From: Remi Gacogne Date: Mon, 2 Feb 2026 14:19:28 +0000 (+0100) Subject: dnsdist: Switch to cubic as default congestion algo for QUIC X-Git-Tag: rec-5.5.0-alpha0~39^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b22f8f2037d309ca5ef236d8da340dd0cfda5988;p=thirdparty%2Fpdns.git dnsdist: Switch to cubic as default congestion algo for QUIC Signed-off-by: Remi Gacogne --- diff --git a/pdns/dnsdistdist/dnsdist-settings-definitions.yml b/pdns/dnsdistdist/dnsdist-settings-definitions.yml index 0a85f82349..4ff1766731 100644 --- a/pdns/dnsdistdist/dnsdist-settings-definitions.yml +++ b/pdns/dnsdistdist/dnsdist-settings-definitions.yml @@ -1024,12 +1024,15 @@ incoming_quic: description: "Set the idle timeout, in seconds" - name: "congestion_control_algorithm" type: "String" - default: "reno" + default: "cubic" description: "The congestion control algorithm to be used" supported-values: - "reno" - "cubic" - "bbr" + changes: + - version: "2.1.0" + content: "This default used to ``reno`` and is now ``cubic``" - name: "internal_pipe_buffer_size" type: "u32" default: 1048576 diff --git a/pdns/dnsdistdist/docs/guides/dns-over-http3.rst b/pdns/dnsdistdist/docs/guides/dns-over-http3.rst index 5feeec16e2..593ce42e68 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-http3.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-http3.rst @@ -19,7 +19,7 @@ This will make :program:`dnsdist` listen on [2001:db8:1:f00::1]:443 on UDP, and The fourth parameter, if present, indicates various options. For instance, you can change the congestion control algorithm used. An example is:: - addDOH3Local('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"}) + addDOH3Local('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="cubic"}) .. code-block:: yaml 
@@ -31,7 +31,7 @@ The fourth parameter, if present, indicates various options. For instance, you c - certificate: "/etc/ssl/certs/example.com.pem" key: "/etc/ssl/private/example.com.key" quic: - congestion_control_algorithm: "bbr" + congestion_control_algorithm: "cubic" A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. diff --git a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst index e7d1be18bb..85e30922b7 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-quic.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-quic.rst @@ -16,7 +16,7 @@ This will make :program:`dnsdist` listen on [2001:db8:1:f00::1]:853 on UDP, and The fourth parameter, if present, indicates various options. For instance, you can change the congestion control algorithm used. An example is:: - addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="bbr"}) + addDOQLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', {congestionControlAlgo="cubic"}) .. code-block:: yaml 
@@ -28,7 +28,7 @@ The fourth parameter, if present, indicates various options. For instance, you c - certificate: "/etc/ssl/certs/example.com.pem" key: "/etc/ssl/private/example.com.key" quic: - congestion_control_algorithm: "bbr" + congestion_control_algorithm: "cubic" A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index ea81e1fb24..073f6e5d04 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -198,6 +198,9 @@ Listen Sockets .. versionadded:: 1.9.0 + .. versionchanged:: 2.1.0 + The default congestion algorithm used to be ``reno`` and is now ``cubic``. + Listen on the specified address and UDP port for incoming DNS over HTTP3 connections, presenting the specified X.509 certificate. See :doc:`../advanced/tls-certificates-management` for details about the handling of TLS certificates and keys. More information is available in :doc:`../guides/dns-over-http3`. 
@@ -215,13 +218,16 @@ Listen Sockets * ``idleTimeout=5``: int - Set the idle timeout, in seconds. * ``internalPipeBufferSize=0``: int - Set the size in bytes of the internal buffer of the pipes used internally to pass queries and responses between threads. Requires support for ``F_SETPIPE_SZ`` which is present in Linux since 2.6.35. The actual size might be rounded up to a multiple of a page size. 0 means that the OS default size is used. The default value is 0, except on Linux where it is 1048576 since 1.6.0. * ``maxInFlight=65535``: int - Maximum number of in-flight queries. The default is 0, which disables out-of-order processing. - * ``congestionControlAlgo="reno"``: str - The congestion control algorithm to be chosen between ``reno``, ``cubic`` and ``bbr``. + * ``congestionControlAlgo="cubic"``: str - The congestion control algorithm to be chosen between ``reno``, ``cubic`` and ``bbr``. * ``keyLogFile``: str - Write the TLS keys in the specified file so that an external program can decrypt TLS exchanges, in the format described in https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. .. function:: addDOQLocal(address, certFile(s), keyFile(s) [, options]) .. versionadded:: 1.9.0 + .. versionchanged:: 2.1.0 + The default congestion algorithm used to be ``reno`` and is now ``cubic``. + Listen on the specified address and UDP port for incoming DNS over QUIC connections, presenting the specified X.509 certificate. See :doc:`../advanced/tls-certificates-management` for details about the handling of TLS certificates and keys. More information is available at :doc:`../guides/dns-over-quic`. 
@@ -240,7 +246,7 @@ Listen Sockets * ``idleTimeout=5``: int - Set the idle timeout, in seconds. * ``internalPipeBufferSize=0``: int - Set the size in bytes of the internal buffer of the pipes used internally to pass queries and responses between threads. Requires support for ``F_SETPIPE_SZ`` which is present in Linux since 2.6.35. The actual size might be rounded up to a multiple of a page size. 0 means that the OS default size is used. The default value is 0, except on Linux where it is 1048576 since 1.6.0. * ``maxInFlight=65535``: int - Maximum number of in-flight queries. The default is 0, which disables out-of-order processing. - * ``congestionControlAlgo="reno"``: str - The congestion control algorithm to be chosen between ``reno``, ``cubic`` and ``bbr``. + * ``congestionControlAlgo="cubic"``: str - The congestion control algorithm to be chosen between ``reno``, ``cubic`` and ``bbr``. * ``keyLogFile``: str - Write the TLS keys in the specified file so that an external program can decrypt TLS exchanges, in the format described in https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. .. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options]) diff --git a/pdns/dnsdistdist/doq-common.hh b/pdns/dnsdistdist/doq-common.hh index 0ba4c28e32..0da9d13169 100644 --- a/pdns/dnsdistdist/doq-common.hh +++ b/pdns/dnsdistdist/doq-common.hh @@ -50,7 +50,7 @@ struct QuicheParams std::string d_keyLogFile; uint64_t d_idleTimeout{5}; uint64_t d_maxInFlight{65535}; - std::string d_ccAlgo{"reno"}; + std::string d_ccAlgo{"cubic"}; std::string d_alpn; };
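Review bot: the new ``changes`` entry in the dnsdist-settings-definitions.yml hunk is missing a verb: "This default used to ``reno`` and is now ``cubic``" should read "This default used to be ``reno`` and is now ``cubic``", matching the wording of the ``versionchanged`` notes added to config.rst in the same patch.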
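Review bot: in both dns-over-http3.rst and dns-over-quic.rst the example that follows "you can change the congestion control algorithm used" is switched from ``bbr`` to ``cubic``, but ``cubic`` is now the default, so the ``addDOH3Local``/``addDOQLocal`` calls and the YAML ``congestion_control_algorithm: "cubic"`` snippets no longer demonstrate a change. Either keep a non-default value such as ``bbr`` in these four examples, or reword the introductory sentence to say that the example pins the algorithm explicitly.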
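Review bot: the two ``versionchanged:: 2.1.0`` blocks added to config.rst say "The default congestion algorithm", while the option they describe is ``congestionControlAlgo`` and the YAML description uses "congestion control algorithm"; use the full term in both notes so readers searching the reference for the option name find them.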
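Review bot: the doq-common.hh hunk changes ``d_ccAlgo{"cubic"}`` by hand, and the same default is also hand-edited in dnsdist-settings-definitions.yml and twice in config.rst, so the patch now has four places that must agree and nothing in it checks that they do; consider adding a regression test that constructs ``QuicheParams`` and asserts ``d_ccAlgo == "cubic"``, or deriving the C++ initializer from the settings definitions if that generation path exists.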