TLS and local unbound-control

Marc Branchaud marcnarc at xiplink.com
Fri May 4 20:12:57 UTC 2018


Hi all,

(Please bear with me in the following; some of this might be mere 
correlation and not causation.)

I've recently switched from OpenSSL 0.9.8 to 1.0.1.  I've noticed that 
my unbound-control commands now take significantly longer to complete. 
The "stats" command in particular takes ~3 seconds on my (mediocre) 
hardware.

Looking at unbound-control.c, it seems like it's always using TLS to 
communicate with the unbound process, even though I use local sockets, i.e.
	control-interface: /var/unbound/control-0

Am I reading the code correctly here?

If so, it seems silly to use TLS on such a connection.  Is there a 
config setting that would avoid using TLS?

(I haven't done a rigorous A/B test to see if the different OpenSSL 
version is really causing the slowdown.  Maybe the older version was 
just using lighter crypto.  But I might be barking up the completely 
wrong tree.)


On a related note, I am contemplating using stats_shm instead anyway, 
though I'm a little concerned about its connection to 
statistics-interval and logging.  That is, statistics-interval also sets 
the frequency at which the stats are logged.  If I want a small 
shm-update interval, I'm a tiny bit concerned about the extra packets 
being thrown at syslogd (even if they're ignored).  Especially if I'm 
running dozens of unbounds on some beefy-but-busy hardware.


So I'd like to request that: (a) unbound-control avoids using TLS when 
communicating over a local socket; and (b) there be a config setting to 
control only the shm stats update frequency, without the extra cruft of 
statistics-interval.

Does that sound reasonable?

Thanks,

		M.
