void AuthPacketCache::cleanup()
{
- uint64_t maxCached = d_maxEntries;
- uint64_t cacheSize = *d_statnumentries;
- uint64_t totErased = 0;
-
- totErased = pruneLockedCollectionsVector<SequencedTag>(d_maps, maxCached, cacheSize);
+ uint64_t totErased = pruneLockedCollectionsVector<SequencedTag>(d_maps);
*d_statnumentries -= totErased;
DLOG(g_log<<"Done with cache clean, cacheSize: "<<(*d_statnumentries)<<", totErased"<<totErased<<endl);
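Review bot: After this change cleanup() no longer reads d_maxEntries, so nothing in this path reacts to the cache being over its configured size; the same holds for AuthQueryCache::cleanup() in the next hunk. The removed code widened the scan when `cacheSize > maxCached`, whereas the new call always examines a fixed share of each shard and erases only expired entries. If the limit is enforced when entries are inserted (not visible in this diff), a comment here should say so, for example `// only expired entries are removed here; the d_maxEntries limit is not applied by cleanup()`. If it is not, a burst of distinct queries could keep the cache above the limit until entries expire.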
void AuthQueryCache::cleanup()
{
- uint64_t maxCached = d_maxEntries;
- uint64_t cacheSize = *d_statnumentries;
- uint64_t totErased = 0;
-
- totErased = pruneLockedCollectionsVector<SequencedTag>(d_maps, maxCached, cacheSize);
-
+ uint64_t totErased = pruneLockedCollectionsVector<SequencedTag>(d_maps);
*d_statnumentries -= totErased;
+
DLOG(g_log<<"Done with cache clean, cacheSize: "<<*d_statnumentries<<", totErased"<<totErased<<endl);
}
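Review bot: The debug line prints the label `totErased` with no separator before its value, so the output reads like `totErased42` (constructed value) and is awkward to search or parse; AuthPacketCache::cleanup() in the previous hunk has the same string. Writing `", totErased: "<<totErased` would match the `cacheSize: ` label next to it.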
moveCacheItemToFrontOrBack<S>(collection, iter, false);
}
-template <typename S, typename T> uint64_t pruneLockedCollectionsVector(vector<T>& maps, uint64_t maxCached, uint64_t cacheSize)
+template <typename S, typename T> uint64_t pruneLockedCollectionsVector(vector<T>& maps)
{
- time_t now = time(nullptr);
uint64_t totErased = 0;
- uint64_t toTrim = 0;
- uint64_t lookAt = 0;
-
- // two modes - if toTrim is 0, just look through 10% of the cache and nuke everything that is expired
- // otherwise, scan first 5*toTrim records, and stop once we've nuked enough
- if (maxCached && cacheSize > maxCached) {
- toTrim = cacheSize - maxCached;
- lookAt = 5 * toTrim;
- } else {
- lookAt = cacheSize / 10;
- }
+ time_t now = time(nullptr);
for(auto& mc : maps) {
WriteLock wl(&mc.d_mut);
+
+ uint64_t lookAt = (mc.d_map.size() + 9) / 10; // Look at 10% of this shard
+ uint64_t erased = 0;
+
auto& sidx = boost::multi_index::get<S>(mc.d_map);
- uint64_t erased = 0, lookedAt = 0;
- for(auto i = sidx.begin(); i != sidx.end(); lookedAt++) {
- if (i->ttd < now) {
+ for(auto i = sidx.begin(); i != sidx.end() && lookAt > 0; lookAt--) {
+ if(i->ttd < now) {
i = sidx.erase(i);
erased++;
} else {
++i;
}
-
- if(toTrim && erased > toTrim / maps.size())
- break;
-
- if(lookedAt > lookAt / maps.size())
- break;
}
totErased += erased;
}
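Review bot: The scan over `sidx` always starts at `sidx.begin()` and stops after `lookAt` entries, so expired entries that sit behind a run of unexpired ones in the first tenth of a shard are never reached by this pass. How often that happens depends on the order kept by the sequenced index (moveCacheItemToFrontOrBack in the context above), which this hunk does not show. The two-mode comment was removed with the old logic and nothing replaces it; a short header comment stating that each call inspects at most ceil(size/10) entries from the front of every shard under its write lock, erases only those with `ttd < now`, and returns the total erased would document the contract. The function body continues past the end of this hunk.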
nrc.set(QType::RRSIG);
if(sd.qname == name) {
nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
- nrc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- nrc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- nrc.set(QType::CDS);
+ auto keyset = d_dk.getKeys(name);
+ if (!keyset.empty()) {
+ nrc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ nrc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ nrc.set(QType::CDS);
+ }
}
DNSZoneRecord rr;
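Review bot: The new guard `if (!keyset.empty())` tests only whether the key store returns any key for the zone, not whether a DNSKEY RRset will actually be served; the NSEC3 hunk that follows uses the same test. If getKeys() can return keys that are not published in the DNSKEY RRset (its semantics are not visible here), the bitmap would still assert DNSKEY, and a type bitmap that disagrees with the served data can make validators treat answers as bogus. A comment above the guard stating which keys count, for example `// keys present in the key store: advertise DNSKEY (and CDNSKEY/CDS if enabled)`, or a check on the relevant key state, would make the intent verifiable. The enclosing function starts and ends outside this hunk.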
if (sd.qname == name) {
n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
n3rc.set(QType::NSEC3PARAM);
- n3rc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- n3rc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- n3rc.set(QType::CDS);
+ auto keyset = d_dk.getKeys(name);
+ if (!keyset.empty()) {
+ n3rc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ n3rc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ n3rc.set(QType::CDS);
+ }
}
B.lookup(QType(QType::ANY), name, sd.domain_id);
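Review bot: `keyset` is a named local used only for one `empty()` call, and `auto` makes it a by-value copy of whatever getKeys() returns; the NSEC hunk above does the same. Folding it into the condition, `if (!d_dk.getKeys(name).empty()) {`, avoids the extra name and any copy. The enclosing function starts and ends outside this hunk.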
* Botnet Command and Control Servers
etc.
-This is because well-behaved domains tend to return fairly stable results to DNS record lookups, and thus domains which don't exhibit this behaviour may be suspsicious or may indicate a domain under attack.
+This is because well-behaved domains tend to return fairly stable results to DNS record lookups, and thus domains which don't exhibit this behaviour may be suspicious or may indicate a domain under attack.
UDR is disabled by default - to enable it, set ``unique-response-tracking=yes`` in recursor.conf.