# In the worst case scenario, unbound can use double the
# amount of memory allocated to a cache due to malloc overhead
+ # Even larger systems with more than 8GB of RAM
+ if [ ${mem} -ge 8192 ]; then
+ mem=1024
+
+ # Extra large systems with more than 4GB of RAM
+ elif [ ${mem} -ge 4096 ]; then
+ mem=512
+
# Large systems with more than 2GB of RAM
- if [ ${mem} -ge 2048 ]; then
+ elif [ ${mem} -ge 2048 ]; then
+ mem=256
+
+ # Medium systems with more than 1GB of RAM
+ elif [ ${mem} -ge 1024 ]; then
mem=128
# Small systems with less than 256MB of RAM
elif [ ${mem} -le 256 ]; then
- mem=8
+ mem=16
# Everything else
else
- mem=32
+ mem=64
fi
(
# We run one thread per processor
echo "num-threads: ${processors}"
+ echo "so-reuseport: yes"
# Adjust number of slabs
echo "infra-cache-slabs: ${slabs}"
echo "rrset-cache-size: $(( ${mem} / 2 ))m"
echo "msg-cache-size: $(( ${mem} / 4 ))m"
echo "key-cache-size: $(( ${mem} / 4 ))m"
+
+ # Increase parallel queries
+ echo "outgoing-range: 8192"
+ echo "num-queries-per-thread: 4096"
+
+ # Use larger send/receive buffers
+ echo "so-sndbuf: 4m"
+ echo "so-rcvbuf: 4m"
) > /etc/unbound/tuning.conf
}
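Review bot: The added `outgoing-range: 8192`, `num-queries-per-thread: 4096` and 4m `so-sndbuf`/`so-rcvbuf` lines are written for every memory tier, so a system taking the `-le 256` branch gets a 16 MB cache budget but the same per-thread query and descriptor ceilings as one in the 8192 tier. In-flight queries hold memory outside the three caches, so under a burst or flood of queries the small tiers are the most likely to run out of RAM. Consider setting a per-tier value in the same if/elif chain and emitting `echo "num-queries-per-thread: ${queries}"` with `outgoing-range` at twice that. Whether the daemon's open-file limit and the kernel's socket-buffer maximum allow these values is not visible here and is worth confirming. The enclosing function starts above this hunk.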
# Don't do anything if DNSSEC is already activated
[ "${status}" = "no" ] && return 0
+ # Log DNSSEC status
+ echo "on" > /var/ipfire/red/dnssec-status
+
# Activate DNSSEC and flush cache with any stale and unvalidated data
unbound-control -q set_option val-permissive-mode: no
unbound-control -q flush_zone .
}
disable_dnssec() {
+ # Log DNSSEC status
+ echo "off" > /var/ipfire/red/dnssec-status
+
unbound-control -q set_option val-permissive-mode: yes
}
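Review bot: In the enable path, `echo "on" > /var/ipfire/red/dnssec-status` runs before either `unbound-control` call and neither exit status is checked, so the file can say `on` while the validator is still in permissive mode; `disable_dnssec` writes `off` before its call in the same way. Anything that reads this file to display DNSSEC state would then report validation that is not in force. Record the state only after the command succeeds, e.g. `unbound-control -q set_option val-permissive-mode: no && echo "on" > /var/ipfire/red/dnssec-status`. The write also sits after the early `return 0`, so a resolver that is already validating never refreshes a missing or stale file. The start of the enable function is outside the hunk.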