white-space: pre-wrap;" class=3D= "">Ensure that your network infrastructure allows transit for and reassem=
bly of fragmented UDP packets (these will be large query responses if you=
are DNSSEC signing)</span></div>
<div class=3D""><span style=3D"color: rgb(34, 34, 34); white-spac=
e: pre-wrap;" class=3D"">
</span></div>
<div class=3D""><span style=3D"color: rgb(34, 34, 34); white-spac=
e: pre-wrap;" class=3D"">4c) </span><span style=3D"color: rgb(34, 34, 34)=
; white-space: pre-wrap;" class=3D"">Ensure that your network infrastruct=
ure allows DNS over TCP.</span></div>
<div class=3D""><span style=3D"color: rgb(34, 34, 34); white-spac=
e: pre-wrap;" class=3D"">
</span></div>
<div class=3D""><span style=3D"color: rgb(34, 34, 34); white-spac=
e: pre-wrap;" class=3D"">4d) </span><span style=3D"color: rgb(34, 34, 34)=
; font-variant-ligatures: normal; font-variant-east-asian: normal; font-v= ariant-position: normal; vertical-align: baseline; white-space: pre-wrap;=
" class=3D"">Check for, and eliminate any incomplete IPv6 interface set-u=
p (what can go wrong here is that BIND </span><span style=3D"color: rgb(3=
4, 34, 34); font-style: italic; font-variant-ligatures: normal; font-vari= ant-east-asian: normal; font-variant-position: normal; vertical-align: ba= seline; white-space: pre-wrap;" class=3D"">thinks</span><span style=3D"co=
lor: rgb(34, 34, 34); font-variant-ligatures: normal; font-variant-east-a= sian: normal; font-variant-position: normal; vertical-align: baseline; wh= ite-space: pre-wrap;" class=3D""> that it can use IPv6 authoritative serv=
ers, but actually the sends silently fail, leaving named waiting unnecess= arily for responses)</span></div>
<div class=3D"">
<div class=3D""><br class=3D"">
</div>
</div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
Any further suggestions, corrections or warnings are very welcome. </spa= n></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""= >Thank you!</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""= >Vicky</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""= >---------</span></div>
<div class=3D""><span style=3D"white-space: pre-wrap;" class=3D""=
</span>
<div class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class=3D"">
<div class=3D"">Victoria Risk</div>
<div class=3D"">Product Manager</div>
<div class=3D"">Internet Systems Consortium</div>
<div class=3D""><a href=3D"mailto:
vicky@isc.org" class=3D=
""
moz-do-not-send=3D"true">
vicky@isc.org</a></div>
<div class=3D""><br class=3D"">
</div>
</div>
<br class=3D"Apple-interchange-newline">
</div>
<br class=3D"Apple-interchange-newline">
<br class=3D"Apple-interchange-newline">
</div>
<br class=3D"">
</div>
</div>
</blockquote>
</body>
</html>
--------------0191682D136EA53E2FBCF6BC--
--lEbwKlqmQVLxTa0uYvWHusXYlE3Nimweh--
--RWGDEgDy35B3LviCdZtx5ZQBsrNtS6oJs
Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE0UvvF0GpbrNhifE5DTaRiR4XoSQFAl8IWKoACgkQDTaRiR4X oSSeAwf9HdGDNUUmi4GHTlgKuvbjbbSdzKuwAfw8q91KLhGkqko8o++WQUFYqow/ XNr+H8DX33qRiHS3FWiliJ6vEeRuZhp0eLlBlPhEim7wtx3AmKqDhDDDbswfKjVF x4RAgf620flVwevGDiGAbPgBQM/BqQl0bOCIgI2BHpDwuHepe20L0CQblTmCem8l aWbKK1ZH3bk/l6R8iguEodDtJuaw2bYm9J2R9hq3uj0zEw17+ufHfEUmDXSkpyLb TS3nY9PZMPral/zT9j54UDQWJRutV43Mg395XRCOod3gAbfxiyyFaaDnGNU+KkFy ma0fdzCan89D/1t4KhRD0KGx/RMZXw==
=4nLJ
-----END PGP SIGNATURE-----
--RWGDEgDy35B3LviCdZtx5ZQBsrNtS6oJs--
--- Synchronet 3.18a-Linux NewsLink 1.113