From: Ondřej Surý <ondrej@isc.org>
Date: Thu, 12 Sep 2024 14:35:08 +0000 (+0000)
Subject: fix: usr: Separate DNSSEC validation from the long-running tasks
X-Git-Tag: v9.21.2~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23b2ce56e5d907faf4d02b59e507a752d6e52f8b;p=thirdparty%2Fbind9.git

fix: usr: Separate DNSSEC validation from the long-running tasks

As part of the KeyTrap \[CVE-2023-50387\] mitigation, the DNSSEC CPU-intensive operations were offloaded to a separate threadpool that we use to run other tasks that could affect the networking latency.

If that threadpool is running some long-running tasks like RPZ, catalog zone processing, or zone file operations, it would delay DNSSEC validations to a point where the resolving signed DNS records would fail.

Split the CPU-intensive and long-running tasks into separate threadpools in a way that the long-running tasks don't block the CPU-intensive operations.

Closes #4898

Merge branch '4898-move-offloaded-DNSSEC-to-own-threads' into 'main'

See merge request isc-projects/bind9!9473
---

23b2ce56e5d907faf4d02b59e507a752d6e52f8b