fatal_exit("dnsc_apply_cfg: could not load local data");
}
env->shared_secrets_cache = slabhash_create(
- cfg->msg_cache_slabs,
+ cfg->dnscrypt_shared_secret_cache_slabs,
HASH_DEFAULT_STARTARRAY,
- 4000000,
+ cfg->dnscrypt_shared_secret_cache_size,
dnsc_shared_secrets_sizefunc,
dnsc_shared_secrets_compfunc,
dnsc_shared_secrets_delkeyfunc,
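Review bot: The value passed at L8 is the memory bound for the whole cache while the slab count at L5 is now also operator-chosen, so a small `dnscrypt-shared-secret-cache-size` combined with many slabs can leave each slab unable to hold even one shared secret, assuming slabhash_create splits max_mem across numtables as Unbound's other caches do; a one-line comment such as `/* total bytes, divided over the slabs */` above the call, or a minimum-size check in dnsc_apply_cfg, would make that visible. Note also that the effective default moves from the hard-coded 4000000 bytes to the 4 MiB config default, which the changelog entry does not mention. The slabhash_create call continues past the hunk, so whether its NULL result is checked is outside view.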
- For #1417: escape ; in dnscrypt tests.
- but reverted that, tests fails with that escape.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
- dnscrypt is not enabled.
+ dnscrypt is not enabled. And cache size configuration option.
- make depend
30 August 2017: Wouter
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
This option may be specified multiple times.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
+Give the size of the data structure in which the shared secret keys are kept
+in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
+The shared secret cache is used when a same client is making multiple queries
+using the same public key. It saves a substantial amount of CPU.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
+Give power of 2 number of slabs, this is used to reduce lock contention
+in the dnscrypt shared secrets cache. Close to the number of cpus is
+a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
cfg->dnscrypt_provider = NULL;
cfg->dnscrypt_provider_cert = NULL;
cfg->dnscrypt_secret_key = NULL;
+ cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
+ cfg->dnscrypt_shared_secret_cache_slabs = 4;
#ifdef USE_IPSECMOD
cfg->ipsecmod_enabled = 1;
cfg->ipsecmod_ignore_bogus = 0;
else S_STR("dnscrypt-provider:", dnscrypt_provider)
else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
+ else S_MEMSIZE("dnscrypt-shared-secret-cache-size:",
+ dnscrypt_shared_secret_cache_size)
+ else S_POW2("dnscrypt-shared-secret-cache-slabs:",
+ dnscrypt_shared_secret_cache_slabs)
#endif
else if(strcmp(opt, "ip-ratelimit:") == 0) {
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
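Review bot: The `S_POW2` path at L49-L50 does not apply the `atoi($2) == 0` rejection that the grammar rule at L116 does, so whether a slab count of 0 is refused via set_option depends on the S_POW2 macro, which is not visible here; if it only checks is_pow2 (which typically accepts 0), the two entry points disagree and a 0 could reach slabhash_create on a later apply. Separately, these two options only take effect when dnsc_apply_cfg rebuilds the cache, so a runtime set_option changes cfg without resizing the live cache; a short note in the man page entry, or a comment `/* applied at (re)load by dnsc_apply_cfg */` next to these lines, would save an operator from expecting an immediate effect. The enclosing config_set_option function starts and ends outside the hunk.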
else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
+ else O_MEM(opt, "dnscrypt-shared-secret-cache-size",
+ dnscrypt_shared_secret_cache_size)
+ else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
+ dnscrypt_shared_secret_cache_slabs)
#endif
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
struct config_strlist* dnscrypt_secret_key;
/** dnscrypt provider certs 1.cert */
struct config_strlist* dnscrypt_provider_cert;
+ /** memory size in bytes for dnscrypt shared secrets cache */
+ size_t dnscrypt_shared_secret_cache_size;
+ /** number of slabs for dnscrypt shared secrets cache */
+ size_t dnscrypt_shared_secret_cache_slabs;
/** IPsec module */
#ifdef USE_IPSECMOD
dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+dnscrypt-shared-secret-cache-size{COLON} {
+ YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
+dnscrypt-shared-secret-cache-slabs{COLON} {
+ YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
| ;
content_dnsc:
dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
- dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert
+ dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
+ dnsc_dnscrypt_shared_secret_cache_size |
+ dnsc_dnscrypt_shared_secret_cache_slabs
;
dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
{
fatal_exit("out of memory adding dnscrypt-secret-key");
}
;
-
+dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG
+ {
+ OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
+ if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
+ yyerror("memory size expected");
+ free($2);
+ }
+ ;
+dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
+ {
+ OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
+ if(atoi($2) == 0)
+ yyerror("number expected");
+ else {
+ cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
+ if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
+ yyerror("must be a power of 2");
+ }
+ free($2);
+ }
+ ;
cachedbstart: VAR_CACHEDB
{
OUTYY(("\nP(cachedb:)\n"));
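Review bot: `atoi($2)` at L116 and L119 accepts trailing garbage (`4abc` and `4k` both parse as 4) and cannot report overflow, and a negative value is only caught indirectly by the power-of-two test after being cast into the size_t field at L119; this mirrors the existing `*-slabs` rules in this grammar, so it is a consistency choice rather than a new defect. If you want the new option to be strict, a one-line tightening is `if(atoi($2) == 0 || strspn($2, "0123456789") != strlen($2))` in place of the L116 condition, with the same "number expected" error. The memsize rule at L105-L112 is fine as written since cfg_parse_memsize reports its own failure.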