Marcel is one of the gentlemen who maintain the NixSPAM DNSBL, and he contacted me a few weeks ago. The project maintains very volatile DNS data on a BIND name server, and they are beginning to experience difficulties in keeping up with updates to the data. In other words, the amount of updates they want to perform per second is higher than what their current methods allow.
Even though I’m not privy to how exactly they perform the updates, the topic piqued my interest, so I thought about how they could go about speeding up dynamic DNS updates. (We’ve discussed updating the DNS before, including using SIG(0), so I won’t go into that again.)
If we look at the manual page for the nsupdate command, there are some examples that clearly indicate that batches of updates are possible:
This is possible only if all updates are performed for the same zone, which is the case for the NixSPAM list.
Using a bit of dnspython, I fired off 40,000 TCP signed updates to a local DNS server (localhost), in different batch sizes, listed in the first column in the table. I always started afresh, resetting the zone to serial number 1 and restarting my BIND server. Here are the results:
What is a bit surprising is that there is hardly a difference in wall clock time between batches of 250 and 500. Update: see below for a very likely reason explained by Geoff. (The final serial number in the zone is proof that batched updates are gathered together into a single transaction.)
The maximum batch size of an update depends on the length of individual updates (A records only), but we clearly see it is advantageous to batch updates. Furthermore, update batches lower the number of zone transfers (AXFR) and incremental zone transfers (IXFR) that slave servers will have to perform.
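As an added illustration of the batching idea (this is my own example, not code from the post or from the NixSPAM project), the following script groups a stream of records for one zone into nsupdate input, one `send` per batch. Every `send` is one RFC 2136 UPDATE message, so one transaction and one serial increment on the server. The zone name, server address, records and the `-k` key file name in the usage note are constructed placeholders; the script refuses records that are not within the zone, because an UPDATE message addresses exactly one zone.

```python
#!/usr/bin/env python3
"""Generate batched nsupdate input for a single zone.

Added example, not from the original post. Zone, server and records
below are constructed; the TSIG key file is supplied to nsupdate itself.
"""
from typing import Iterable, List, Tuple

Record = Tuple[str, str, str]  # (owner name, rdtype, rdata)


def _script(server: str, zone: str, update_lines: List[str]) -> str:
    """One complete nsupdate script: server/zone header, updates, send."""
    return "\n".join([f"server {server}", f"zone {zone}", *update_lines, "send"]) + "\n"


def nsupdate_batches(zone: str, server: str, records: Iterable[Record],
                     batch_size: int = 250, ttl: int = 300) -> List[str]:
    """Split records into nsupdate scripts of at most `batch_size` updates.

    Each returned string ends in 'send', i.e. it is one UPDATE message and
    one transaction on the server. All records must lie inside `zone`;
    a record from another zone raises, since an UPDATE carries one zone.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    zone = zone.rstrip(".") + "."          # normalise to an absolute name
    scripts: List[str] = []
    current: List[str] = []
    for name, rdtype, rdata in records:
        fqdn = name.rstrip(".") + "."
        if fqdn != zone and not fqdn.endswith("." + zone):
            raise ValueError(f"{fqdn} is not within zone {zone}")
        current.append(f"update add {fqdn} {ttl} {rdtype} {rdata}")
        if len(current) == batch_size:
            scripts.append(_script(server, zone, current))
            current = []
    if current:                            # flush the final partial batch
        scripts.append(_script(server, zone, current))
    return scripts


def constructed_records(zone: str, count: int) -> List[Record]:
    """Constructed sample data: `count` A records spread over 10.0.0.0/8."""
    return [
        (f"h{i}.{zone}", "A", f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
        for i in range(count)
    ]


def transactions_for(n_records: int, batch_size: int) -> int:
    """Number of UPDATE transactions (serial bumps) the batching produces."""
    return len(nsupdate_batches("example.test", "127.0.0.1",
                                constructed_records("example.test", n_records),
                                batch_size=batch_size))


if __name__ == "__main__":
    import sys
    # Mirror the post's experiment sizes: 40,000 records, several batch sizes.
    for size in (1, 10, 100, 250, 500):
        print(f"batch {size:>4}: {transactions_for(40_000, size):>6} transactions",
              file=sys.stderr)
    # Emit the actual nsupdate input for one batch size on stdout.
    for script in nsupdate_batches("bl.example.test", "127.0.0.1",
                                   constructed_records("bl.example.test", 1000),
                                   batch_size=250):
        sys.stdout.write(script)
```

Pipe the output into `nsupdate -k <TSIG key file>` (placeholder name) to perform the signed updates; the transaction counts on stderr are what the zone serial should advance by, which is the check the post uses to confirm that a batch really is gathered into a single transaction.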