Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-02-13 Thread Robert Wagner
Not sure if we have a good howto on watching for memory leaks.  But you could 
run something like "sudo pmap [pid]" and watch it over time (like several 
days). Expect some fluctuations for load.  You may find a dependent library 
that has an issue.

Others may have better tools that are commonly found on Linux.

Some additional tools you can download:
https://www.baeldung.com/linux/memory-leak-active-process


Robert Wagner


From: bind-users  on behalf of Ondřej Surý 

Sent: Thursday, February 13, 2025 4:33 AM
To: Borja Marcos 
Cc: bind-users 
Subject: Re: Just a suspicion for now: Memory leak in 9.20.4?

The increase could be for various reasons. The query pattern is different, the 
underlying database is different, the other data structures are different. 
Unless there’s unbounded growth (in the stats), or the cache memory goes over 
configured limit, there’s nothing to worry about.

Sometimes it is possible to have smaller and faster, sometimes the smaller even 
means faster, but there are times where faster means larger.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 10:16, Borja Marcos via bind-users 
>  wrote:
>
> Hi,
>
> I am running 9.18.32 and 9.20.4 on FreeBSD. I have noticed that 9.20.4 is 
> using much more memory 24 hours since restarting them, despite the fact that 
> the 9.18.32 has a higher query load.
>
> Nothing substantial now, but I would like to confirm (or not) whether someone 
> else has observed something similar.
>
> Cheers,
>
>
>
>
> Borja.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-02-13 Thread Ondřej Surý
The increase could be for various reasons. The query pattern is different, the 
underlying database is different, the other data structures are different. 
Unless there’s unbounded growth (in the stats), or the cache memory goes over 
configured limit, there’s nothing to worry about.

Sometimes it is possible to have smaller and faster, sometimes the smaller even 
means faster, but there are times where faster means larger.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 10:16, Borja Marcos via bind-users 
>  wrote:
> 
> Hi,
> 
> I am running 9.18.32 and 9.20.4 on FreeBSD. I have noticed that 9.20.4 is 
> using much more memory 24 hours since restarting them, despite the fact that 
> the 9.18.32 has a higher query load.
> 
> Nothing substantial now, but I would like to confirm (or not) whether someone 
> else has observed something similar.
> 
> Cheers,
> 
> 
> 
> 
> Borja.


Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-02-13 Thread Ondřej Surý
There’s an official KB article on the topic: https://kb.isc.org/docs/bind-memory-consumption-explained - you actually need to use jeprof and understand the BIND 9 internals.

Baeldung wouldn’t be my first (nor the last choice) for something that’s really useful. My feeling is they optimize content for SEO, not to help people. Nothing written in the article below is going to be actually helpful in detecting memory leaks in named.

There are no “classical” memory leaks in the sense of a lost pointer. There might be some data structure kept for too long or some unbounded list, but any memory lost would be quickly detected at the shutdown as there are safeguards in place.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 13. 2. 2025, at 13:47, Robert Wagner  wrote:

Not sure if we have a good howto on watching for memory leaks.  But you could run something like "sudo pmap [pid]" and watch it over time (like several days). Expect some fluctuations for load.  You may find a dependent library that has an issue.

Others may have better tools that are commonly found on Linux.

Some additional tools you can download:
https://www.baeldung.com/linux/memory-leak-active-process


Robert Wagner





From: bind-users  on behalf of Ondřej Surý 
Sent: Thursday, February 13, 2025 4:33 AM
To: Borja Marcos 
Cc: bind-users 
Subject: Re: Just a suspicion for now: Memory leak in 9.20.4?
 


The increase could be for various reasons. The query pattern is different, the underlying database is different, the other data structures are different. Unless there’s unbounded growth (in the stats), or the cache memory goes over configured limit, there’s nothing to worry about.

Sometimes it is possible to have smaller and faster, sometimes the smaller even means faster, but there are times where faster means larger.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 10:16, Borja Marcos via bind-users  wrote:
>
> Hi,
>
> I am running 9.18.32 and 9.20.4 on FreeBSD. I have noticed that 9.20.4 is using much more memory 24 hours since restarting them, despite the fact that the 9.18.32 has a higher query load.
>
> Nothing substantial now, but I would like to confirm (or not) whether someone else has observed something similar.
>
> Cheers,
>
>
>
>
> Borja.


Just a suspicion for now: Memory leak in 9.20.4?

2025-02-13 Thread Borja Marcos via bind-users
Hi,

I am running 9.18.32 and 9.20.4 on FreeBSD. I have noticed that 9.20.4 is using 
much more memory 24 hours since restarting them, despite the fact that the 
9.18.32 has a higher query load.

Nothing substantial now, but I would like to confirm (or not) whether someone 
else has observed something similar.

Cheers,




Borja.






Re: debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users
On Thu, 13 Feb 2025, at 16:54, Petr Špaček wrote:
>> [1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050
>
> BTW you can expedite fixing it if you test code changes in
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9967
> and provide feedback.

Aha -- I had missed that -- I will test it.  Thanks!

Malcolm


Re: debsuryorg-archive-keyring

2025-02-13 Thread Ondřej Surý
It's absolutely ok to drop the dependency for your custom packages.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 17:17, Malcolm Scott  wrote:
> 
> I mainly noticed this because I am temporarily building my own patched 
> version of your package with a workaround for the SIG(0) key limit problem I 
> reported some months back [1], and realised that if I used your sources, I'd 
> have to ship debsuryorg-archive-keyring in my own PPA too.






Re: debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users

Hi Ondřej,

That's a fair point; I am indeed trusting you anyway by installing your 
packages :-)


I mainly noticed this because I am temporarily building my own patched 
version of your package with a workaround for the SIG(0) key limit problem I 
reported some months back [1], and realised that if I used your sources, I'd 
have to ship debsuryorg-archive-keyring in my own PPA too.


Thanks,

Malcolm

[1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050


On Thu, 13 Feb 2025, Ondřej Surý wrote:


Hi Malcolm,

if you trust me to produce BIND 9 code directly from the upstream,
I guess that trust can be transitioned to the packaging repositories.

The packaging is created in a way that makes it easy to create
packages for both Ubuntu and Debian in the same way.

I'll add some text to the KB, thanks for raising the issue here.

Ondřej
P.S.: However, you are right that for Ubuntu PPAs there could be just
a dummy package with no keys and that would make it a little less
confusing. The package is set up like this intentionally for now
and it will get gradually upgraded to the signed-by method as the
distributions supporting that will get deprecated. As of now, the
change you mentioned will be included in Debian Trixie that hasn't
been released yet, and there are too many installations that still use
the old method.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users 
 wrote:

Hi all,

With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
debsuryorg-archive-keyring?  That package makes Apt trust a key for an entirely 
different Apt repository, not used (as far as I can tell) by the Launchpad PPA 
at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, which is 
considered insecure and deprecated [1].)

$ apt-key list
(...)
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
-
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
 1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid   [ unknown] DEB.SURY.ORG Automatic Signing Key 
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
(...)

(Or should I treat deb.sury.org, rather than the Launchpad PPA, as the official 
repository for these packages?)

Malcolm


[1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS


Re: dnsviz.net: has errors; select the "Denial of existence" DNSSEC option to see them.

2025-02-13 Thread Hans Mayer via bind-users


Hi Taavi,
It seems I was blind and didn't see the button.
Problem solved. Iterations set to 0 and salt to null. Everything green 
now at DNSviz.


Best regards
Hans

--


On 07.02.25 17:05, Taavi Eomäe wrote:

Hi,

If you select the "Denial of existence" under options, then you will 
see the exact details behind those errors.


It seems like your NSEC3 iterations count is not 0, but it should be 0 
to alleviate computational burdens. See RFC9276, Sec. 3.1.



Best regards
Taavi




debsuryorg-archive-keyring

2025-02-13 Thread Malcolm Scott via bind-users

Hi all,

With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
debsuryorg-archive-keyring?  That package makes Apt trust a key for an 
entirely different Apt repository, not used (as far as I can tell) by the 
Launchpad PPA at all.  (Also it installs the key into 
/etc/apt/trusted.gpg.d, which is considered insecure and deprecated [1].)


$ apt-key list
(...)
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
-
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
  1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid   [ unknown] DEB.SURY.ORG Automatic Signing Key 
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
(...)

(Or should I treat deb.sury.org, rather than the Launchpad PPA, as the 
official repository for these packages?)


Malcolm


[1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS
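
The distinction raised in this message can be checked on a host: a key under /etc/apt/trusted.gpg.d is accepted for every configured repository, whereas signed-by ties a key to a single source entry. The following Python audit is an added example, not part of the original post or of ISC's packaging; the sample source entries, host names and keyring path in it are constructed.

```python
import re

# Constructed sample entries (illustrative hosts and keyring path).
ONE_LINE_SAMPLE = """\
# no key scoping: verified against every globally trusted key
deb https://ppa.example.net/bind/ubuntu noble main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://packages.example.org/debian bookworm main
"""

DEB822_SAMPLE = """\
Types: deb
URIs: https://packages.example.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/example-archive.gpg

Types: deb
URIs: https://ppa.example.net/bind/ubuntu
Suites: noble
Components: main
"""


def audit_one_line(text):
    """Return (uri, signed_by or None) for each entry in sources.list format."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
        entries.append((m.group(3), opts.get("signed-by")))
    return entries


def audit_deb822(text):
    """Return (uris, signed_by or None) for each stanza of a .sources file."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if line[0].isspace() and last:      # continuation, e.g. embedded key
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                last = key.strip().lower()      # field names are case-insensitive
                fields[last] = value.strip()
        if "uris" in fields:
            entries.append((fields["uris"], fields.get("signed-by", "").strip() or None))
    return entries


def unscoped(entries):
    """Sources that rely on the global keyrings (trusted.gpg, trusted.gpg.d)."""
    return [uri for uri, key in entries if not key]


if __name__ == "__main__":
    for uri in unscoped(audit_one_line(ONE_LINE_SAMPLE) + audit_deb822(DEB822_SAMPLE)):
        print("no signed-by:", uri)
```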


Re: debsuryorg-archive-keyring

2025-02-13 Thread Ondřej Surý
Hi Malcolm,

if you trust me to produce BIND 9 code directly from the upstream,
I guess that trust can be transitioned to the packaging repositories.

The packaging is created in a way that makes it easy to create
packages for both Ubuntu and Debian in the same way.

I'll add some text to the KB, thanks for raising the issue here.

Ondřej
P.S.: However, you are right that for Ubuntu PPAs there could be just
a dummy package with no keys and that would make it a little less
confusing. The package is set up like this intentionally for now
and it will get gradually upgraded to the signed-by method as the
distributions supporting that will get deprecated. As of now, the
change you mentioned will be included in Debian Trixie that hasn't
been released yet, and there are too many installations that still use
the old method.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 13. 2. 2025, at 16:57, Malcolm Scott via bind-users 
>  wrote:
> 
> Hi all,
> 
> With apologies if this is a FAQ: why do the ISC BIND packages for Ubuntu, 
> linked from https://kb.isc.org/docs/isc-packages-for-bind-9 and published at 
> https://launchpad.net/~isc/+archive/ubuntu/bind, depend on 
> debsuryorg-archive-keyring?  That package makes Apt trust a key for an 
> entirely different Apt repository, not used (as far as I can tell) by the 
> Launchpad PPA at all.  (Also it installs the key into /etc/apt/trusted.gpg.d, 
> which is considered insecure and deprecated [1].)
> 
> $ apt-key list
> (...)
> /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
> -
> pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
>  1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
> uid   [ unknown] DEB.SURY.ORG Automatic Signing Key 
> sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
> (...)
> 
> (Or should I treat deb.sury.org, rather than the Launchpad PPA, as the 
> official repository for these packages?)
> 
> Malcolm
> 
> 
> [1] https://salsa.debian.org/apt-team/apt/-/raw/2.9.24/debian/NEWS


Re: debsuryorg-archive-keyring

2025-02-13 Thread Petr Špaček

On 13. 02. 25 17:17, Malcolm Scott via bind-users wrote:
> I mainly noticed this because I am temporarily building my own patched
> version of your package with a workaround for the SIG(0) key limit
> problem I reported some months back [1],
>
> [1] https://gitlab.isc.org/isc-projects/bind9/-/issues/5050


BTW you can expedite fixing it if you test code changes in
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9967
and provide feedback.

Thank you for help!

--
Petr Špaček
Internet Systems Consortium